Abstract
The Digital Personal Data Protection Act (DPDPA), 2023 of India provides a regulatory framework for the use and security of personal digital data. However, in instances where patients consult clinicians via digital means of communication, the implications of DPDPA, 2023 for medical personnel remain unclear. This paper critically discusses the gray areas between the Indian medical ecosystem and DPDPA, 2023, and lists recommendations to address them.
Subject terms: Health care, Health policy
Introduction
Digitalisation and globalisation have transformed the world in recent years, with the digital health market forecast to exceed $833.44 billion by 2027 [1]. In the healthcare sector, digitalisation has optimised workflows, enhanced the quality of patient care and promoted the development of innovative solutions to screen for, diagnose and track the spread of infections amongst large populations [2]. Recognising its potential, the World Health Organization (WHO) released ‘Guideline Recommendations on Digital Interventions for Health Systems’ [3] in 2019 and the ‘Global Strategy on Digital Health 2020–2025’ [4] in 2021, wherein the term ‘digital health’ is inclusive of ‘eHealth’.
WHO defines digital health as “the field of knowledge and practice associated with development and use of digital technologies to improve health” [4], and eHealth as “cost-effective and secure use of information and communications technologies in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge and research” [5].
In particular, eHealth has the potential to revolutionise patient-provider and provider-provider telemedicine [4,5]. Healthcare data is big, sensitive personal data, and its sharing requires strong safety and security measures. WHO’s global digital strategy emphasises maintaining patient confidentiality and data integrity through robust legal and regulatory frameworks developed by each country for the lawful governance of its national health system [4]. In 2021, the United Nations Conference on Trade and Development reported that 70% of the world’s countries had developed data protection laws to safeguard their citizens’ right to privacy [6]. The most notable is the European Union’s General Data Protection Regulation (GDPR) [7], with several countries incorporating components of GDPR within their national laws, such as Germany’s ‘Bundesdatenschutzgesetz’ (federal data protection law) [8,9] and Sweden’s ‘Integritetsskyddsmyndigheten’ (Swedish Authority for Privacy Protection) [10].
India’s burgeoning population has the potential to be both the source and the provider of large-scale healthcare datasets that may be utilised for developing innovative digital solutions [11], for example predicting epidemics, preventing disease and reducing the cost of patient services. To maintain the balance between the lawful utilisation of an individual’s personal data and their right to privacy [12], the Indian Government adopted the ‘Right to Privacy’ in 2017 and followed it by legislating ‘The Digital Personal Data Protection Act’ (DPDPA) in 2023 [13].
DPDPA, 2023 covers various individuals and organisations, such as telemedicine apps, online marketplaces, government websites, banking apps, etc. However, the implementation challenges that DPDPA poses for the medical fraternity, and the amendments needed to accommodate the varying circumstances of the Indian medical ecosystem, still need to be addressed. This paper highlights the exemptions and other provisions that Indian health care providers require to discharge their duties efficiently, without fear of superfluous litigation under DPDPA, 2023.
The Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act (DPDPA) was published on 11th August, 2023 by the Government of India [13] but is yet to be implemented in the country. The Act was formulated after privacy became a fundamental right in India in 2017. It governs the handling of digital personal data and was introduced to give individuals greater control over their personal data and to ensure that the individuals or businesses handling such data are transparent regarding its collection, use, sharing and storage. The Act ordains the Data Protection Board of India as the primary adjudicating authority for matters pertaining to personal data breaches, with penalties ranging between 10,000 INR and 250 crores INR (~2.5 billion USD). It defines the responsibilities of data principals, data fiduciaries, data processors, the data protection officer and consent managers. The Act applies to personal data in digital form as well as to non-digital data that is subsequently digitised.
Currently, the responsibility for maintaining the confidentiality and privacy of any data shared by the data principal (Table 1) lies with the primary data fiduciary, with the Data Protection Board being the deciding authority on penalties and adjudication. The amount of the monetary penalty is decided after considering: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; any gain or loss avoided as a result of the breach; the action taken to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action; whether the penalty is proportionate and effective, having regard to the need to secure observance of, and deter breach of, the provisions of the Act; and the likely impact of the penalty on the person. The imposed penalty is deposited in the Consolidated Fund of India [14], a revenue repository of the Government of India, rather than paid to the aggrieved party.
Table 1.
Terminologies used in the DPDPA recommendations
S.No. | Term | Definition |
---|---|---|
1. | Personal medical data | Medical prescriptions, medical reports, images specific to the patient’s condition/disease/disorder, biopsy reports, intraoperative/surgical images, radiographs, genetic data, ultrasonography images and/or reports, any other investigative reports, and digital communications pertaining to enquiry about or progress of the condition/disease/disorder. |
2. | Data fiduciary | A member of the medical fraternity who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. |
3. | Data principal | The individual to whom the personal data relates. |
Dilemma of the medical fraternity
The medical fraternity of India engages in providing clinical services as well as conducting healthcare research. The medical practitioners of India are governed by the rules and regulations of the National Medical Commission regarding ethics and the principles of informed consent and patient confidentiality [15], whereas researchers follow the Indian Council of Medical Research’s 2017 ethical guidelines on biomedical research [16].
Prior provisions to protect patient confidentiality exist under the “National Medical Commission Registered Medical Practitioner (Professional Conduct) Regulations, 2023” of India [15], wherein medical practitioners are mandated to acquire informed consent from the patient prior to instituting any procedure. If the patient is incapacitated, informed consent is to be taken from family members or the legal guardian. In an emergency, the doctor should try to obtain consent, but if this is not possible, the doctor must act in the best interest of the patient. Medical practitioners are required to ensure doctor-patient confidentiality, wherein ‘every communication’ is deemed confidential. The current quandary lies in the term ‘every communication’: whether it includes digital communication that the patient engages in of their own free will, and whether scanned documents are considered ‘digital’.
Optimum patient care requires accurate diagnosis, which often depends upon multidisciplinary case discussions, expert opinions and multispeciality referrals. A specific diagnosis is based on the personal health information of the patient and the resulting investigations. In the Indian scenario, such information is frequently shared by patients via digital means of communication (such as WhatsApp or email) to facilitate speedy diagnosis or orientation as to the further course of action. This also helps the patient or the care provider avoid an unnecessary hospital visit that may further burden strained health facilities or escalate financial costs. However, these means of data sharing may not be fully compliant with the stringent requirements of the DPDPA.
Further, during the course of planning treatment strategies and patient management (both during emergencies and in routine care), patient information may be shared amongst various doctors for confirmation or referral. This holds particularly true for rare cases and multimorbid complex cases, wherein diagnostic and management confirmation is required from multiple specialties and time is critical. Since the popular modes of social media communication are optimised for sharing data with several recipients and rapidly collecting responses, they are quite useful to a clinician or researcher serving in remote areas and dealing with unfamiliar clinical conditions. These clinicians may rely heavily on expert advice gleaned from social media communications in serving the patient population and adopting the best practices possible under the given circumstances. Moreover, rapid sharing of clinically meaningful imaging may help in quick decision making in emergency settings such as brain trauma, where timely actionable advice can save lives.
With the advent of DPDPA, 2023, it remains unclear to the Indian medical fraternity whether informal sharing of patient data via digital means in the above-mentioned situations would amount to a violation of the law and incur the severe penalties dictated by the Act. A ‘one size fits all’ approach may escalate uncertainty amongst health care researchers about utilising patient data for developing improved solutions.
Recommendations for consideration
On 11th May, 2024, a national workshop was held at a national tertiary care and research institution of the country (All India Institute of Medical Sciences, New Delhi) to discuss the impact of DPDPA, 2023 on the medical ecosystem [17]. An interdisciplinary panel discussion was held with over 100 researchers, medical professionals, technical experts, former government officials and legal experts (from the Supreme Court of India), wherein suggestions were provided to ensure the feasibility of, and compliance with, DPDPA, 2023. Following this, six recommendations were drafted to aid the implementation of DPDPA, 2023 amongst the medical fraternity of India, which includes all individuals (government, private, NGOs) involved in providing patient care or collecting data for the purpose of improving quality of life via health care research. The various terminologies used in these recommendations are listed in Table 1 and are derived from DPDPA, 2023 [13].
Recommendation 1
Storing personal medical data for extended periods is required to facilitate ongoing research, monitor patient outcomes, and improve treatments. DPDPA, 2023 provides exemptions for use of personal health data during medical emergencies involving threat to life or immediate threat to the health of the data principal or any other individual (section 7 clause f) and for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health (section 7 clause g). Exemptions may be extended to the following cases:
If personal medical data is shared by the data principal with a data fiduciary (Table 1) via any digital means of communications for the purpose of obtaining medical diagnosis or opinion. In such a scenario, implied consent would be assumed from the patient.
The data fiduciary may share personal medical data as provided by the data principal with other medical experts from the same or other specialities/fields for improving medical diagnosis, acquiring secondary opinions, expediting patient care, modifying patient care, improving prognosis as seen fit by the data fiduciary.
The data fiduciary may store the personal medical data for an indeterminate time period for the express purpose of monitoring patient outcome.
The data fiduciary may use the personal medical data for publication after obtaining informed consent from the data principal and ensuring anonymization of the personal medical data. Informed consent should include clear communication regarding data handling, including usage, sharing and future storage.
The data fiduciary may use the personal medical data following anonymization for the purpose of health care research.
Discussion 1
The European Union’s GDPR provides for derogation [18] from certain rights of data subjects when personal data is being used for scientific or historical research purposes or statistical purposes, or is being archived in the public interest. These include the right of access by the data subject [19], the right to rectification [20], the right to restriction of processing [21], the notification obligation [22], the right to data portability [23] and the right to object [24].
GDPR also recognises special categories of personal data and provides derogation “for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” under clause (h) of paragraph 2 of Article 9. A certain degree of latitude has also been extended to the processing of genetic data, biometric data or data concerning health [25].
Recommendation 2
Organisations involved in storing personal medical data should set up robust cybersecurity measures to prevent data breaches. In the event of a data breach, immediate reporting to the appropriate cybersecurity authorities and the computer emergency response team (CERT), in addition to notifying the affected data principals, should be mandatory. Further escalation should be governed as per DPDPA, 2023 (Table 2).
Table 2.
Overview of recommendations for enhancing DPDPA
S.No | Recommendation |
---|---|
1. | DPDPA should consider extenuating circumstances related to patient care and diagnosis and; provide exemptions to the health care workers involved in the same. Storage and sharing of health care data by the health care workers for patient care and research should be considered as well. |
2. | Organizations involved in storing personal medical data should set up robust cybersecurity measures for preventing data breaches. |
3. | Any personal medical data that was initially acquired by the data fiduciary for the purpose of providing patient care to the data principal and is later required to be used for analysing or storing for the purpose of research should be pseudonymized by the data fiduciary to maintain the privacy of the data principals. |
4. | Both data fiduciary and data processors should share the responsibility of data privacy in case of AI based medical research. |
5. | Multiple workshops for capacity building along with experts from the field of law and cybersecurity should be held across the country to sensitize the medical fraternity of the implications of this act and the strict penal provisions. |
6. | Annual expenditure on health by the government should make provisions for assessing security weaknesses of health information systems. A dedicated cybersecurity team should be appointed to conduct regular vulnerability tests, prepare countermeasures and assess the ecosystem risks for data breaches. |
Discussion 2
Article 83 of the GDPR mandates administrative fines of up to 2 billion Euros (~2.15 billion USD) or 4% of the total worldwide annual turnover of the preceding financial year. Additionally, the member states can formulate and impose their own specific penalties (Article 84), and non-compliance with such orders invites heavy penalties [26,27]. Prior to processing, a data protection impact assessment is also required to be conducted by the data controller, especially for special categories of personal data [28] including health data [29].
Recommendation 3
Any personal medical data that was initially acquired by the data fiduciary for the purpose of providing patient care to the data principal, and is later required to be analysed or stored for the purpose of research, should be pseudonymised by the data fiduciary to maintain the privacy of the data principals. Prior written permission from the Institutional Review Board/Institutional Ethics Committee would be mandatory in such cases.
Discussion 3
Data pseudonymisation refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information [30]. Data anonymisation refers to personal data rendered anonymous in such a manner that the data subject is not, or is no longer, identifiable [31]. GDPR does not apply to anonymised data.
Recommendation 4
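To make the distinction concrete, the following added example (not from the paper or the workshop) pseudonymises constructed patient records with a keyed HMAC, keeps the key and the re-identification table separately with the data fiduciary as the "additional information", and contrasts this with anonymisation that drops direct identifiers and generalises quasi-identifiers so that no link back exists. All record values, field names and the key are constructed for illustration.

```python
"""Pseudonymisation vs anonymisation of patient records (constructed example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records: every identifier and value here is invented.
PATIENT_RECORDS: List[Dict] = [
    {"uhid": "UHID-1001", "name": "Patient A", "age": 34, "pincode": "110029",
     "diagnosis": "oral leukoplakia", "tobacco_use": True},
    {"uhid": "UHID-1002", "name": "Patient B", "age": 58, "pincode": "110016",
     "diagnosis": "oral squamous cell carcinoma", "tobacco_use": True},
    {"uhid": "UHID-1003", "name": "Patient C", "age": 41, "pincode": "122001",
     "diagnosis": "oral lichen planus", "tobacco_use": False},
]

# Fields that directly identify a patient and must never reach the research set.
DIRECT_IDENTIFIERS = ("uhid", "name")


def make_pseudonym(uhid: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same patient maps to the same token
    across datasets, but only a holder of the key can recompute it."""
    return hmac.new(key, uhid.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (research_dataset, reid_table).

    The research dataset carries only the pseudonym plus clinical fields; the
    re-identification table (and the key) is the 'additional information' that
    stays with the data fiduciary, separate from the research dataset."""
    research: List[Dict] = []
    reid_table: Dict[str, str] = {}
    for rec in records:
        token = make_pseudonym(rec["uhid"], key)
        reid_table[token] = rec["uhid"]
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["pseudonym"] = token
        research.append(clean)
    return research, reid_table


def reidentify(research_record: Dict, reid_table: Dict[str, str]) -> str:
    """Only possible with the fiduciary-held table; without it there is no link."""
    return reid_table.get(research_record["pseudonym"], "")


def anonymise(records: List[Dict]) -> List[Dict]:
    """Drop direct identifiers and generalise quasi-identifiers (age, pincode).
    No token is kept, so no party can attribute a row to a patient afterwards."""
    out: List[Dict] = []
    for rec in records:
        decade = (rec["age"] // 10) * 10
        out.append({
            "age_band": f"{decade}-{decade + 9}",
            "pincode_prefix": rec["pincode"][:3],
            "diagnosis": rec["diagnosis"],
            "tobacco_use": rec["tobacco_use"],
        })
    return out


def contains_direct_identifier(dataset: List[Dict]) -> bool:
    """Check a released dataset for any of the direct-identifier fields."""
    return any(k in DIRECT_IDENTIFIERS for row in dataset for k in row)


if __name__ == "__main__":
    key = b"constructed-fiduciary-key-keep-separate"
    research, reid = pseudonymise(PATIENT_RECORDS, key)
    print("research row:", research[0])
    print("re-identified by fiduciary:", reidentify(research[0], reid))
    print("anonymised row:", anonymise(PATIENT_RECORDS)[0])
```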
Artificial intelligence (AI)-based medical research may involve sharing personal data with AI models. This entails complexities in tracking and managing the personal data because of AI’s data processing and replication capabilities, making it difficult to retract personal data once shared. Data fiduciaries involved in such prospective studies should acquire informed consent from all the data principals. In retrospective studies, the onus would be on the data fiduciaries to ensure pseudonymisation of the personal medical data prior to its use in AI models. However, data processors (technical experts) will share the liability (ethical and monetary) for maintaining the confidentiality and privacy of the medical data being used to develop AI models. The principle of proportionality may be used to determine culpability in case of data leaks.
Discussion 4
DPDPA, 2023 holds the data fiduciary alone as the person/organisation liable for prosecution, regardless of who is responsible for the data breach. In contrast, GDPR considers both the data controller and the processor individually responsible for maintaining data security. It also provides exemption from liability if it is proven that they are not in any way responsible for the event giving rise to the damage [32].
Recommendation 5
It is imperative that awareness be spread amongst the medical fraternity regarding the DPDPA on a war footing. It is recommended that multiple workshops for capacity building along with experts from the field of law and cybersecurity be held across the country to sensitize the medical fraternity of the implications of this act and the strict penal provisions.
Discussion 5
Concerns of the in-field health care workers should be addressed during such workshops.
Recommendation 6
Compliance with the DPDPA may require persons/organisations from the medical fraternity to introspect and invest in the infrastructure and human resources needed to maintain readiness against cybersecurity threats. Hence, the government’s annual expenditure on health should make provision for assessing the security weaknesses of health information systems via tests such as vulnerability assessment and penetration testing (VAPT). A dedicated cybersecurity team should be appointed in each institution (particularly for significant data fiduciaries) to conduct regular vulnerability tests, prepare countermeasures and assess the ecosystem risks for data breaches.
Discussion 6
Similar provisions have been mandated by the GDPR to implement technical and organisational mechanisms such as pseudonymisation, data minimisation, encryption, restoration of personal data in the event of an incident, and processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing [25,33]. Voluntary data protection certifications, seals and/or marks can be acquired from accredited certification bodies to validate such measures. The certification bodies should be accredited in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council and with EN-ISO/IEC 17065/2012 [34,35].
Conclusion
As the world becomes increasingly technologically advanced, threats to personal data have increased manifold. As of August 2024, cumulative fines of ~4.6 billion euros have been levied since the advent of GDPR (in 2018), with the healthcare sector accounting for 17 million euros [36].
DPDPA, 2023 is considered a watershed moment for India in the field of digital healthcare. Through its mass population-driven data, our country holds the key to developing AI-deployed solutions for other nations, and it is imperative that the enablers of such initiatives be protected from frivolous litigation. Inclusion of these recommendations within DPDPA, 2023 would be instrumental both in encouraging foreign investment in healthcare ecosystems and in propelling the country’s medical fraternity to undertake the task of providing optimum care in the best interest of patients.
Acknowledgements
The workshop following which the manuscript was drafted was funded by the Indian Council of Medical Research (BMI/014(03)/TF/2023) under the National Task force project entitled “Generate Medical Imaging Datasets (MIDAS) for tobacco induced oral lesions to enhance research in health in India”.
Author contributions
Conceptualization was by D.M. Investigation and data curation were done by A.S. Writing- Original draft was completed by A.S. Writing- Review and editing was done by D.M., V.S., H.S., R.S., D.P., R.D., Ro.S., S.M., N.A.C., So.M., P.D., and V.K.I. Overall supervision was done by V.S. and D.M. Funding acquisition done by D.M., D.P., and H.S. Final approval for submission was done by all authors.
Data availability
No datasets were generated or analysed during the current study.
Competing interests
The authors declare no competing interests.
Footnotes
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
- 1. Global Wellness Institute. Wellness Real Estate Market Growth (2019–2023) and Future Developments (2024). https://globalwellnessinstitute.org/industry-research/wellness-real-estate-market-growth-2019-2023-and-future-developments/.
- 2. Paul, M., Maglaras, L., Ferrag, M. A. & Almomani, I. Digitization of healthcare sector: a study on privacy and security concerns. ICT Express 9, 571–588 (2023).
- 3. World Health Organization. Recommendations on digital interventions for health system strengthening – Executive summary. https://www.who.int/publications/i/item/WHO-RHR-19.8.
- 4. World Health Organization. Global strategy on digital health 2020–2025. https://www.who.int/publications/i/item/9789240020924.
- 5. World Health Organization, Regional Office for the Eastern Mediterranean. eHealth | Health topics. http://www.emro.who.int/health-topics/ehealth/.
- 6. UNCTAD. Data Protection and Privacy Legislation Worldwide. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide.
- 7. European Union – Data Privacy and Protection. https://www.trade.gov/european-union-data-privacy-and-protection.
- 8. Federal Ministry of the Interior and Community. National data protection law. https://www.bmi.bund.de/EN/topics/it-internet-policy/data-protection/data-protection.html;jsessionid=52F05F3AA920D53F7C4BD7E0472BD2AE.live861?nn=9385532.
- 9. Bundesministerium des Innern und für Heimat. Bundesdatenschutzgesetz. https://www.bmi.bund.de/DE/themen/verfassung/datenschutz/bundesdatenschutzgesetz/bundesdatenschutzgesetz-artikel.html;jsessionid=EE7E2EED42BBA5B97CEB0942EE1B4892.live862?nn=9393752.
- 10. Integritetsskyddsmyndigheten (IMY). https://www.imy.se/en/.
- 11. NITI Aayog. National Strategy for Artificial Intelligence. Paper (June 2018).
- 12. Abouelmehdi, K., Beni-Hessane, A. & Khaloufi, H. Big healthcare data: preserving security and privacy. J. Big Data 5, 1 (2018).
- 13. Ministry of Electronics and Information Technology, Government of India. Digital Personal Data Protection Act 2023. https://www.meity.gov.in/content/digital-personal-data-protection-act-2023.
- 14. CGA. Overview of Accounts. https://cga.nic.in/Page/Overview-of-Accounts.aspx.
- 15. National Medical Commission (NMC). National Medical Commission Registered Medical Practitioner (Professional Conduct) Regulations, 2023. https://www.nmc.org.in/rules-regulations/national-medical-commission-registered-medical-practitioner-professional-conduct-regulations-2023-reg/.
- 16. Behera, S. K., Das, S., Xavier, A. S., Selvarajan, S. & Anandabaskar, N. Indian Council of Medical Research’s National Ethical Guidelines for biomedical and health research involving human participants: The way forward from 2006 to 2017. Perspect. Clin. Res. 10, 108–114 (2019).
- 17. Delhi-AIIMS Hosts Workshop on Data Protection Act and Launches Oral Cancer Research Initiative. Drug Today Online. https://www.drugtodayonline.com/medical-news/news-topic/18690-delhi-aiims-hosts-workshop-on-data-protection-act-and-launches-oral-cancer-research-initiative.
- 18. Art. 89 GDPR – Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-89-gdpr/.
- 19. Art. 15 GDPR – Right of access by the data subject. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-15-gdpr/.
- 20. Art. 16 GDPR – Right to rectification. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-16-gdpr/.
- 21. Art. 18 GDPR – Right to restriction of processing. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-18-gdpr/.
- 22. Art. 19 GDPR – Notification obligation regarding rectification or erasure of personal data or restriction of processing. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-19-gdpr/.
- 23. Art. 20 GDPR – Right to data portability. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-20-gdpr/.
- 24. Art. 21 GDPR – Right to object. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-21-gdpr/.
- 25. Art. 25 GDPR – Data protection by design and by default. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-25-gdpr/.
- 26. Art. 83 GDPR – General conditions for imposing administrative fines. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-83-gdpr/.
- 27. Art. 84 GDPR – Penalties. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-84-gdpr/.
- 28. Art. 9 GDPR – Processing of special categories of personal data. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-9-gdpr/.
- 29. Art. 35 GDPR – Data protection impact assessment. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-35-gdpr/.
- 30. Art. 4 GDPR – Definitions. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-4-gdpr/.
- 31. Recital 26 – Not Applicable to Anonymous Data. General Data Protection Regulation (GDPR). https://gdpr-info.eu/recitals/no-26/.
- 32. Art. 82 GDPR – Right to compensation and liability. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-82-gdpr/.
- 33. Art. 32 GDPR – Security of processing. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-32-gdpr/.
- 34. Art. 42 GDPR – Certification. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-42-gdpr/.
- 35. Art. 43 GDPR – Certification bodies. General Data Protection Regulation (GDPR). https://gdpr-info.eu/art-43-gdpr/.
- 36. GDPR Enforcement Tracker – list of GDPR fines. https://www.enforcementtracker.com.