“Informed Consent” is the backbone of most Data Protection laws including the Indian Personal Data Protection Act (proposed). The NDHM’s Health Management Policy adopts all the provisions of the PDPB 2019.
Consent is a mandatory requirement under the policy and it should meet the standards of a “Free Consent” under Section 14 of the Indian Contract Act, should involve “Informed choice” etc as envisaged in PDPB 2019 (Section 11).
The purposes to which a consent can be obtained under this policy is restricted to the requirements of the NHA (National Health Authority similar to the DPA of PDPA) which means that the consent can be used only for purposes consistent with the NDHM.
Once this policy comes into force, fresh consents have to be obtained. This means that the legacy health data for which consent may be available or not becomes a data collected under a “Defective” or “Expired Consent”.
When subsequent processing is required and the data has to be passed onto another processor (Health Information Users and Providers), a “Consent artifact” has to be generated and shared by the “Consent Manager”.
In obtaining the consent from a minor (less than 18 years of age), the policy indicates that a “Valid Proof of relationship” must be obtained along with the identity of the parent or guardian for processing of sensitive personal data.
The “Valid Proof of relationship” could be a point of difficulty and needs to be debated further.
It is expected that the NDHE framework will take note of “Nomination” like an “Authorized representative” who takes care of the consent in the event the data principal is seriously ill or mentally incapacitated.
This point is a problem in all health related laws since this provision is in conflict with the earlier provision that “Consent has to be as per Section 14 of Indian Contract Act”. As per the Indian Contract Act, a person who loses the mental capacity to take decision is no longer able to withdraw the earlier authorization given to an agent and hence the contract of agency is deemed as terminated in such a situation. HIPAA resolves this dilemma by bringing in the view of the medical practitioner whose certificate would be a vital document that determines what decision can be taken in respect of the patient.
It is better if we also adopt this provision in the policy.
The Rights of the data principal recognized by the policy is similar to the PDPB 2019 and includes right to confirmation, right to access, right to receive a notice, right to correction and limited right to erasure. and data portability.
The provisions recognize the need for retention of data as per law and use of restriction of access and disclosure instead of deletion if the situation so warrants and expects a Data Retention and Archival policy to be adopted for the purpose.
Another point of difficulty is the policy that a person may restrict consent to disclose the information to his legal heirs after his death which would not be possible in electronic form of consent. This would be ultravires the ITA 2000 since any instruction applicable after the death of a person can be considered as a statement of Will which has no recognition in electronic form.
All Articles in the series: