116 B, Mittal Towers, Nariman Point, Mumbai, India

INTRODUCTION
The alarming increase in data breach incidents has been a cause for worry. The Facebook data breach affected more than 500 million users worldwide.1 Big companies such as Yahoo, WhatsApp and Adobe have suffered data breaches.2 Last year caused a paradigm shift in work culture and massively increased online activity.3 Breaches of health data also spiked, owing to the vast amount of data being collected by health service providers, insurance companies and other government authorities, and to the increased use of medical devices by people in the form of wearables and other medical devices.4 In the recent health data breach in India, millions of medical records and medical images were leaked; the breach was detected by the German firm Greenbone Networks.5 This calls for deeper scrutiny of how health data is handled by the various stakeholders.

REGULATING HEALTH DATA
Health data may broadly be defined as information related to the physical or mental health of an individual or the health services provided to that person.6 It may be collected in various ways, e.g., during registration for health services, laboratory tests, hospital records, etc.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act, 2000, treat a patient's personal information, which includes information about physical, physiological and mental health conditions along with medical records and history, as sensitive personal data or information ("SPDI"). Certain protections are available for SPDI.7 For instance, a body corporate is required to obtain the consent of the provider of the sensitive information regarding the purpose of its use before collecting the information.8

With the objective of digitising healthcare in India, the Ministry of Health and Family Welfare ("MoHFW") last year launched the National Digital Health Mission ("NDHM"). The Health Data Management Policy under the NDHM is created with the objective of building a system of digital health records that is easily accessible to individuals and health service providers.9 Participation by an individual will be on a voluntary basis. If an individual chooses to participate, he/she will be issued a Health ID by the NDHM. The system is based on the principle of federated architecture, which allows interoperability between independent and decentralised information systems. Such interoperability will have to comply with provisions relating to consent, security and protection of personal data.

The NDHM also addresses health data and classifies it into two categories10:
  • Personal health data - It includes any data with personally identifiable information related to an individual containing detailed information of various health conditions and treatments.
  • Non-personal health data - It includes aggregated and anonymised health data where all personally identifiable information has been removed.

Similarly, under the Personal Data Protection Bill, 2019 ("PDP Bill"), 'health data'11 is classified as 'sensitive personal data'12 and any processing of this data is prohibited unless explicit consent is given by the data provider.13 The PDP Bill gives patients more control over the personal data being collected from them and over how this information is used. The Bill also penalises data breaches.14

Regarding non-personal data related to the health of people (both aggregated and anonymised), the Report by the Committee of Experts on Non-Personal Data Governance Framework accords it the same protection as the underlying data.15 That is to say, since 'health data' is classified as 'sensitive personal data' under Section 3(36) of the PDP Bill, non-personal health data would be accorded the same protection as sensitive personal data. This categorisation gives additional protection to health data, which is necessary because anonymised data bears a risk of re-identification that could constitute a critical loss of privacy.16

LEVERAGING HEALTH DATA
Data is crucial for further developing technologies, especially artificial intelligence systems that feed on datasets. It also helps policy makers make evidence-based decisions. Data related to health also falls under the category of a High Value Dataset (HVD), a dataset that is beneficial to the community at large and shared as a public good.17 Health data held by the private sector, when combined with public-sector data, may be useful for improving public services and devising public programmes, infrastructure, etc. to achieve the societal objectives of healthcare planning.18 Therefore, various laws contain provisions for sharing data with the government. For an overview, refer to Table 1.



