Digital information security in Healthcare Act: Its impact on m-health vis-à-vis Personal Data Protection Bill, 2019

In this digital era, we are witnessing an unprecedented growth in technology, however, the laxity of the legal regime in catching with this growth in technology has made governments around the world revamp the existing structure for data privacy. In this attempt, the Government of India introduced the draft Digital Information Security in Healthcare Act 2018 (“DISHA”) for the protection of digital health data of citizens, which combined with the Personal Data Protection Bill, 2019 (“PDP Bill, 2019”)  gives a promising future for data protection regime in India. However, the strict provisions in DISHA related to the ban on the commercialization of health data and disparity with the PDP Bill 2019 have resulted in a conundrum, which needs to be resolved.

What is M-health?

M-health or Mobile health refers to the use of mobile technologies for accessing healthcare services. The services could be ranging from as simple as receiving text messages related to health services, to that of using complex tech to analyze your health data for better services. There are various examples of innovative technology, such as wearable devices that use mobile technology to analyze and interpret health data. Considering the rapid transition to the virtual world, it is expected that this industry will progress at a very fast pace.

It is expected that India will have 859 million smartphone users by 2022. With these growing number of internet and smartphone users, India has a huge potential for becoming the hub of M-health industry.

However, the collection of Digital Health Data (“DHD”) by these industries remains a matter of concern, due to the weakness of antiquated laws that govern this arena. Currently, the data protection regime is governed by Information Technology Act, 2000 read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, which provides for a body corporate to follow ‘adept data’ protection measures and, in case of any breach, pay compensation to the affected person, this has however not been updated with regards to rapid development in technology and leaves many aspects unaddressed.

Digital Health Data in Relation to PDP Bill, 2019 and DISHA

After the landmark decision of the Apex Court in Justice K.S Puttaswamy (Retd.) v. Union of India where the right to privacy was declared as a fundamental right, efforts were made to frame a data protection act in India. In this step, PDP Bill, 2019 was tabled in the Parliament, which is currently being discussed and deliberated by a Joint Parliamentary Committee in consultation with experts as well as stakeholders of the field.

DISHA on the other hand has been drafted by the Ministry of Family and Health Welfare specifically for the protection of DHD Under DISHA, the user has been given the power to control the flow of his/her data at every stage of data collection, processing, storage, transmission, etc. Moreover, the user has been given the power to refuse the consent for data collection at any stage he/she wants. Note that all these steps need to be taken after explicit and prior permission from the user, for every use of data in an identifiable form (Section 28, DISHA).

However, the difference between the two legislation is that as per PDP Bill, 2019, you need consent for the processing of digital data, and since health data has been defined as sensitive personal data (Section 3(36), PDP Bill 2019), the requirement is explicit consent, at only one stage which is before using such data by any entity (Section 11, PDP Bill 2019). Whereas, if we observe section 29(2) of DISHA, then M-Health service providers like applications or wearable devices which collect DHD of its customer fall under the ambit of ‘other entity’ (since they aren’t clinical establishment or health information exchange). As a result, they will be governed under DISHA, and have to comply with the strict requirement of obtaining the consent at every stage of data collection.

So, in case of any app/wearable device that collects DHD, if it is to be governed under PDP Bill, 2019, the requirement of consent is at only one stage, i.e., before the processing of data by the collecting entity. However, if DISHA is to be applied then it has to obtain consent at each stage of data collection from processing to that of transmission and storage. Hence, if DISHA is to be applied in such a case, it will lengthen the process, limiting the use of such data as per the strict compliance requirements of DISHA, which has been discussed further.

Express Ban on Commercialization of Health Data and its Impact on M-Health.

The M-health industry functions on various business models, but one of the key components of them is targeted advertisements. This is important for those service providers who are fully automated online and offer various services completely free for increasing their customer base and send them targeted advertisements based on user data. Consider the example of Mobisoft which through its apps/wearable devices can collect sophisticated data like Body Mass Index (“BMI”), and on basis of such data prepares specific content tailored for a specific individual which often comes with recommendations or advertisement for any product or company.

DISHA has limited the use of DHD by ‘other entity’ to only limited purposes (mentioned in Section 28(2) of the  Act) and completely prohibited the commercialization of DHD (Section 29(5), DISHA)Since the term ‘commercial’ hasn’t been defined in the Act, we need to take look in the context of legal precedents. In Laxmi Engineering Works v. P.S.G. Industrial Institute, the Court held that commercial means related to commerce, which means “connected with, or engaged in commerce; mercantile; having profit as the main aim”.

The ‘freemium model apps’ provide services and features free of cost, which means there is no commercial transaction per se. However, the use of data to send a tailored advertisement to the user for revenue can be interpreted under the ambit of term ‘commercial’, but unless the scope of the term is defined, it will be difficult to ascertain what ‘commercialization’ of DHD means. Hence the scope of the term ‘commercial’ needs to be defined to erase any confusion.

If there is a complete ban on the commercialization of health data, without defining its scope then it will affect M-health service providers who use either ‘freemium’ or ‘subscription-based’ model, as the use of DHD for tailored advertisement/recommendation for a specific user would amount to ‘commercial’ use of DHD.

Further section 29(5) of DISHA has even prohibited the use and access of DHD in ‘anonymized’ (Section 3(1)(a), DISHA) form for any commercial purpose. The use of DHD in the anonymized form helps in creating data points, which helps in curating to the user’s need and developing the product in tune with the current trends in the market. This will also hamper research, development and innovation in M-health sector.

What Road Lies Ahead?

In PDP Bill, 2019, health data being sensitive personal data needs the express consent of the individual for the data to be processed, but in DISHA any use of DHD for commercial purposes has been prohibited. The problem lies as to the applicability of the law, i.e., which law will apply in this scenario, as both PDP Bill and DISHA have overriding clauses (Section 96 and Section 52, respectively). Thus, if any conflicting provisions of any other law exist, then that conflicting provision wouldn’t be applicable. In such a case the support can be taken from  General Manager, Telecom v. M. Krishnanwhere it was observed that in case of conflict between two sets of laws, the special law, which in this case is DISHA, will override general law, which in this case is PDP Bill 2019.

M-health service providers like apps, wearable devices usually do not collect or process extremely personal/complicated health data related to one individual, as clinical establishments or health information exchanges do (for example DNA sample, data related to serious chronic condition/illness, etc.). Their operation is usually limited to the collection of data like rate of heartbeat, data related to physical condition, or at times BMI of individual. Therefore, inclusion of such M-health service providers under the ambit of DISHA can negatively impact the growth of the M-health sector, because of the extremely strict requirements under the Act.

Hence, the applicability of DISHA can be limited to clinical establishments or health information exchanges only, considering the nature of DHD they handle, and apps/wearable devices providing M health services can be governed under PDP Bill 2019, which will not only reduce friction between two sets of laws but will also promote the development of M-health.

This article has been authored by Jyotiranjan Mallick, student at National Law Institute University, Bhopal.

Leave a Reply

Your email address will not be published. Required fields are marked *