Naavi.org

Guest Post: From Advocate M.G.Kodandaram, IRS, Senior Member FDPPI

A New Chapter in Indian Healthcare

A quiet revolution is reshaping healthcare in India, not through grand infrastructure or cutting-edge equipment, but through a force far less visible yet profoundly transformative: DATA. Across cities and smaller towns alike, paper records are giving way to Electronic Health Records (EHRs), cloud platforms are enabling seamless remote diagnostics, and AI is becoming an invisible partner in clinical decision-making. Yet, behind this wave of innovation lies a critical imperative: Digital Responsibility.

That responsibility is no longer abstract, as it now rests on clearly defined legal and institutional foundations. On one side stands the National Accreditation Board for Hospitals & Healthcare Providers (NABH)[i], which launched its pioneering Digital Health Accreditation Standards. On the other is the Digital Personal Data Protection (DPDP) Act, 2023, India’s first comprehensive law dedicated to regulating the collection, processing, and protection of personal digital data. Together, these frameworks do not merely support the shift toward technology—they define how that shift must occur.

India’s healthcare system is undergoing a foundational transformation. What was once considered a strategic edge – ‘digitising healthcare systems’ – has become a non-negotiable operational and legal requirement.

As healthcare providers adopt digital tools like EHRs, telemedicine platforms, AI diagnostics, and wearable technologies, they are also navigating a complex regulatory landscape. This transformation demands more than efficiency—it calls for compliance, accountability, and ethical stewardship. Without strong safeguards for data privacy and quality assurance, digitalisation risks undermining the very trust it aims to build.

For years, going digital in healthcare was seen as a symbol of prestige or convenience. That perception has shifted. Today, as patients generate vast volumes of health information through mobile apps, diagnostics, and prescriptions, managing the underlying digital infrastructure has become just as critical as delivering clinical care.

Recognising this shift, NABH introduced its Digital Health Accreditation Programme in September 2023[ii]. Rather than leaving digital transformation to individual discretion, the initiative established a structured, scalable framework for evaluating digital maturity in hospitals. Institutions are now assessed across a three-tier scale – Silver, Gold, and Platinum – based on the safety, interoperability, and robustness of their digital systems. The framework is comprehensive, comprising 8 chapters, 38 standards, and 181 measurable elements, aimed at standardising digital excellence across the sector.

However, structure alone isn’t sufficient. As personal health data moves across platforms, institutions, and digital applications, Privacy and Security become paramount. This is where the DPDP Act, 2023 becomes vital. By classifying hospitals as “significant data fiduciaries,” the law imposes rigorous obligations around informed consent, data minimisation, purpose limitation, and breach reporting. In other words, handling patient data is no longer a matter of internal policy – it is now a statutory obligation, enforceable by law.

Taken together, the NABH and DPDP frameworks function like a double helix: one strand drives digital innovation and clinical quality, while the other enforces legal and ethical boundaries around patient data. Their combined influence marks a new era in Indian healthcare – one where digital system are not just tools of convenience, but guardians of compliance, care quality, and patient trust. An attempt is made, through this article, to understand the compliance standards prescribed under the said statutes.

Behind the Accreditation

Imagine a hospital where prescriptions are still scribbled, test results misplaced, and records scattered. Now contrast that with one where a patient’s journey – from consultation to surgery to post-discharge follow-up – is mapped, monitored, and managed through secure, interoperable systems. The difference is not just efficiency – it’s safety, privacy, and trust.

That is why the NABH Digital Health Accreditation Programme is transformative. It forces hospitals to think holistically. It’s not enough to buy a software license. Accreditation means building:

1. Audit trails for every data entry
2. Encrypted channels for doctor-patient communication
3. Clear access controls so only the right eyes see sensitive data

It also means building systems that can speak to each other. In an age of telemedicine, labs, insurance APIs, and government health portals, interoperability is no longer a luxury.

Digital Health Toolkit

In today’s environment, patient data is generated, stored, and shared electronically – across departments, care providers, insurance entities, and even patients themselves. This transformation, while unlocking efficiency and precision in healthcare delivery, brings complex risks related to cybersecurity, data fragmentation, access control, and interoperability.