DISHA: THE DIRECTION FOR BETTER DATA MANAGEMENT
The Digital Information Security in Healthcare Act ("DISHA") is another important law that will be crucial for the governance of data in India. DISHA aims to provide privacy, security, confidentiality and standardisation for the digital healthcare data of the citizens of India. The Act aims to provide a framework to regulate the generation and collection of such data, including the right to withhold confidential health details.19 It provides for the rights, obligations, safety, accessibility, compilation and retention of everyone's digital health record.20 This legislation covers medical and medical-wearable device companies, insurers and manufacturing firms, as well as other organisations that handle the digital health details of their customers. Some of the features of the Act are as follows:
  • A National Electronic Health Authority and State Electronic Health Authorities will be constituted to ensure compliance under the Act.21
  • The Act does not deny citizens any health benefits on refusal to give consent for the collection of data.22
  • The owner of the data shall have the right to access their own data and rectify it.23
  • The owner will also have the right to know which establishment holds their data, and the purpose for which the data is being used.
  • Establishments will have to inform the authority about a breach of data within 3 days of the breach.24
  • People will have the right to complain to State or Central adjudicating authorities if they feel their data has been breached.25
  • The Act will help citizens secure their privacy and provide transparency regarding their data.

CONCLUSION
Data breaches are a serious concern, and when it comes to health data, securing that data becomes even more important, because leaked personal data can cause irreparable damage to individuals. Many of the aforementioned legislations have not come into force, which raises important questions about data security and leaves the victims of these breaches without any effective remedy. There is a need for a robust data protection regime.
  1. Facebook data leak of 533 million users: Here's how to know if your account is affected, THE INDIAN EXPRESS (Apr. 7, 2021 10:16 AM), https://indianexpress.com/article/technology/tech-news-technology/facebook-data-breach-how-to-find-out-if-your-account-is-affected-7260967/
  2. Dan Swinhoe, The 15 biggest data breaches of the 21st century, CSO ONLINE (Jan. 08, 2021 03:30 PM), https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
  3. Mark Beech, COVID-19 Pushes up Internet Use 70% And Streaming More than 12%, First Figures Reveal, FORBES (Mar. 25, 2020), https://www.forbes.com/sites/markbeech/2020/03/25/covid-19-pushes-up-internet-use-70-streaming-more-than-12-first-figures-reveal/?sh=25dc7ca93104
  4. Anuja Vaidya, Healthcare data breaches spiked 55% in 2020, MEDCITY NEWS (Feb. 16, 2021 06:09 PM), https://medcitynews.com/2021/02/report-healthcare-data-breaches-spiked-55-in-2020/?rf=1
  5. Healthcare Data Leak: Over 120 Mn Medical Images Of Indian Patients Left Exposed, INC42 (Feb. 04, 2021), https://inc42.com/buzz/india-healthcare-data-leak-over-120-mn-medical-images-exposed/
  6. What is health data?, IGI GLOBAL, https://www.igi-global.com/dictionary/health-data/42215
  7. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 6.
  8. Id. at Rule 5.
  9. Clause 3(c), National Digital Health Mission: Health Data Management Policy, https://ndhm.gov.in/documents/HealthDataManagementPolicy
  10. Clause 2.2.1, National Digital Health Mission: Strategy Overview (2020), https://ndhm.gov.in/documents/ndhm_strategy_overview
  11. The Personal Data Protection Bill, Bill No. 373 of 2019, sec. 3(21).
  12. Id. at sec. 3(36).
  13. Id. at sec. 11(3).
  14. Id. at Chapter X.
  15. Report by the Committee of Experts on Non-Personal Data Governance Framework (Dec. 16, 2020), https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf
  16. Id. at Clause 8.15(i).
  17. Id. at Clause 7.6.
  18. Id. at Clause 8.2(ii).
  19. Digital Information Security in Healthcare Act, 2018, sec. 28(2).
  20. Supratim Chakraborty & Arindam Bhattacharjee, DISHA to give direction to digital information security in healthcare, HEALTH ECONOMIC TIMES (May 02, 2018 06:17 PM), https://health.economictimes.indiatimes.com/news/industry/disha-to-give-direction-to-digital-information-security-in-healthcare-supratim-chakraborty/63993563
  21. Digital Information Security in Healthcare Act, 2018, sec. 4(1).
  22. Id. at sec. 28(8)(f).
  23. Id. at sec. 28(5).
  24. Id. at sec. 35(5).
  25. Id. at sec. 45(1) & 46(1).