DISHA 2018 is the proposed law for India applicable to the Privacy and Data Protection related to the Health Care sector in India. At a time there is discussion on GDPR all around the industry and anticipation of the Justice Srikrishna Committee’s recommendation on the General Data Protection Act for India, DISHA 2018 has been proposed by the Health Ministry in a draft form for public comments. The Act is likely to be named as “Digital Information Security in Health care Act 2018”. Public comments are expected to be provided before April 21, 2018 to be sent to firstname.lastname@example.org .
In order to enable stake holders to form their views and forward to the ministry, Naavi is providing here his own views. I suppose this would be helpful in triggering thoughts in others to send their own comments.
DISHA 2018 has been structured into the following 7 Chapters:
II: National Electronic Health Authority
III: Powers and Functions of the National and State Authorities
IV: Data Ownership, Security and Standardization
V: Digital Health Data Breach and Consequences
VI: Adjudicating Authority
VII: Miscellaneous Provisions
Schedule I: Personally Identifiable Information
Let’s start with the Preliminary Chapter that states that this law extends to the whole of India except the State of Jammu and Kashmir.
Since ITA 2000/8 is a law that also applies to J&K and it has provisions that state that Health Information is sensitive personal information and it has to be protected in a certain manner, that provision will continue to apply to J&K. In other areas there could be some overlap of regulations between ITA 2000/8 and this law when it becomes effective.
The definition section is Section 3 and it requires a detailed discussion. Before we get into the definitions under Section 3, we can first have a look at the Schedule I which lists certain parameters as “Personally Identifiable Information”. (PII)
The listed parameters that would be considered as PII are
- Date of Birth
- Telephone Number
- Email Address
- Financial Information such as Bank account or credit card or debit card or other payment instrument details
- Physical, Physiological and Mental Health Condition
- Sexual Oritentation
- Medical Records and Histrory
- Biometric Information
- Vehicle Number
- Any Government number including Aadhaar, Voter’s Identity, Permanent Account Number (PAN), passport, Ration Card, Below Poverty Line (BPL) card
Compared to the HIPAA identifiers, there appears to be an omission of E Mail Address, IP Address, IMEI Number, SIM number (unless telephone number can be interpreted also as mobile number). Also Age is not included and Address as a whole is included and there is no exemption for address at higher level as in HIPAA.
There is an additional definition under Section 3(o) which defines “Sensitive Health Related Information” namely,
(o) ‘Sensitive health-related information’ means information,
that if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, violence, discrimination or unfairness to an individual,
including but not limited to, one’s physical or mental health condition, sexual orientation, use of narcotic or psychotropic substances, consumption of alcohol, sexual practices, Human Immunodeficiency Virus status, Sexually Transmitted Infections treatment, and abortion.
This appears to be a departure from the other legislations where “Personal Information” is defined in general terms and some types of Personal Information are defined as Sensitive Personal Information (SPI). This approach has been used in ITA 2000/8 as well as in GDPR.
It is interesting to note that DISHA 2008 has defined “Sensitive” nature of PI in the context in which the breach could cause “Substantial” harm.
The interpretation of the word “Substantial” would be subject to debate as it happened when the Supreme Court discussed Section 66A of ITA 2008 and interpreted that the term “Grossly Offensive” was vague. But this judgement was prompted by other considerations and should be considered as an aberration.
On the other hand, “Personally Identifiable Information” as per Section 3(k) means any information that can be used to uniquely identify, contact or locate an individual, or can be used with other sources to uniquely identify a person, and includes the information stated in Schedule I.
Hence the suggestion that “Data” is Data under all circumstances and it becomes “Sensitive” in certain circumstances is welcome.
The Act defines a “Clinical Establishment” as well as the term “Entity”. Both the definitions include all types of or organizations including individuals, Trusts, private and public establishments, Hospitals, diagnostic centers, pathological laboratories, radiology laboratories etc. Only the establishments owned by armed forces are exempted from this definition.
As a result of this approach, the scope of this proposed Act will have a very wide impact in the Health Care industry.
……To Be Continued