The NABH Digital Health Accreditation Programme[iii] addresses these challenges head-on by setting benchmarks that ensure:

• Secure digital infrastructure with audit trails;
• Encrypted communication protocols;
• Role-based access control to protect patient data;
• Patient-centric information systems that enable continuity of care;
• Defined protocols for when and how data can be accessed, shared, or destroyed.

These measures are no longer optional. Hospitals seeking accreditation, or aiming to enhance their public credibility and digital efficiency, must meet these baseline expectations.

The NABH didn’t stop at setting the bar—it also handed hospitals a roadmap in the form of a Digital Health Toolkit. Designed to guide institutions through the maze of digital transformation, the toolkit is structured into three phases:

1. Planning
2. Implementation
3. Post-Go-Live

Of these, the Planning Phase is perhaps the most crucial. It’s the stage where vision meets logistics, where doctors and developers sit at the same table, and where the first mistakes – or successes – are often made.

The Planning Phase

For a hospital setting out to digitize, the Planning Phase is where it lays down its first principles – what kind of care it wants to offer, how it wants to protect patient trust, and what digital tools can enable that vision.

Step 1: Taking Stock: Before buying new systems, hospitals must assess what they already have. This means checking whether existing infrastructure—servers, networks, power backups—can support a digital overhaul. It also means studying how doctors and nurse work. Can current workflows adapt to a digital interface? Do staff need training to move from paper to pixels?

Step 2: Measuring Readiness: The NABH toolkit offers detailed checklists: HIS/EMR Readiness Assessments, IT Infrastructure Evaluations—tools that help convert vague ambitions into measurable preparedness. It’s like a health check-up for the hospital itself.

Step 3: Forming a Digital Vanguard: Transformation cannot be top-down. The NABH insists on a Steering Committee that includes clinicians, IT heads, administrators, and department leaders. This cross-functional team becomes the nerve centre of the digital transition—resolving issues, setting priorities, and ensuring that no department is left behind.

Step 4: Talking to People: Change is hard, especially in a field as sensitive as healthcare. So, hospitals must engage early. Town halls, orientation workshops, and even informal discussions are essential. Doctors may worry about screen time reducing patient time; nurses may fear errors in data entry. These concerns must be addressed head-on.

Step 5: Setting Realistic Goals: A good digital plan isn’t about ambition—it’s about clarity. Targets must be SMART: “Digitize 100% of outpatient prescriptions by June,” or “Ensure 95% compliance in access audits by year-end.” These are goals teams can rally behind.

Step 6: Planning Every Detail: Budgets, timelines, risk maps—everything must be documented. What if a vendor delays delivery? What if patient data needs to be migrated from a legacy system? Contingency planning is part of responsible digitalization.

Step 7: Choosing the Right Partners: Not all vendors are equal. The right one understands NABH standards, complies with the DPDP Act, and can integrate with insurance platforms and diagnostic systems. Due diligence—through RFPs, demos, and pilot runs—is non-negotiable.

Step 8: Defining the Must-Haves: Hospitals must define what digital success looks like. Is it just digital records? Or does it also include inventory tracking, billing integration, decision support systems, and consent management? Every module must align with both operational goals and legal mandates.

Laying the Ground for the Future

Once this Planning Phase is complete, hospitals don’t just have a project—they have a roadmap. The next stages—Implementation and Post-Go-Live—will bring their own challenges: user resistance, bugs, data inconsistencies. But if the groundwork is solid, these are hurdles, not roadblocks.

More importantly, a well-planned digital journey ensures that hospitals are not just keeping up with the times—they are staying ahead of legal, ethical, and clinical expectations.

The digital future of Indian healthcare isn’t waiting for anyone. Regulatory bodies like NABH are pushing forward. Laws like the DPDP Act are tightening the guardrails. And patients—armed with information and options—are demanding accountability.

Hospitals that treat digitalization as a checklist item may find themselves in a compliance quagmire. But those that treat it as an opportunity to reimagine care—as a patient-first, privacy-respecting, tech-enabled mission—will find themselves not just accredited, but trusted.

The DPDP Act in Hospitals

The DPDP Act, 2023, is not just a regulatory framework – it’s a new ethic, demanding that every byte of patient data be treated with the same seriousness as a life-saving drug. And for hospitals, particularly those aspiring to or maintaining NABH accreditation, compliance is no longer aspirational – it’s existential.

