The basic objective of the Digital Personal Data Protection Act (DPDPA) is to give individuals a right to protect their privacy through the regulated management of personal data while it is processed by third parties. How we arrived at that objective is itself a story of how our understanding of data has evolved — and that evolution is the key to seeing why hospitals are different.
In the first generation, personal data was understood technically: a set of binary data which the perceiver is able to read as information belonging to an identifiable individual. The concern of that era was the preservation of Confidentiality, Integrity and Availability — the familiar CIA triad of information security. Data was qualified as “sensitive” only when its loss could harm the individual, and protection meant securing the bits.
The second generation reframed data as money. As organizations searched for monetization strategies, digital marketing companies built their business on profiling data principals and linking that profile to advertising. Data became an asset to be valued and traded. It was at this stage that privacy protection surfaced as a public concern, and laws such as the DPDPA emerged to address it.
Because “privacy” is notoriously difficult to define, the DPDPA wisely declined to define it. Instead it prescribed certain measurable obligations on the processing of personal data and enforced them through a stringent penalty system. These are the obligations of the Data Fiduciary — the organization that, by determining the purpose and means of processing, is recognized as a trustee and is expected to take micro-level decisions in that fiduciary character. The Fiduciary’s journey therefore begins with a Notice that explains the purpose of collection and how the data will be used, followed by the capture of the data principal’s Consent.
The DGPSI frameworks recognized this changing perception and introduced Data Valuation as a key parameter in their compliance strategies. And it is precisely the question of valuation that brings us to the third generation — and to hospitals.
In a hospital, the personal data of a patient is not simply personal data that has a value to be monetized. It is representative of life itself. Any misuse or breach does not end in financial loss; it could endanger the life of the patient. Hence the axiom “Data is Money” is not valid for the healthcare sector. Here we need to treat Data as Life.
Note that valuation does not disappear in this third generation — it changes its denomination. The value of patient data is no longer measured in rupees of monetization but in the severity of harm to life. DGPSI’s Data Valuation parameter therefore remains central to healthcare compliance; only the currency changes.
This matters all the more because the DPDPA deliberately abandoned the category of “sensitive personal data” that earlier Indian rules had recognized. The statute applies a single, uniform standard to all personal data and refuses to place health data on a special pedestal. If the law will not elevate health data, then governance must. The responsibility of restoring the special status of patient data falls on the compliance framework, not on the statute.
This is the reasoning behind a deliberate DGPSI decision. The DPDPA grades the “significance” of a Data Fiduciary largely by scale — the volume and sensitivity of data and the breadth of risk to data principals — and leaves the designation of a Significant Data Fiduciary to government notification. But harm to life cannot be graded by scale. One life lost is not less significant than many lives lost. A small nursing home that endangers a single patient through a data breach has caused a harm no less grave than a large hospital chain. The volume-based test of significance, sensible for commercial data, is the wrong yardstick for life.
DGPSI therefore treats every hospital as a Significant Data Fiduciary — regardless of its size, the number of patients it serves, or whether the government has notified it as such. Under DGPSI, the threshold question “Am I a Significant Data Fiduciary?” has only one answer for a hospital: yes.
That elevation has a direct governance consequence. For an ordinary company, one can argue for a lean compliance team. The DPDPA makes a Data Protection Officer (DPO) a mandatory statutory function only for a Significant Data Fiduciary, while leaving the Chief Information Security Officer (CISO) as a best-practice function. On that footing, a general company could make the DPO responsible for DPDPA compliance and let the CISO continue focusing on what he is presently doing.
A hospital cannot be governed so simply. Once every hospital is treated as a Significant Data Fiduciary, the DPO becomes a full, mandatory function in each one. But the DPO cannot be placed on the pedestal of data protection responsibilities alone, because a hospital has a third officer whose role cannot be subordinated — the Patient Safety Officer (PSO).
The PSO’s functions are quasi-legal. They often protect the hospital and its doctors from liabilities arising out of unfortunate adverse events. This authority cannot be allowed to be pushed down by the DPO. One may debate whether the CISO can still be pushed down and the compliance left to the DPO and the PSO together. After giving weight to these sensitivities of governance, DGPSI has decided to retain a triumvirate — the DPO, the CISO and the PSO — as the compliance team in a hospital.
The wisdom of insisting on all three becomes obvious the moment a breach occurs. A single data breach in a hospital can trigger two clocks at once: the CISO must report the cyber incident to CERT-In within six hours, while the DPO must notify the Data Protection Board and the affected patients within seventy-two hours under the DPDP Rules. (The moment the data breach report is triggered, the Patient Safety event is also triggered.) Two timelines, two regulators and two reporting formats have to be coordinated under pressure — which is exactly the coordination the triumvirate exists to provide. Leave one officer out, and the clock keeps running while the others stitch the response together.
The DGPSI-Hospital governance structure therefore retains an apex DPDPA governance body — which includes other stakeholders such as the CFO and the CMO, and is led by an Independent Director — with the triumvirate functioning as its sub-committee. Accountability to the regulator rests with the fiduciary through this apex body; the triumvirate is the coordinating engine beneath it, not a diffusion of responsibility. Externally, each of the three members maintains a distinct line of exposure: the DPO to the Data Protection Board (DPB), the CISO to CERT-In, and the PSO to the NABH accreditation authorities.
As regards the PSO’s remaining obligations, the call is for cooperation rather than competition. The PSO has to coordinate with the CISO and the CIO to establish a compliance architecture for NABH accreditation, without interfering with the DPO’s requirements under the DPDPA.
These distinctions grow sharper as hospitals adopt artificial intelligence. AI-assisted diagnosis, clinical decision support and the profiling of patient data fold the safety question and the data-protection question into a single question: an erroneous or biased model can endanger life exactly as a breach can. Governing such systems needs the safety lens of the PSO, the security lens of the CISO and the data-protection lens of the DPO acting together.
These changes need to be reflected in DGPSI-Hospital as an improvement to the framework — DGPSI-FULL with AI.
Naavi