Consequences of Health Data Breach under DISHA 2018

DISHA 2018 is the proposed law for India applicable to the Privacy and Data Protection related to the Health Care sector in India. At a time there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendation on the General Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in a draft form for public comments. The Act is likely to be named as “Digital Information Security in Health care Act 2018”. Public comments are expected to be provided before April 21, 2018 to be sent to egov-mohfw@nic.in .

In order to enable stake holders to form their views and forward to the ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.

…..Naavi

This is the continuation of the earlier article on this subject


The importance of any legislation is often measured in terms of the penal consequences that would follow if the law is not complied with.  The same logic applies to DISHA 2018 also and hence we need to take a quick look at Chapter V of the proposed legislation that deals with Offences and Penalties.

For the purpose of defining the consequences of non compliance of DISHA 2018, the proposed law defines “Breach of Digital Health Data” along with a term “Serious Breach of Digital health Data”.

As per section 37, Digital Health Data is said to be breached when

a) Any person generates, collects, stores, transmits or discloses digital health information in contravention of the provisions of the Act or

b) Any person who does anything in contravention of the exclusive right conferred upon the owner of the digital health data or

c) Digital health data collected, stored or transmitted by any person is not secured as per the standards prescribed by the Act or any rules thereunder or

d) Any person damages, destroys, deletes, affects injuriously by any means or tampers with any digital health data.

A person who is responsible for such breach shall be liable to pay damages by way of compensation. This is treated as a civil wrong.

A “Serious Beach of Digital health Data” on the other hand is defined  as follows:

(1) A serious digital health data breach shall be said to have taken place, if:

(a) A person commits a breach of digital health data intentionally, dishonestly, fraudulently or negligently; or
(b) Any breach of digital health data occurs, which relates to information which is not anonymised or de-identified; or
(c) A breach of digital heath data occurs where a person failed to secure the data as per the standards prescribed by the Act or any rules thereunder; or
(d) Any person uses the digital health data for commercial purposes or commercial gain; or
(e) An entity, clinical establishment or health information exchange commits breach of digital health data repeatedly;

Explanation: The terms “dishonestly” and “fraudulently” shall have the same meaning as assigned to them under the Indian Penal Code, 1860

(2) Any person who commits a serious breach of health care data shall be punished with imprisonment, which shall extend from three years and up to five years; or fine, which shall not be less than five lakh of rupees.

Provided that, any fine imposed as part of sub-section (2) may be provided to the individual whose data is breached, by the Court, as it deems fit as compensation.

This section is meant to be a section to define offences which may be punished with Imprisonment and Fine and hence should be recognized as a “Criminal Offence”.

The imprisonment under this section is declared as it shall be for a minimum of 3 years and extend upto 5 years and fine is stated as “Shall not be less than Five lakh of rupees”.

The above section  perhaps requires to be better constructed to avoid ambiguities.

Firstly it tries to combine the Criminal penalty with Civil compensation by  providing that the Court may provide compensation by collecting it as a fine. This makes Section 37 redundant since the definition of “Serious Breach of Digital Data” under Section 38 differs from Section 37 only with the addition of “Intention” and “Dishonesty” etc.

Also since the separator “Or” has been used to separate sub sections 1(a) to 1 (e), it appears that “Any Breach of identifiable digital health data” would come under Section 38 with or without dishonesty or malicious intention.

Further 37 (1) (a) has included the term “Negligently” along with “Intentionally”, “Dishonestly” and “Fraudulently”.  This has mixed up criminal intention with “negligence” and “Negligence without Criminal Intention” can be a grey area under this section.

Under (1) (c), breach of data for failure to secure it has also been defined as a serious breach inviting imprisonment and fine. Considering that the punishment can be for a minimum imprisonment of 3 years and fine of Rs 5 lakhs, and “Security” being as ambiguous as it can be, it is difficult to accept the section as it is now drafted as a fair drafting.

The other two actions that can invoke punishment under this section is “Use of digital health data for marketing” and “Repeated breach by a clinical establishment”.

These offences also need to be qualified properly.

Overall, Section 38 is not properly drafted and has to segregate the “Motive”, “Action”, “Consequence” of an action that is defined as an offence before indicating the punitive measures.

Section 39 is again an extension of Section 38 offences to the domain of civil compensation and overlaps both with Sections 37 and 38.

Section 40 of the proposed Act prescribes fines for administrative delay for furnishing of information or document or boos, returns or reports that may be specified. The fine may extend to Rs 1 crore.

Section 41 states that

“Whoever, fraudulently or dishonestly, obtains the digital health information of another person, which he is not entitled to obtain under the Act from a person or entity storing such information shall be punished with imprisonment for a term which shall extend up to one year or fine, which shall be not less than one lakh rupees; or both.”

This addresses the cases of “Digital Impersonation” for which ITA 2000/8 already prescribes 3 years imprisonment.

Additionally, under Section 42, “Data Theft” has been defined as an offence that can result in imprisonment for 3 to 5 years. The section states as under.

“Whoever intentionally and without authorization acquires or accesses any digital health data shall be punished with imprisonment for a term, which shall extend from three years up to five years or fine, which shall be not less than five lakh rupees; or both.”

Section 43 speaks of “Cognizability” and again is ambiguously drafted.

It says that ” No Court shall take cognizance of any offence punishable under this Act or any rules or regulations made thereunder, save on complaint made by the Central Government, State Government, the National Electronic Health Authority of India, State Electronic Health Authority,” but adds “Or a person affected”.

This means that on the basis of a complaint made by the person affected, cognizance can be taken irrespective of the term of imprisonment etc.

This may not be acceptable to the Criminal judicial system.

Section 44 extends the offences which can be attributed to the Company to its executives as under Section 85 of ITA 2000/8.

Overall, it appears that the offensive sections are loosely drafted and need to be tightened substantially before becoming the law.

Perhaps when the draft goes to the Law Ministry, it has to be revised thoroughly.

(To Be continued)

Naavi

Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.