Complementing the NABH’s voluntary accreditation drive is the DPDP Act, 2023, India’s first comprehensive personal data protection law. Its impact on healthcare is both direct and profound. Healthcare providers manage sensitive personal data (SPD) such as biometric records, genetic data, and health conditions, and thus fall squarely within the high-risk category of data fiduciaries under the Act.

Hospitals must now:

• Obtain valid consent from patients for data collection and usage;
• Ensure purpose limitation and data minimization;
• Implement robust safeguards against breaches;
• Appoint data protection officers in some cases;
• Be ready to report data breaches in prescribed timeframes.

Together, the NABH standards and DPDP compliance do not merely represent regulatory obligations—they establish a framework that strengthens public trust, ensures ethical handling of sensitive data, and fosters operational excellence.

Bridging Compliance and Care

The DPDP Act requires a complete rethinking of how healthcare providers handle data. Hospitals must no longer consider data storage and transmission as backend tasks, but as core clinical functions integrated into every aspect of patient interaction.

Consider the case of a mid-sized urban hospital implementing a centralised EHR system post-DPDP. The IT team is no longer a support unit but a frontline department, ensuring encryption standards are met, user access is tightly regulated, and that audit trails are verifiable. But technical capability alone is not enough. As the legal requirements evolve, so must the understanding of clinicians, administrators, and even visiting consultants.

Consent Management Becomes Clinical: One of the most striking requirements under the DPDP Act is the mandate for explicit and informed consent for the use of personal data. This seemingly simple clause carries complex implications in hospital settings. Every lab test requisition, telemedicine consultation, or data sharing with insurance companies now demands a traceable record of patient consent. Hospitals are developing digital consent forms embedded into registration software, capturing date-stamped biometric or OTP-based approvals that are stored along with medical records.

The process has transformed front-desk operations. A receptionist is now trained not only in patient onboarding but also in explaining data usage policies, managing opt-in/opt-out requests, and triggering escalation mechanisms in case a patient refuses consent for secondary uses like research or marketing. Each refusal must be respected, logged, and implemented through technical filters on data access.

The Right to Access and Correction: A New Challenge
Patients under the DPDP Act are not passive subjects of data collection. They are recognised as Data Principals, endowed with the right to access, correct, and even delete their personal data. For hospitals, this introduces both a philosophical and procedural shift.

Imagine a scenario where a patient identifies a wrong allergy notation in their EHR. Earlier, such corrections might involve informal requests, internal memos, or manual overwrites. Now, under the new law, the hospital is expected to offer a digital grievance redressal interface, allowing the patient to initiate a structured correction request, which must be resolved within a stipulated time. Moreover, the correction must be traceable, with records of the original data, the corrected entry, and the authority approving the change.

While this introduces transparency, it also raises complex legal and medical questions. What happens when a correction request challenges a clinician’s judgment—say, a psychiatric diagnosis or a surgical recommendation? Legal teams and medical ethics committees will now need to work in tandem to devise policies that balance patient rights with professional autonomy.

From Human Error to Systemic Assurance: With digitisation comes automation, but also a new form of accountability. The DPDP Act insists on purpose limitation, meaning data collected for one medical purpose cannot be reused arbitrarily for another. This calls for data tagging within EHR systems—ensuring that every field, whether diagnostic or administrative, is linked to its lawful purpose of collection.

Hospitals must also assign Data Protection Officers (DPOs) or internal compliance leads who oversee system-wide adherence, report data breaches, and serve as the nodal point of contact for regulatory authorities. These roles are rapidly gaining prominence, and are often filled by professionals with dual training in law and information systems.

Breach Notification and Legal Exposure: The spectre of financial penalties under the DPDP Act—up to ₹250 crore—looms large over administrative boards. But the consequences extend beyond fines. A single breach of sensitive health data can irreparably damage a hospital’s reputation, provoke class-action lawsuits, or trigger investigations under other laws like the Information Technology Act, 2000, or the Indian Penal Code (soon to be replaced by the Bharatiya Nyaya Sanhita).

Consequently, breach reporting protocols must be codified. Any unauthorised access—whether via phishing, internal misconduct, or technical failure—must be logged, internally investigated, and in some cases, reported to the Data Protection Board. Hospitals are now investing in real-time intrusion detection systems, digital forensics teams, and third-party audits to bolster preparedness.

