01 June 2018 | News
This would make India one of the world’s foremost jurisdictions in the regulation of healthcare data
India’s health ministry has proposed a law to govern data security in the healthcare sector that would give individuals complete ownership of their health data.
Individuals would have the absolute right to refuse or allow data to be generated, collected, accessed, transmitted or used.
Data collectors such as hospitals would be prohibited from refusing treatment to those who do not want their data collected or used. This would make India one of the world’s foremost jurisdictions in the regulation of healthcare data, at a time when governments around the world are scrambling to control who gets to generate and use data, and how, especially as citizens do not fully understand the privacy and security implications of the innumerable applications they wittingly or unwittingly use.
The draft Digital Information Security in Healthcare Act was proposed by the health ministry on March 11, 2018. The period for stakeholder comment ended April 21 and a bill is currently being finalized.
Experts say the health ministry is possibly waiting for a final verdict from the Supreme Court on petitions challenging the constitutional validity of Aadhaar, on which the court has just completed the second-longest oral hearing in its history.
The ruling is expected in July or August. The verdict will guide India’s data privacy framework, which is already being prepared by the Committee of Experts on a Data Protection Framework for India being chaired by Justice BN Srikrishna.
It will also have implications for the health ministry’s proposed law.
The responsibility for ensuring data security and privacy would lie with the entity that has custody of the data, which could be penalized for a data breach.
Currently, under Indian law, companies in India are not obligated to inform individuals of a data breach; the one sector-specific reporting duty falls on banks, which must report breaches to the Reserve Bank of India within six hours, and that report goes to the regulator, not to the affected customers.
The result is that individuals are often unaware that their details may have been compromised. The draft law proposes to make breach notification mandatory.
Data breaches would be ranked by severity, and the more serious kind would be punishable with a fine of at least Rs1 lakh and a jail term of up to five years.
Clinical establishments and health information exchanges would have to notify the data owner of a breach within three days.
Data owners could claim compensation from the person who breached the data, and no limit has been prescribed for the compensation amount.
The draft also prescribes up to five years’ imprisonment for various other offences, such as unauthorized access and data theft.