University of Petroleum and

ASSIGNMENT
SEMESTER - 4

CONSTITUTIONAL LAW

Topic: Health Data Protection Legislation In India

Submitted To: Mr ASHUTOSH TRIPATHI

Name: HRITHIK SHARMA

SAP ID: 500070320
 Roll No: R760218024
India, being one of the largest health sector and the outsourcing industry, the demand for the
data protection increases every other day. The crimes relating to the computer data is very
high as the internet does not create any barrier with regard to the physical boundaries. The
computer data is facing a lot more resentment due to absence of proper legislative
framework.

Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize
intrusion into one’s privacy caused by the collection, storage and dissemination of personal
data. Personal data generally refers to the information or data which relate to a person who
can be identified from that information or data whether collected by any Government or any
private organization or an agency.1

There has always been a necessity for better security of digital patient data in India.
Especially given our population it may be very difficult to keep up one unified digital data
store for every individual that is secure and updated. The Indian government in a trial to
resolve this long pending data security requirement has come up with an act called DISHA
(Digital Information Security in Healthcare Act), ('DISHA') is that firm first step taken by the
Indian Government in this long journey.
DISHA was introduced in March 2019 by the Indian government to protect and regulate
digital healthcare data. The purpose of DISHA is to regulate the generation, collection,
storage, analysis, transmission and ownership of patient health data and personally
identifiable information. It calls for the creation of a central regulator called the National
Electronic Health Authority, and of state regulators called State Electronic Health
Authorities. It also calls for the setting up of Health Information Exchanges by the
government.2

1
http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws_in_india.pdf?
articleid=100324
2
https://aindrasystems.wordpress.com/2019/07/16/insight-on-disha-digital-information-security-in-
healthcare-act/
Some Key points on access and sharing of data from the Act:

Ownership of data and consent: The patient is the sole owner of all digital data that belongs
to him/her. Any establishment that is wishing to use or access this data must seek permission
and written consent from the data owner. This consent will have to be sought every time an
establishment wants to access this data.

The purpose for access to data: There are about 8 instances listed down when data can be
accessed. Among these are to advance the delivery of patient-centred medical care, to
facilitate health and clinical research and health care quality, To promote early detection,
prevention, and management of chronic diseases, to improve coordination of care among
different medical establishments, etc.

Storing of Digital data: No digital health data shall be stored by any clinical establishment
or entity or health information exchange in any manner3

RIGHT TO PRIVACY UNDER INDIAN CONSTITUTION

The Indian Constitution do not expressly grants the right to privacy but this can be inferred
under Article 19 (Freedom of Speech and Expression); Article 21 (Right to Life and Personal
Liberty) and Article 14 (Equality and Equal Protection of laws). But these rights are subject
to reasonable restrictions given under Article 19(2) which can be imposed by the State.

The Supreme Court in Kharak Singh v State of UP 4 observed that the right to privacy is an
essential ingredient of life and personal liberty. Similary PUCL v Union of India 5 the Court
observed that privacy is a part of life and personal liberty as enshrined in Article 21 and the
said right cannot be curtailed except by the procedure established by law. In Gobind v State
of MP6 the Supreme Court observed that “privacy-dignity claims deserve to be examined
with care and to be denied only when an important countervailing interest is shown to be
superior. If the Court does find that a claimed right is entitled to protection as a fundamental
privacy right, a law infringing it must satisfy the compelling State interest test”.

3
http://disha2018.in/wp/
4
AIR 1963 SC 1295
5
(1997) 1 SCC 301
6
(1975) 2 SCC 148
DISHA was born, therefore, out of the need to provide for better healthcare information
security in a way that the public could claim as a right and to ensure interoperability of
electronic health data. When finalised and introduced as law, it will replace the Information
Technology (Reasonable security practices and procedures and sensitive personal data or
information) Rules of 2011 and thereby usher India into a new regime of protection and
regulation of electronic health data. DISHA aims to be a piece of legislation focused on
healthcare data privacy, confidentiality, security and standardisation. DISHA will create
regulatory authorities, both at the central and state level, to enforce the rights and duties
envisaged under the legislation.