Interoperability vs. Privacy: The Policy Dilemma

As India pushes for a unified health stack under Ayushman Bharat Digital Mission (ABDM), hospitals are under pressure to make their systems interoperable with national databases. While this aids portability of care and improves outcomes, it also raises privacy concerns, especially when health data is linked with Aadhaar or insurance databases.

DPDP compliance demands that interoperability must never dilute consent norms. Every data-sharing interface must be equipped with user verification protocols, purpose declarations, and logging systems. In high-stakes contexts like medical research or epidemiological surveillance, data anonymisation becomes a prerequisite.

Hospitals engaging in clinical trials or partnerships with research bodies must now implement Privacy Impact Assessments (PIAs) and sign Data Sharing Agreements (DSAs) that define the scope, retention period, and destruction protocols of shared data. These agreements are increasingly becoming a standard compliance tool—drafted by legal counsel and enforced via software integrations.

Admissibility, Evidence, and Institutional Defensibility

The digital trail is not merely a compliance tool – it is a legal defence mechanism. Under the Bharatiya Sakshya Adhiniyam (BSA), 2023, electronically generated or scanned documents are admissible in court, provided they are accompanied by certificates of authenticity under Section 63 of the BSA (Refer Modernising Evidence Law: The Bharatiya Sakshya Adhiniyam, 2023 (BSA) in the Digital Age by the Author[iv]).

For hospitals, this means every digital record must be system-generated, time-stamped, and digitally signed or authenticated via a hash function. Internal SOPs must mandate that medical entries be made in real-time and on designated devices. For medico-legal cases—like assault injuries, MTPs, or custodial deaths—any compromise in data integrity can nullify the evidence in court.

Hospitals that automate this process with robust metadata management, access logs, and tamper-evident backups are best positioned to defend themselves legally. In fact, some institutions are now employing legal tech tools to automatically generate Section 63 certificates on demand, reducing delays in litigation or insurance claims.

From Legal Compliance to Institutional Culture

Despite the technical and legal rigour, full compliance cannot be achieved without a cultural shift within hospitals. Doctors, nurses, lab technicians, and billing executives must be trained not only on how to operate software but also on why compliance matters. Training sessions now include modules on:

• Recognising and preventing social engineering attacks (e.g., impersonation or phishing)
• Managing data disclosure requests from police or third parties
• Understanding the difference between medical necessity and legal obligation
• Filing incident reports for suspected breaches

Patient education is equally vital. Hospitals are beginning to include data privacy brochures in welcome kits, offer digital consent dashboards on tablets during admission, and launch awareness campaigns in OPDs and waiting areas.

Digital Ethics and the Future of Healthcare Governance

India’s healthcare landscape is undergoing a quiet revolution and at the heart of this transformation lies the growing imperative to treat patient data not just as information – but as a legal, ethical, and operational cornerstone of healthcare delivery.

What was once considered a backend function- “medical recordkeeping” has now emerged as a frontline compliance priority. The DPDP Act, with its stringent requirements on consent, purpose limitation, data minimisation, and breach accountability, has elevated the way healthcare institutions handle digital personal data. Unlike earlier frameworks, the DPDP Act provides individuals with strong enforceable rights, while imposing steep penalties for lapses, thus placing patient autonomy and privacy at the centre of every digital interaction.

In parallel, NABH standards have moved from generic quality guidelines to a more nuanced digital mandate. Hospitals are now expected to deploy Electronic Health Record (EHR) systems that don’t merely capture data but do so with integrity, traceability, and security. This means time-stamped entries, audit trails, encryption, real-time access control, and documented consent workflows – elements once associated with advanced tech infrastructure, now becoming basic prerequisites for accreditation and compliance.

Together, the DPDP Act and NABH form a dual regulatory lens – one focused on patient rights and data protection, the other on institutional governance and digital standardisation. Their convergence is forcing hospitals to rethink digital workflows, not as isolated IT upgrades, but as part of a broader legal-ethical framework. More importantly, this shift is not merely technical—it is cultural. Hospitals are being compelled to instil a digital hygiene mindset across staff levels, from doctors to data-entry operators. Every click, every view, and every transmission of patient data must now be justifiable, auditable, and aligned with both clinical and legal norms.

