Inviting “FDPPI-Special Associate Membership” for Data Discovery Champions

FDPPI is inviting software developers in the domain of Privacy and Data Protection to join the community of “Special Associate Members”. Such members can expect an opportunity to showcase their products in FDPPI forums from time to time and also seek mentorship for better compliance with DPDPA.

As an example of what FDPPI wants the product developers to achieve, let us discuss the “Discovery and Classification” systems presently on offer in the market.

DPDPA is applicable for legacy data and hence every organization needs to ensure that all their existing data to which DPDPA is applicable is identified and tagged. This is not merely a “Personal Data Discovery Process”. It is a process which identifies DPD or Data which is protected by DPDPA.

DPDPA does not protect “Non Personal Data”. Hence the discovery system should exclude such data. Even after thus filtering “Personal” from “Non Personal” Data, some categories of personal data may not be considered DPD. One example: personal data generated outside India and not used for providing any product or service to data principals in India needs to be excluded. If personal data is generated outside India, is not related to business or service provided to data principals, but is processed in India, it may be protected or not protected based on certain conditions.

Likewise there are many conditional applications of DPDPA that need to be taken into account before we tag a set of data elements as DPD.

Does the current software have such capability? If not, how is such capability to be achieved?

These are some of the questions which the software developers need to ask themselves. If they feel that they need expert guidance in this regard, it is time for them to consider “Special Associate Membership” of FDPPI. Contact today.

(Look out for more such reasons… to follow)

Naavi.

Posted in Cyber Law

Why Wait for a new law to regulate AI when the existing law is good enough…

AI is all around us and in different forms. Today almost every software is considered as “AI-Embedded”. It is like the “Intel Inside” slogan.

On the one hand, IPR and Privacy activists are crying that AI developers are using data for algorithm development and machine learning ignoring the existing laws of Privacy and Copyright. On the other hand, users are using AI algorithms without understanding their complicity in this IPR or Privacy Violations.

In India both the vendors and the users are taking advantage of the “There is No Law and hence I can do no wrong” attitude.

We need to ask ourselves whether we should wait for the “Digital India Act” to be enacted, or brace for the impact of AI with whatever law already exists.

We currently have an operative law, ITA 2000, which “Attributes” any automated action of a software to a “Person”. The consequences of the use of the automated software are therefore attributable directly to a human who causes the software to behave in a particular manner. It could be one or more of the “Developer”, “Vendor” or the “Licensed User” who carry this attribution and are accountable for the AI. The penalties already mentioned in ITA 2000 and the judicial process of “Adjudication” with judicial oversight already in place can act as the remedy for those who get adversely affected by AI.

The principles of “Data Fiduciary” in DPDPA further expand the accountability of the “User” in terms of what assurances he has to seek from developers, what disclosures he has to make in his privacy notices and what consents he has to obtain.

We should therefore start applying the current laws to AI regulation in India and not worry about a new law which may eventually be passed.

In implementation, the Developer as well as the User of an AI is advised to designate a human “Handler” for the AI functioning and disclose it appropriately. In the absence of such designation, the CISO/DPO will have to assume the responsibility.

Comments are welcome.

Naavi

Posted in Cyber Law

How Good is your Privacy Product/Solution?

DPDPA 2023 was passed in August 2023 and is shortly expected to be notified.

Over the last two years some companies have already started their compliance work firstly by conducting a Risk Assessment and then trying to implement Governance solutions in terms of policies for handling personal data.

Now most of these companies are being offered several solutions from the market for Data Discovery, Consent Management etc. The DPOs are finding it difficult to take a view on which product to choose, since once they implement any product it will be difficult to make changes later if there is a change in the rules or a better product surfaces.

The NeGD has also announced a “Coding Challenge” for Consent Management and participants are likely to come up with several solutions a couple of which may even be endorsed by NeGD as “Winners of the contest”.

FDPPI is committed to ensuring that DPDPA Compliance is properly embedded into such tools and solutions.

In this context FDPPI has already offered an evaluation of a DPDPA Compliance product from the perspective of the DGPSI framework.

This ad hoc measure is now being formalized through an “Evaluation and Mentorship of Companies Engaged in development of DPDPA Compliance products”. This will be offered to select Corporate Members who are termed “Special Associate Members” of FDPPI.

The scheme will be tailored to specific companies on a case to case basis. The evaluation will be conducted by a consortium of senior FDPPI members.

The “SAM” scheme will provide the following benefits.

  1. Evaluation of the functional aspects of the product from DGPSI perspective
  2. Mentoring the development team for improvements
  3. Opportunity to showcase products in FDPPI fora

The SAM will have a corporate membership fee which will be based on the products of the company. Existing Corporate Members can also get their product evaluated, either as an extension of their current service (which was limited to DPDPA consultancy and employee training) or on a priority pricing basis.

It is open to the community to take advantage of this facility.

Naavi

Posted in Cyber Law

Brace for Impact.. DPDPA is about to descend on you

As we approach the notification of DPDPA it emerges that there are some sectors of industry and business which may face serious repercussions if they do not recognize the impact of DPDPA. Though we often speak of the penalty of Rs 250 crores, we do not imply that any of the organizations would be penalised substantially in the near future. But it is essential to understand the risks and brace for impact.

Some of the developments in Delhi indicate that the notification of DPDPA is imminent. This should put all wise managements on alert to understand the risk of non compliance and the basic requirements for meeting the challenge of DPDPA.

In particular I recognize some sectors as vulnerable to damage for various reasons. One may be lack of resources to put in place a good “DPDPA Risk Identification and Management System” (DRIMS). The SME and MSME sector, irrespective of what business they are in, could fall into this category. The second major reason for vulnerability applies to those organizations engaged in activities traditionally recognized as service to society, though in recent days they might have been commercialized. Hospitals, Educational Institutions and Temples can all come under this category.

Under GDPR, Article 91 exempts Churches and Religious Associations from the rigours of GDPR. The article states as under:

Article 91: Existing data protection rules of churches and religious associations

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

In other words, GDPR recognizes that Churches and Religious Institutions can self regulate. Such organizations can set up their own regulatory agency. While we are not aware whether any such agencies have been set up in any EU member state, the provision does exist.

On the other hand, DPDPA does not specifically exempt any religious or charitable organizations from the law.

The complete exemption from DPDPA is provided under Section 17(2) to “Notified instrumentalities of the State”. The power of such notification however is limited to

interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it;”.

Hence Government cannot indiscriminately use Section 17(2) to exempt any data fiduciary from the Act.

The rest of the “Instrumentalities” of the State come under Section 17(4), and the exemption available is limited to Sections 8(3), 8(7), 12(2) (if not used for decision making) and 12(3).

Additionally, under Section 17(3), the Central Government has reserved its right to notify certain data fiduciaries, including start ups, to which major parts of the Act, such as “Providing Notice”, “Data Deletion after completion of purpose”, “Maintaining Accuracy of data” and “Providing Right to Access and Erasure”, will not apply.

If therefore certain sections of the industry consider themselves “Vulnerable”, then they should either be fully compliant with the Act or seek exemption under Section 17.

Of the exemptions, the exemption under Section 17(1) is process dependent and not entity dependent. In other words, any data fiduciary can claim exemption for this purpose. The process based compliance recommended under DGPSI satisfies this need.

Exemptions under Section 17(2) as well as 17(3) require a specific notification.

Section 17(4) applies to all “Instrumentalities of State” but exempts only Notice, Accuracy, erasure and rights related to erasure and accuracy.

Section 17(5) is an enabling provision available for 5 years to exempt any data fiduciary other than those covered in Sections 17(1), 17(2), 17(3) and 17(4).

Of the several vulnerable sectors, the education sector is considered the most vulnerable, since by tradition it does not focus on Information Security to the extent other sectors do. Small hospitals, dispensaries and medical consultants may also be considered vulnerable.

These sectors need to organize themselves and undertake “Sectoral Representative Action”. Others who are not considered “Vulnerable sectors” can brace for impact with compliance measures under DGPSI.

FDPPI would like to catalyse this as a part of its commitment to the society. This will be one of the main objectives of the IDPS 2025.

Naavi

Posted in Cyber Law

Legal and Digital Synergy in Indian Healthcare: The NABH-DPDP Compliance Standard..

Guest Post: From Advocate M.G.Kodandaram, IRS, Senior Member FDPPI

A New Chapter in Indian Healthcare

A quiet revolution is reshaping healthcare in India, not through grand infrastructure or cutting-edge equipment, but through a force far less visible yet profoundly transformative: DATA. Across cities and smaller towns alike, paper records are giving way to Electronic Health Records (EHRs), cloud platforms are enabling seamless remote diagnostics, and AI is becoming an invisible partner in clinical decision-making. Yet, behind this wave of innovation lies a critical imperative: Digital Responsibility.

That responsibility is no longer abstract, as it now rests on clearly defined legal and institutional foundations. On one side stands the National Accreditation Board for Hospitals & Healthcare Providers (NABH)[i], which launched its pioneering Digital Health Accreditation Standards. On the other is the Digital Personal Data Protection (DPDP) Act, 2023, India’s first comprehensive law dedicated to regulating the collection, processing, and protection of personal digital data. Together, these frameworks do not merely support the shift toward technology—they define how that shift must occur.

India’s healthcare system is undergoing a foundational transformation. What was once considered a strategic edge – ‘digitising healthcare systems’ – has become a non-negotiable operational and legal requirement.

As healthcare providers adopt digital tools like EHRs, telemedicine platforms, AI diagnostics, and wearable technologies, they are also navigating a complex regulatory landscape. This transformation demands more than efficiency—it calls for compliance, accountability, and ethical stewardship. Without strong safeguards for data privacy and quality assurance, digitalisation risks undermining the very trust it aims to build.

For years, going digital in healthcare was seen as a symbol of prestige or convenience. That perception has shifted. Today, as patients generate vast volumes of health information through mobile apps, diagnostics, and prescriptions, managing the underlying digital infrastructure has become just as critical as delivering clinical care.

Recognising this shift, NABH introduced its Digital Health Accreditation Programme in September 2023[ii]. Rather than leaving digital transformation to individual discretion, the initiative established a structured, scalable framework for evaluating digital maturity in hospitals. Institutions are now assessed across a three-tier scale – Silver, Gold, and Platinum – based on the safety, interoperability, and robustness of their digital systems. The framework is comprehensive, comprising 8 chapters, 38 standards, and 181 measurable elements, aimed at standardising digital excellence across the sector.

However, structure alone isn’t sufficient. As personal health data moves across platforms, institutions, and digital applications, Privacy and Security become paramount. This is where the DPDP Act, 2023 becomes vital. By classifying hospitals as “significant data fiduciaries,” the law imposes rigorous obligations around informed consent, data minimisation, purpose limitation, and breach reporting. In other words, handling patient data is no longer a matter of internal policy – it is now a statutory obligation, enforceable by law.

Taken together, the NABH and DPDP frameworks function like a double helix: one strand drives digital innovation and clinical quality, while the other enforces legal and ethical boundaries around patient data. Their combined influence marks a new era in Indian healthcare – one where digital systems are not just tools of convenience, but guardians of compliance, care quality, and patient trust. An attempt is made, through this article, to understand the compliance standards prescribed under the said statutes.

Behind the Accreditation

Imagine a hospital where prescriptions are still scribbled, test results misplaced, and records scattered. Now contrast that with one where a patient’s journey – from consultation to surgery to post-discharge follow-up – is mapped, monitored, and managed through secure, interoperable systems. The difference is not just efficiency – it’s safety, privacy, and trust.

That is why the NABH Digital Health Accreditation Programme is transformative. It forces hospitals to think holistically. It’s not enough to buy a software license. Accreditation means building:

  1. Audit trails for every data entry
  2. Encrypted channels for doctor-patient communication
  3. Clear access controls so only the right eyes see sensitive data

It also means building systems that can speak to each other. In an age of telemedicine, labs, insurance APIs, and government health portals, interoperability is no longer a luxury.

Digital Health Toolkit

In today’s environment, patient data is generated, stored, and shared electronically – across departments, care providers, insurance entities, and even patients themselves. This transformation, while unlocking efficiency and precision in healthcare delivery, brings complex risks related to cybersecurity, data fragmentation, access control, and interoperability.

The NABH Digital Health Accreditation Programme[iii] addresses these challenges head-on by setting benchmarks that ensure:

  • Secure digital infrastructure with audit trails;
  • Encrypted communication protocols;
  • Role-based access control to protect patient data;
  • Patient-centric information systems that enable continuity of care;
  • Defined protocols for when and how data can be accessed, shared, or destroyed.

These measures are no longer optional. Hospitals seeking accreditation, or aiming to enhance their public credibility and digital efficiency, must meet these baseline expectations.

The NABH didn’t stop at setting the bar—it also handed hospitals a roadmap in the form of a Digital Health Toolkit. Designed to guide institutions through the maze of digital transformation, the toolkit is structured into three phases:

  1. Planning
  2. Implementation
  3. Post-Go-Live

Of these, the Planning Phase is perhaps the most crucial. It’s the stage where vision meets logistics, where doctors and developers sit at the same table, and where the first mistakes – or successes – are often made.

The Planning Phase

For a hospital setting out to digitize, the Planning Phase is where it lays down its first principles – what kind of care it wants to offer, how it wants to protect patient trust, and what digital tools can enable that vision.

Step 1: Taking Stock: Before buying new systems, hospitals must assess what they already have. This means checking whether existing infrastructure—servers, networks, power backups—can support a digital overhaul. It also means studying how doctors and nurses work. Can current workflows adapt to a digital interface? Do staff need training to move from paper to pixels?

Step 2: Measuring Readiness: The NABH toolkit offers detailed checklists: HIS/EMR Readiness Assessments, IT Infrastructure Evaluations—tools that help convert vague ambitions into measurable preparedness. It’s like a health check-up for the hospital itself.

Step 3: Forming a Digital Vanguard: Transformation cannot be top-down. The NABH insists on a Steering Committee that includes clinicians, IT heads, administrators, and department leaders. This cross-functional team becomes the nerve centre of the digital transition—resolving issues, setting priorities, and ensuring that no department is left behind.

Step 4: Talking to People: Change is hard, especially in a field as sensitive as healthcare. So, hospitals must engage early. Town halls, orientation workshops, and even informal discussions are essential. Doctors may worry about screen time reducing patient time; nurses may fear errors in data entry. These concerns must be addressed head-on.

Step 5: Setting Realistic Goals: A good digital plan isn’t about ambition—it’s about clarity. Targets must be SMART: “Digitize 100% of outpatient prescriptions by June,” or “Ensure 95% compliance in access audits by year-end.” These are goals teams can rally behind.

Step 6: Planning Every Detail: Budgets, timelines, risk maps—everything must be documented. What if a vendor delays delivery? What if patient data needs to be migrated from a legacy system? Contingency planning is part of responsible digitalization.

Step 7: Choosing the Right Partners: Not all vendors are equal. The right one understands NABH standards, complies with the DPDP Act, and can integrate with insurance platforms and diagnostic systems. Due diligence—through RFPs, demos, and pilot runs—is non-negotiable.

Step 8: Defining the Must-Haves: Hospitals must define what digital success looks like. Is it just digital records? Or does it also include inventory tracking, billing integration, decision support systems, and consent management? Every module must align with both operational goals and legal mandates.

Laying the Ground for the Future

Once this Planning Phase is complete, hospitals don’t just have a project—they have a roadmap. The next stages—Implementation and Post-Go-Live—will bring their own challenges: user resistance, bugs, data inconsistencies. But if the groundwork is solid, these are hurdles, not roadblocks.

More importantly, a well-planned digital journey ensures that hospitals are not just keeping up with the times—they are staying ahead of legal, ethical, and clinical expectations.

The digital future of Indian healthcare isn’t waiting for anyone. Regulatory bodies like NABH are pushing forward. Laws like the DPDP Act are tightening the guardrails. And patients—armed with information and options—are demanding accountability.

Hospitals that treat digitalization as a checklist item may find themselves in a compliance quagmire. But those that treat it as an opportunity to reimagine care—as a patient-first, privacy-respecting, tech-enabled mission—will find themselves not just accredited, but trusted.

The DPDP Act in Hospitals

The DPDP Act, 2023, is not just a regulatory framework – it’s a new ethic, demanding that every byte of patient data be treated with the same seriousness as a life-saving drug. And for hospitals, particularly those aspiring to or maintaining NABH accreditation, compliance is no longer aspirational – it’s existential.

Complementing the NABH’s voluntary accreditation drive is the DPDP Act, 2023, India’s first comprehensive personal data protection law. Its impact on healthcare is both direct and profound. Healthcare providers manage sensitive personal data (SPD) such as biometric records, genetic data, and health conditions, and thus fall squarely within the high-risk category of data fiduciaries under the Act.

Hospitals must now:

  • Obtain valid consent from patients for data collection and usage;
  • Ensure purpose limitation and data minimization;
  • Implement robust safeguards against breaches;
  • Appoint data protection officers in some cases;
  • Be ready to report data breaches in prescribed timeframes.

Together, the NABH standards and DPDP compliance do not merely represent regulatory obligations—they establish a framework that strengthens public trust, ensures ethical handling of sensitive data, and fosters operational excellence.

Bridging Compliance and Care

The DPDP Act requires a complete rethinking of how healthcare providers handle data. Hospitals must no longer consider data storage and transmission as backend tasks, but as core clinical functions integrated into every aspect of patient interaction.

Consider the case of a mid-sized urban hospital implementing a centralised EHR system post-DPDP. The IT team is no longer a support unit but a frontline department, ensuring encryption standards are met, user access is tightly regulated, and that audit trails are verifiable. But technical capability alone is not enough. As the legal requirements evolve, so must the understanding of clinicians, administrators, and even visiting consultants.

Consent Management Becomes Clinical: One of the most striking requirements under the DPDP Act is the mandate for explicit and informed consent for the use of personal data. This seemingly simple clause carries complex implications in hospital settings. Every lab test requisition, telemedicine consultation, or data sharing with insurance companies now demands a traceable record of patient consent. Hospitals are developing digital consent forms embedded into registration software, capturing date-stamped biometric or OTP-based approvals that are stored along with medical records.

The process has transformed front-desk operations. A receptionist is now trained not only in patient onboarding but also in explaining data usage policies, managing opt-in/opt-out requests, and triggering escalation mechanisms in case a patient refuses consent for secondary uses like research or marketing. Each refusal must be respected, logged, and implemented through technical filters on data access.

The Right to Access and Correction: A New Challenge
Patients under the DPDP Act are not passive subjects of data collection. They are recognised as Data Principals, endowed with the right to access, correct, and even delete their personal data. For hospitals, this introduces both a philosophical and procedural shift.

Imagine a scenario where a patient identifies a wrong allergy notation in their EHR. Earlier, such corrections might involve informal requests, internal memos, or manual overwrites. Now, under the new law, the hospital is expected to offer a digital grievance redressal interface, allowing the patient to initiate a structured correction request, which must be resolved within a stipulated time. Moreover, the correction must be traceable, with records of the original data, the corrected entry, and the authority approving the change.

While this introduces transparency, it also raises complex legal and medical questions. What happens when a correction request challenges a clinician’s judgment—say, a psychiatric diagnosis or a surgical recommendation? Legal teams and medical ethics committees will now need to work in tandem to devise policies that balance patient rights with professional autonomy.

From Human Error to Systemic Assurance: With digitisation comes automation, but also a new form of accountability. The DPDP Act insists on purpose limitation, meaning data collected for one medical purpose cannot be reused arbitrarily for another. This calls for data tagging within EHR systems—ensuring that every field, whether diagnostic or administrative, is linked to its lawful purpose of collection.
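As an added illustration (not code from NABH, FDPPI or any EHR vendor), the following Python model shows how the two mechanisms described above fit together: each field carries the lawful purpose it was collected for, and an access request is granted only when the requested purpose matches that tag and the patient's consent for that purpose is in force, with a refusal overriding any earlier grant and every decision logged. Field names, purposes, patient and staff identifiers are constructed for the example.

```python
"""Purpose-tagged EHR fields with patient consent filters on access.

Added illustration, not code from NABH, FDPPI or any EHR vendor. The field
names, purposes, patient ids and staff ids are constructed for the example.
"""
from datetime import datetime, timezone

# Lawful purpose attached to each field when it was collected (constructed).
FIELD_PURPOSE = {
    "allergies": "treatment",
    "diagnosis": "treatment",
    "insurance_id": "billing",
    "email": "marketing",
}


class ConsentStore:
    """Per-patient record of purposes granted and refused.

    The most recent instruction wins; within one update, a refusal overrides a
    grant of the same purpose so that an opt-out is never silently lost.
    """

    def __init__(self):
        self._granted = {}   # patient_id -> set of purposes
        self._refused = {}   # patient_id -> set of purposes

    def update(self, patient_id, granted=(), refused=()):
        g = self._granted.setdefault(patient_id, set())
        r = self._refused.setdefault(patient_id, set())
        for p in granted:
            g.add(p)
            r.discard(p)
        for p in refused:          # processed last: refusal is final
            r.add(p)
            g.discard(p)

    def permits(self, patient_id, purpose):
        return (purpose in self._granted.get(patient_id, set())
                and purpose not in self._refused.get(patient_id, set()))


class PurposeGate:
    """Technical filter in front of EHR data: purpose limitation plus consent."""

    def __init__(self, consents):
        self.consents = consents
        self.log = []            # every decision, allowed or not, for audit

    def decide(self, patient_id, field_name, purpose, actor):
        lawful = FIELD_PURPOSE.get(field_name)
        if lawful is None:
            allowed, reason = False, "field has no recorded lawful purpose"
        elif purpose != lawful:
            allowed, reason = False, (
                f"purpose limitation: field tagged '{lawful}', requested '{purpose}'")
        elif not self.consents.permits(patient_id, purpose):
            allowed, reason = False, f"no valid consent for '{purpose}'"
        else:
            allowed, reason = True, "purpose matches tag and consent is in force"
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "patient": patient_id, "field": field_name,
            "purpose": purpose, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def filter_record(self, patient_id, record, purpose, actor):
        """Return only the fields of `record` that `actor` may see for `purpose`."""
        return {k: v for k, v in record.items()
                if self.decide(patient_id, k, purpose, actor)[0]}


if __name__ == "__main__":
    cs = ConsentStore()
    cs.update("P-001", granted={"treatment", "billing", "marketing"})
    cs.update("P-001", refused={"marketing"})        # patient opts out later
    gate = PurposeGate(cs)
    rec = {"allergies": "penicillin", "diagnosis": "asthma",
           "insurance_id": "INS-9", "email": "p@example.org"}
    print(gate.filter_record("P-001", rec, "treatment", "dr_rao"))
    print(gate.decide("P-001", "email", "marketing", "crm_job"))
```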

Hospitals must also assign Data Protection Officers (DPOs) or internal compliance leads who oversee system-wide adherence, report data breaches, and serve as the nodal point of contact for regulatory authorities. These roles are rapidly gaining prominence, and are often filled by professionals with dual training in law and information systems.

Breach Notification and Legal Exposure: The spectre of financial penalties under the DPDP Act—up to ₹250 crore—looms large over administrative boards. But the consequences extend beyond fines. A single breach of sensitive health data can irreparably damage a hospital’s reputation, provoke class-action lawsuits, or trigger investigations under other laws like the Information Technology Act, 2000, or the Indian Penal Code (soon to be replaced by the Bharatiya Nyaya Sanhita).

Consequently, breach reporting protocols must be codified. Any unauthorised access—whether via phishing, internal misconduct, or technical failure—must be logged, internally investigated, and in some cases, reported to the Data Protection Board. Hospitals are now investing in real-time intrusion detection systems, digital forensics teams, and third-party audits to bolster preparedness.

Interoperability vs. Privacy: The Policy Dilemma

As India pushes for a unified health stack under Ayushman Bharat Digital Mission (ABDM), hospitals are under pressure to make their systems interoperable with national databases. While this aids portability of care and improves outcomes, it also raises privacy concerns, especially when health data is linked with Aadhaar or insurance databases.

DPDP compliance demands that interoperability must never dilute consent norms. Every data-sharing interface must be equipped with user verification protocols, purpose declarations, and logging systems. In high-stakes contexts like medical research or epidemiological surveillance, data anonymisation becomes a prerequisite.

Hospitals engaging in clinical trials or partnerships with research bodies must now implement Privacy Impact Assessments (PIAs) and sign Data Sharing Agreements (DSAs) that define the scope, retention period, and destruction protocols of shared data. These agreements are increasingly becoming a standard compliance tool—drafted by legal counsel and enforced via software integrations.

Admissibility, Evidence, and Institutional Defensibility

The digital trail is not merely a compliance tool – it is a legal defence mechanism. Under the Bharatiya Sakshya Adhiniyam (BSA), 2023, electronically generated or scanned documents are admissible in court, provided they are accompanied by certificates of authenticity under Section 63 of the BSA (Refer Modernising Evidence Law: The Bharatiya Sakshya Adhiniyam, 2023 (BSA) in the Digital Age by the Author[iv]).

For hospitals, this means every digital record must be system-generated, time-stamped, and digitally signed or authenticated via a hash function. Internal SOPs must mandate that medical entries be made in real-time and on designated devices. For medico-legal cases—like assault injuries, MTPs, or custodial deaths—any compromise in data integrity can nullify the evidence in court.

Hospitals that automate this process with robust metadata management, access logs, and tamper-evident backups are best positioned to defend themselves legally. In fact, some institutions are now employing legal tech tools to automatically generate Section 63 certificates on demand, reducing delays in litigation or insurance claims.
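The tamper-evident, time-stamped trail described above, as an added example that is not code from NABH, the BSA or any hospital system: each entry records a UTC timestamp, the author, the record touched and the hash of the previous entry, and is authenticated with an HMAC under a hospital-held key (a constructed placeholder here). It also shows the traceable correction of L244 (original value, corrected value and approving authority kept together) and how verification pinpoints a modified or deleted entry. Key custody (for example in an HSM) and the Section 63 certificate itself are outside the example.

```python
"""Tamper-evident, time-stamped audit trail for clinical record entries.

Added illustration, not code from NABH, the BSA or any hospital system.
The key, staff ids, record ids and timestamps are constructed placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64          # "previous hash" of the very first entry


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so the same entry always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key          # held by the hospital, never stored with the log
        self.entries: list = []

    def _mac(self, body: dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, author, record_id, action, detail, ts=None) -> dict:
        """Add an entry chained to the previous one; returns the stored entry."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "author": author, "record_id": record_id,
            "action": action, "detail": detail,
            "prev": prev,
        }
        body["mac"] = self._mac({k: v for k, v in body.items()})
        self.entries.append(body)
        return body

    def correct(self, author, record_id, field, old, new, approved_by, ts=None):
        """A correction keeps the original value, the new value and the approver."""
        return self.append(author, record_id, "correct",
                           {"field": field, "old": old, "new": new,
                            "approved_by": approved_by}, ts)

    def verify(self) -> Optional[int]:
        """Return the index of the first bad entry, or None if the chain is intact.

        Detects edited content (MAC mismatch), reordering or deletion (seq/prev
        mismatch) and appended entries not made under the key.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if e.get("seq") != i or e.get("prev") != prev:
                return i
            if not hmac.compare_digest(self._mac(body), str(e.get("mac", ""))):
                return i
            prev = e["mac"]
        return None


if __name__ == "__main__":
    trail = AuditTrail(b"constructed-demo-key")
    trail.append("dr_rao", "EHR-1001", "create", {"allergy": "penicillin"},
                 ts="2025-06-01T09:00:00+00:00")
    trail.correct("dr_rao", "EHR-1001", "allergy", "penicillin", "none",
                  approved_by="mro_sen", ts="2025-06-02T10:15:00+00:00")
    trail.append("nurse_k", "EHR-1001", "view", {}, ts="2025-06-02T11:00:00+00:00")
    print("intact:", trail.verify())            # None
    trail.entries[1]["detail"]["new"] = "sulfa"  # simulated after-the-fact edit
    print("after edit, first bad entry:", trail.verify())   # 1
```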

From Legal Compliance to Institutional Culture

Despite the technical and legal rigour, full compliance cannot be achieved without a cultural shift within hospitals. Doctors, nurses, lab technicians, and billing executives must be trained not only on how to operate software but also on why compliance matters. Training sessions now include modules on:

  • Recognising and preventing social engineering attacks (e.g., impersonation or phishing)
  • Managing data disclosure requests from police or third parties
  • Understanding the difference between medical necessity and legal obligation
  • Filing incident reports for suspected breaches

Patient education is equally vital. Hospitals are beginning to include data privacy brochures in welcome kits, offer digital consent dashboards on tablets during admission, and launch awareness campaigns in OPDs and waiting areas.

Digital Ethics and the Future of Healthcare Governance

India’s healthcare landscape is undergoing a quiet revolution and at the heart of this transformation lies the growing imperative to treat patient data not just as information – but as a legal, ethical, and operational cornerstone of healthcare delivery.

What was once considered a backend function, “medical recordkeeping”, has now emerged as a frontline compliance priority. The DPDP Act, with its stringent requirements on consent, purpose limitation, data minimisation, and breach accountability, has elevated the way healthcare institutions handle digital personal data. Unlike earlier frameworks, the DPDP Act provides individuals with strong enforceable rights, while imposing steep penalties for lapses, thus placing patient autonomy and privacy at the centre of every digital interaction.

In parallel, NABH standards have moved from generic quality guidelines to a more nuanced digital mandate. Hospitals are now expected to deploy Electronic Health Record (EHR) systems that don’t merely capture data but do so with integrity, traceability, and security. This means time-stamped entries, audit trails, encryption, real-time access control, and documented consent workflows – elements once associated with advanced tech infrastructure, now becoming basic prerequisites for accreditation and compliance.

Together, the DPDP Act and NABH form a dual regulatory lens – one focused on patient rights and data protection, the other on institutional governance and digital standardisation. Their convergence is forcing hospitals to rethink digital workflows, not as isolated IT upgrades, but as part of a broader legal-ethical framework. More importantly, this shift is not merely technical—it is cultural. Hospitals are being compelled to instil a digital hygiene mindset across staff levels, from doctors to data-entry operators. Every click, every view, and every transmission of patient data must now be justifiable, auditable, and aligned with both clinical and legal norms.

The digital shift is also fostering greater interdepartmental collaboration. Legal teams, IT departments, and medical professionals must now work in tandem to ensure that data security protocols are not just documented but lived. Training, periodic audits, breach readiness, and clarity in roles have become essential operational practices. The law is no longer on the periphery of hospital functioning—it is embedded in how care is administered, how records are retrieved, and how patients are communicated with.

Ultimately, this transformation is more than a compliance story—it is one of trust. Patients entrust hospitals not just with their lives, but with the most intimate details of their existence. When hospitals secure that data responsibly—when they ensure access is lawful, disclosures are transparent, and systems are resilient—they do more than follow the law. They honour that trust.

In a digital era, where data is the new diagnostic tool and privacy the new patient right, NABH standards and the DPDP Act are not just shaping healthcare compliance – they are shaping the very future of ethical, accountable, and patient-centric healthcare in India.




EU Data Act to be applicable from 12th September 2025

The EU is embarking on another regulatory expedition, and a brief summary of the regulation is provided here.

This act is called “The Data Act on harmonized rules on fair access to and use of data”. It is to be implemented from 12th September 2025.

This act has also been adopted in the UK as the “Data (Use and Access) Act 2025”, which received royal assent on June 19, 2025.

This law builds upon existing data protection laws but focuses on enabling responsible data sharing, promoting innovation, and enhancing public services. 

The objective of the regulation is to ensure that users of a connected product or related service can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.

It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances.

It also ensures that data holders make data available to data recipients under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

This Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair access to and use of data.

This Regulation also ensures that data holders make available to public sector bodies, where there is an exceptional need, the data that are necessary for the performance of a specific task carried out in the public interest.

In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services.

This Regulation should not be interpreted as recognising or conferring any new right on data holders to use data generated by the use of a connected product or related service.

Currently, GDPR-like laws recognise “Personal Data” and restrict its sharing to lawful bases such as consent or legitimate interest. The “Data covered under this regulation” is what we have been recognising as “Transactional Data”, which belongs “Jointly” to the individual (User) and the organization (Data Fiduciary). Naavi has been insisting that such personal data does not belong exclusively to the data principal (data subject) and that its disposal can be governed as a joint contract.

It appears that this new regulation may shed a little more light on this concept and validate what we have adopted as “Jurisprudence”.

We can perhaps view this legislation as an extended rule on “Personal Data Disclosure”.

But as is customary, the EU/UK have made it an elaborate law in itself, with 49 articles in the EU version and 200 provisions in the UK version, and it will be analysed ad nauseam in the days to come.

Penalties under the EU version can reach up to €20 million (£17.5 million under the UK law) or 4% of a company’s total annual worldwide turnover, whichever is higher.

Besides financial penalties, the Data Act also allows for non-monetary measures such as warnings, reprimands, temporary or permanent bans on data processing, and orders to rectify, restrict, or erase data. Enforcement is primarily at the national level within each EU member state, though data protection authorities (ICO for UK) retain jurisdiction for violations involving personal data.

If an organization outside the EU/UK provides goods or services to individuals within the EU/UK, it may need to comply with the EU Data Act. If deemed applicable, organizations should implement the necessary measures to comply with the Act’s requirements, such as establishing procedures for data access requests, data portability, and data sharing.

The EU/UK Data Act may also have implications for international data transfers, requiring organizations to ensure compliance with the Act’s provisions when transferring data outside the EU. 

Watch out for more discussions on this.

Naavi