At the central level, the setting up of a National Electronic Health Authority ('NeHA') is
proposed, which would be the apex authority entrusted with formulating standards and
operational guidelines and protocols for the generation, collection, storage, and transfer of
digital health data. At the state level, the State Electronic Health Authority ('SeHA') will be
responsible for ensuring that the requirements of DISHA are followed on the ground, at the
institutional level.

Clinical establishments of all kinds will be obliged to comply with the requirements of
DISHA, including diagnostic centres and even individual clinics. DISHA also proposes the
setting up of Health Information Exchanges - the backbone of interoperability and access -
which would process and transmit data between clinical establishments.

From an enforcement perspective, DISHA also establishes central and state adjudicating
authorities, which will investigate complaints regarding breach of DISHA by clinical
establishments and other entities, health exchanges and even NeHA and SeHA. While all
citizens have a fundamental right to privacy enshrined within the Indian Constitution (the
Supreme Court, in the recent case of Justice K.S Puttaswamy (Retd.) v. Union of India and
Ors, held that the right to privacy is an intrinsic part of the right to life and personal liberty),
DISHA specifically lays down the rights of the owners of health data. Informed consent and
the right to know are the central themes behind the disclosure, transfer and access to digital
health data. DISHA also clearly demarcates ownership of the data. While the actual digital
health data is at all times owned by the individual whose health data have been digitised, the
medium of storage and transmission of the digital health data is owned by the clinical
establishment or the Health Information Exchange, as the case may be7

7
https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securing-patient-health-
data-in-india
CONCLUSION

If we compare the present stage of data processing laws in India with the countries of Europe
and USA then we find that these countries are far ahead of India in this respect. Those
countries have particular and comprehensive laws relating to data protection and privacy.
There is one another thing which is to be noted that different type of data should be divided
into different categories as per the utility and importance of data. So, we are required to frame
a scheme that should be based on the categorical division of data as like USA, and even in the
UK, although there is no such categorical division but still some type of data is defined as
sensitive data; for the disclosure of this sensitive data. The provisions of the IT Act are
basically or the destruction/extraction of data, there is great lack of comprehensive guidelines
in this regard and the companies are required to rely on their private contracts, which process
is in itself complex lengthy. There are no special provisions related to the privacy of an
individual, only sec 72 deals with the violation of privacy, and that is confined only to those
persons on whom the power is conferred by this act.

Although there is one proposed Data Protection Bill, 2013 which deals with the collection use
and disclosure of the personal data. Some of the provisions are taken from the European
Directive on the Data Protection. In the act no category wise division of data was made, in
this regard we have to take inspiration from US laws.

So, a comprehensive data protection law is the need of the hour in India,
BIBLIOGRAPHY

1. http://www.vaishlaw.com/article/information_technology_laws/data_protection_laws
_in_india.pdf?articleid=100324

2. http://uk.practicallaw.com/1-505-9607

3. http://www.majmudarindia.com/pdf/Data%20Protection%20in%20India.pdf

4. http://www.gala-marketlaw.com/77-gala-gazette/gala-gazette/261-india-data-
protection-and-the-it-act-india

5. http://ptlb.in/clpic/wp-content/uploads/2014/01/Data-Protection-Laws-In-India-And-
Privacy-Rights-In-India.pdf

6. http://ec.europa.eu/justice/policies/privacy/docs/studies/final_report_india_en.pdf

7. http://www.ehcca.com/presentations/privacysymposium1/steinhoff_2b_h1.pdf

8. http://legalknowledgeportal.com/2013/06/24/data-privacy-and-protection-law-in-
india-understanding-the-regime/

9. http://nopr.niscair.res.in/bitstream/123456789/3561/1/JIPR%2011(2)%20125-131.pdf

10. http://www.legalserviceindia.com/article/l368-Data-Protection-Law-In-India.html

11. http://www.lawteacher.net/business-law/essays/data-protection-laws-in-india-
business-law-essay.php