The digital shift is also fostering greater interdepartmental collaboration. Legal teams, IT departments, and medical professionals must now work in tandem to ensure that data security protocols are not just documented but lived. Training, periodic audits, breach readiness, and clarity in roles have become essential operational practices. The law is no longer on the periphery of hospital functioning—it is embedded in how care is administered, how records are retrieved, and how patients are communicated with.

Ultimately, this transformation is more than a compliance story—it is one of trust. Patients entrust hospitals not just with their lives, but with the most intimate details of their existence. When hospitals secure that data responsibly—when they ensure access is lawful, disclosures are transparent, and systems are resilient—they do more than follow the law. They honour that trust.

In a digital era, where data is the new diagnostic tool and privacy the new patient right, NABH standards and the DPDP Act are not just shaping healthcare compliance – they are shaping the very future of ethical, accountable, and patient-centric healthcare in India.

---

[i] https://nabh.co/

[ii] https://nabh.co/hospitals/

[iii]https://www.nabh.co/Announcement/Draft%20NABH%20Digital%20Health%20Standards%201st%20Edition.pdf

[iv] https://www.naavi.org/wp/modernising-evidence-law-the-bharatiya-sakshya-adhiniyam-2023-bsa-in-the-digital-age/

EU is embarking on another expedition of a regulation about which a brief summary is being provided here.

This act is called “The Data Act on harmonized rules on fair access to and use of data”. It should be implemented from 12th September 2025.

This act has been also adopted as UK’s” Data (Use and Access) Act 2025″ in UK and received the royal assent on June 19, 2025

This law builds upon existing data protection laws but focuses on enabling responsible data sharing, promoting innovation, and enhancing public services. 

The objective of the regulation is to ensure that users of a connected product or related service can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.

It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances.

It also ensures that data holders make data available to data recipients under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

This Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair access to and use of data.

This Regulation also ensures that data holders make available to public sector bodies, where there is an exceptional need, the data that are necessary for the performance of a specific task carried out in the public interest.

In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services.

This Regulation should not be interpreted as recognising or conferring any new right on data holders to use data generated by the use of a connected product or related service.

Currently the GDPR like laws recognize “Personal Data” and impose restrictions on its sharing by Consent or legitimate interest etc. The “Data covered under this regulation” is what we have been recognizing as “Transactional Data” which belongs “Jointly” to the individual (User) and the organization (Data Fiduciary). Naavi has been insisting that such personal data does not exclusively belong to the data principal (data subject) and its disposal can be governed as a joint contract.

It appears that this new regulation may shed little more light on this concept and validate what we have adopted as “Jurisprudence”.

We can perhaps view this legislation as an extended rule on “Personal Data Disclosure”.

But as is customary, EU/UK have made it an elaborate law by itself with 49 articles in the EU version and 200 provisions in the UK version and it will be analysed ad nauseum in the days to come.

Penalties under EU version can reach up to €20 million ( £17.5 million for UK law) or 4% of a company’s total annual worldwide turnover, whichever is higher. 

Besides financial penalties, the Data Act also allows for non-monetary measures such as warnings, reprimands, temporary or permanent bans on data processing, and orders to rectify, restrict, or erase data. Enforcement is primarily at the national level within each EU member state, though data protection authorities (ICO for UK) retain jurisdiction for violations involving personal data.

If an organization outside the EU/UK provides goods or services to individuals within the EU/UK, they may need to comply with the EU Data Act. If deemed applicable, organizations should implement necessary measures to comply with the Act’s requirements, such as establishing procedures for data access requests, data portability, and data sharing.

The EU/UK Data Act may also have implications for international data transfers, requiring organizations to ensure compliance with the Act’s provisions when transferring data outside the EU. 

Watch out for more discussions on this.

Naavi

In the recently reported data breach penalty issue in South Korea, Ewha Women’s University server was hacked and more than 80000 data sets are reported to have been leaked.

According to the University, data was related to the students who had entered the school from 1982-2002 and included names, resident registration numbers, phone numbers, email, home address and school records.

The penalty imposed by the PIPC (Data Regulatory Authority of South Korea” was approximately $250000. The cost of the data compromise was therefore estimated at around $3 per data set.

The penalty was a deterrent for not securing the data and not the value of the data itself. However, we can presume that the penalty should have some reasonable relationship to the value of the asset compromised and the loss cumulatively suffered by the data owners.

