The recent announcement of the draft data privacy bill by the Justice Srikrishna Panel has generated a lot of interest in India. It is too early to comment, as this is just a draft bill and we will have to wait for its final version. However, it’s a progressive move. It would require the Data Fiduciary to comply with the provisions for both personal data and sensitive personal data. Overall, the rights of the individual would be better protected, which would increase the trust between individuals and organizations. The bill gives the data principal the right to correct his data, the right to port his data, the right to be forgotten and the right to access. I believe this will increase transparency. This may require organizations to invest in reengineering processes and technology, specifically for taking consent and for safe storage of the data. Organizations would have to add special controls in addition to these and not merely rely on existing controls and processes. This would also lead to a remodeling of how we deal with personal data and sensitive personal data across industries. Interestingly, the bill's provisions apply to both the government and private organizations, which is a welcome move.
I am also closely following how the draft bill would ring in changes for the healthcare industry. The existing laws in the industry would get a much-needed boost. Currently, the laws do recognize the rights of the patient. For example, the Clinical Establishment Rules, 2012 recognize the rights of the patient and his sensitive personal data and regulate its collection, use, and disclosure. This, however, applied only to the private sector. The Indian Medical Council Rules of 2002 also recognized the confidential clauses between the doctor and the patient. With the new bill, the public sector and government are also included. Finally, the patient would have absolute control over his data.
The draft bill, once it becomes an act, will provide unprecedented protection to personal data as well as sensitive personal data. One of the concerns the healthcare community had was whether this would hinder research work in the healthcare field, specifically the use of anonymous (de-personalized) data for research, which would really help in predicting disease patterns and creating treatment modalities across the care ecosystem. As per the bill, anonymous data is outside the purview of this bill. So as long as measures have been taken to anonymize the data, research work can continue.
The need for explicit consent for processing healthcare data puts the ownership of the data in the hands of the patients. While there are provisions under which the data can be processed without explicit consent in cases of emergency or due to actions of state, this is still a big step forward in the healthcare industry, as it would reduce the instances where sensitive personal data like healthcare records can be misused.
Healthcare data belongs to the individual, and the bill will go a long way in helping create the perfect construct for taking personal consent before processing the data.