Since data protection authorities are accepting “Reasonable Security” as a principle, the data controllers/fiduciaries also should expect that the fines are “Reasonable”.

I am not sure if 20-40 year old student data (University claims that the grading data was not compromised) was worth anything close to the value of the fine. But unfortunately there is no valuation guideline with which we can challenge the fine.

When Indian DPB considers any fine for non compliance of DPDPA, we will be debating in greater depth whether the penalty amount was “Reasonable”.

If we assume that a similar compromise of data had occurred in an Indian University, what would be the value of the data. It would be almost zero. Hence the penalty should be only nominal and should be not more than say Rs 1 per data set lost.

If industry does not move in to develop some norms for data valuation, they will have to face situations where the notional value of data compromised assumed by the DPB may be unrealistically high.

Naavi has been suggesting that every data fiduciary should have a valuation for its data assets and this is one of the requirements under DGPSI. If there was a documentation within the organization that the value of such student data depreciates year after year, there would be some base value to discuss with the regulators under the “Voluntary Undertaking” discussions.

Even the Insurance companies need such valuation guidelines to fix a premium or settle a claim.

I would like readers to check the Data Valuation Standard of India (DVSI) for preliminary concepts of personal data valuation.

In the instant case of an educational institution where students enrol themselves for a course of say 5 years, the data set related to the student may carry one basic value for the duration of the course during which the data gets enriched with the grading, performance, extra curricular achievements etc and finally the certificate of graduation. The value therefore keeps on appreciating through the years until around 2-3 years after graduation after which it should start depreciating. By 20 years the value should be very low and by 40 years assuming that even the working life of the student ends, the value is almost worthless.

The institution can store the data in two sets one containing the demographic data filed at the time of admission (Which is the data compromised in the Ewah case) and the second which represents the data added during the course by the institution (on which it may have some rights of creation). The demographic data does not appreciate and only depreciates right from the first year since the address, email, phone number may all change over a period of time. The grading data may be considered more valuable and also sensitive and it adds year after year until the final graduation certificate and there after it stagnates for some time and start depreciating later.

Hence the personal data valuation system applicable in such cases is complicated but is not beyond our capability of computation.

I urge the industry and the community to start thinking in this direction.

Naavi

Two Universities in South Korea have been fined for Personal Data Breaches with penalties amounting to $459000 (Jeobunk National university) and $253 million (Ewha University) following personal data breach .

On July 28, 2024, the personal information of over 320,000 students and graduates of Jeonbuk National University was leaked. The university said that the names, phone numbers, email addresses and other details of students and graduates had been exposed in the breach. The cause was traced to lack of adequate information security measures including not implementing appropriate data retention measures based on existence of legal basis for processing.

In a similar case, the personal information of over 83,000 students and graduates of Ewha Womans University, also including RRNs, was leaked on Sept. 3, 2024.

On top of imposing monetary penalties, the data protection authority of South Korea ordered the two universities to make their violations public by making official announcements on their websites, inspect their information security systems and establish round-the-clock monitoring systems.

Last year the South Korean agency had also imposed fines on Kyungsung University (KRW 42.8 million) and Soonchunhyang University (KRW 193 million) highlighting the vulnerabilities of such organizations.

The news papers report that the commission also advised additional penalties to the personnel in charge.

These incidents highlight the risks that Indian educational institutions in India also run. Most of these institutions hold enormous data not adequately secured. Not many of them have thought of any implementation of DPDPA.

It is time for such organizations to wake up…and be ready for DPDPA.

Naavi

Organizations in India are debating on what are the credentials of a DPO who is emerging as one of the senior most executives in an organization reporting directly to the Board. Many companies would like to have a trusted person within the organization to be elevated to this coveted post.

Often such discussions lead to CISOs and CTOs being considered for filling up the post.

It is however time to discuss if the CHRO is also a person who should be considered for elevation as DPO. Every company small or big has HR functions and every such company needs to be considered as a “Data Fiduciary”. The CHRO is therefore almost always required to manage DPDPA compliance for employees whether there is a designated DPO or not in the company. Hence a CHRO can implement DPDPA for employees and gradually emerge as the DPO material himself/herself. If a legal person without technical knowledge or a Technical person without legal knowledge can become a DPO, it is necessary to ask why a HR specialist cannot become a DPO.

Let us discuss this in today’s interaction at greyt HR community.

Naavi

India has been trying to get the “Privacy Protection Act” since around 2006 when the Personal Data Protection Bill 2006 (See here) was first presented in the Parliament along with the Information Technology Amendment Bill 2008 which later became a law. The initial demand was entirely from the industry which sought such a law since EU was indicating that they would not transfer data related business to India unless there is a corresponding data protection law here.

The Government yielded to the pressure from the industry and introduced the bill in 2006 which however could not be converted into law. Then again it was in 2017-2018 that the first PDPB 2018 saw the light of the day following Justice Srikrishna’s efforts. Since then we saw a two more versions PDPB 2019 and DPA 2021 before the current DPDB 2022 was born as a bill and later converted into an act on August 11, 2023. The blame has always been placed on the Government though it is part of the industry which is also consistently opposing the Bill for one reason or the other.

Ultimately Mr Rajeev Chandrashekar pushed through the current version by simplifying the law and trying to make a law which was acceptable to all parts of the society including the Big Tech and the Government.

However the Privacy activists continue to oppose the current law either because it is being moved by the Modi Government or because they want only a law to beat the Government with litigations every day.

The latest version of this opposition is now seen in the move to oppose DPDPA 2023 on the ground that it dilutes the RTI act. This has resulted in the Government delaying the notification of the rules and seeking further clarification from the AG.

In our view the opposition is not necessarily valid for the following reasons.

By its inherent nature, a law for protecting Privacy is in contradiction with the law of freedom of speech or national security. Privacy cannot have a free hand if it violates the national security interests or even the rights of another person to maintain his dignity. Hence we can always find contradictions in the Privacy law with any effort to balance it with the “Right to Freedom of Speech” or “Right to Security”.

The Constitution itself has recognized that Right to Privacy even as a Fundamental Right has several reasonable exceptions provided in the Article 19(2) of the Constitution. This article includes national security (interests of the sovereignty and integrity of India, the security of the State, friendly relations with Foreign States,) as well as other issues such as “public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence”.

DPDPA, under Section 17(2)(a) has used the Article 19(2) to provide exemptions to the Government and notified instrumentalities of State in respect of only the national security and maintenance of public order or preventing incitement to any cognizable offence relating to any of these. It may be noted that the DPDPA does not claim exemption in respect of “Contempt of Court”, “Defamation” and restricts the “Incitement to an offence” to only those which relate to the national security and maintenance of public order.

In other words, the Government has been circumspect in using the Article 19(2) exceptions and not provided all the benefits which our constitution had provided to exempt the Government from the requirements of the DPDPA obligations.

The exemption available for “Prevention, detection, investigation or prosecution” is restricted to “Chapter II other than Sections 8(1) and 8(5), Chapter III and Section 16. Here again an attempt is made to use less of privilege than what the constitution had provided.

Now coming to the controversial amendment to the RTI act, it is proposed as follows.

Current provision under Section 8(1)(j) states

“(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:”

The amended section now reads: ”   “(j) information which relates to personal information;”

However the persons opposing the amendment are forgetting that if there is any public interest involved in the information which is being refused to be provided under the amended provision, it can be covered under Section 8(2) of the RTI act which states

“(2) Notwithstanding anything in the Official Secrets Act, 1923 (19 of 1923) nor any of the exemptions permissible in accordance with sub-section (1), a public authority may allow access to information, if public interest in disclosure outweighs the harm to the protected interests.”

Though this provision says “May” instead of “Shall” it is still available for the activists to prove the existence of public interest and claim the information under section 8(2) instead of 8(1)(j).

Hence the hue and cry raised by all the activists has only a marginal justification. Hence there is no need for any Court to intervene and impede the notification of the Act.

Further, the Draft Rules 2025 is currently silent on notification of Section 44 and hence has no bearing on the controversy. As has been already pointed out by us, there is a need to notify at least Section 44(1) and Section 44(2) giving effect to the amendment to the Telecom Act and ITA 2000 even if notification of Section 44(3) is further deferred.

It is our sincere desire that the Government proceeds with the release of the Draft rules with the additional notification of Sections 44(1) and Section 44(2) and wait for the AG’s clarification on Section 44(3). This would enable the industry to go ahead with the implementation since the RTI issue does not affect the private sector.

Naavi