Comments on Draft Digital Information Security in Healthcare Act (DISHA)
Undoubtedly, India is one country which is in the dire need for a data protection framework. With the Committee of Experts chaired by Justice BN Srikrishna publishing the White Paper on Data Protection Framework for India (herein referred as the White Paper) in December 2017, the wheels have been indeed set in motion. And with the introduction of the draft bill of DISHA, we are surely headed in the right direction.
On March 21, 2018, e-Health Section of Ministry of Health & Family Welfare, Government of India published a draft bill on Digital Information Security in Healthcare Act and has invited the general public as well as the stakeholders to send their comments by April 21, 2018. We have summarized our comments in the bullet-points given below. (Later on, we will also be publishing a white paper discussing DISHA in detail).
- Related to the notion of identifiability, the White Paper has discussed pseudonymisation and anonymisation in Chapter 3 of Part II. DISHA, on the other hand, discusses anonymisation and de-dentification under sub-section (a) and (d) of Section 3 respectively. Considering that the concepts of pseudonymisation and de-identification are same, the definition of pseudonymisation can be included in Section 3(d) in place of de-identification to bring the coherency with the proposed data protection framework.
- In Chapter 1 of Part III of the White Paper, failure of consent has been discussed. Although DISHA has included the concept of proxy consent, there is no specific provision dealing with the failure to secure consent.
- As defined in Section(1)(j) of DISHA, the definition of an owner includes an individual whose data has been generated and processed under this act. To bring this definition at par with EU-GDPR and the White Paper, the scope of definition can be expanded by using the words stored and transmitted or as may be deemed fit. As per our observation, the existing proposition is not sufficient.
- As defined in Section 3(1)(m) of DISHA, the definition of a relative gives priority to an owner’s siblings or owner’s spouse’s siblings before the owner’s children. An additional sub-clause can be added after/before Section 3(1)(m)(ii): Parents of the owner so that the children of an owner get a higher priority.
- The scope of the definition of data security given under Section 3(1)(n) of DISHA can be further extended by adding following words after “information in confidence” – “along with preventing unauthorized access, use, disclosure, disruption, modification, or destruction.”
- Article 13 of EU-GDPR prescribes the information to be provided when personal data of an individual is collected. Same has been given under Section 30(2) of DISHA as it lays down the procedure for collecting the digital health data of an owner. However, Article 13 makes it mandatory to provide the information about the supervisory authority and the period for which the personal data of a data subject will be stored. One the similar lines, two sub-clauses under Section 30(2) can be added for providing information about the concerned State eHealth Authority (SeHA) and the period for which the digital health data of an owner will be stored.
- An additional duty can be prescribed for the clinical establishments collecting the digital health data of minors. It shall be the duty of clinical establishments to verify that the consent of a minor has been lawfully provided by his guardian.
- Section 38(3) classifies repeated data breaches by a clinical establishment or a health information exchange as a serious breach. However, there is no provision under either Section 37 or Section 38 dealing with a single incident of a data breach by a clinical establishment or a health information exchange. As per our suggestion, Section 37 should penalise entities and other healthcare establishments as in Section 38 for an incident of a normal breach as well.
- Section 41 of DISHA only talks about the situation when one obtains the digital health data of an owner when he is not authorized to under the provisions of DISHA. In addition, the act of sharing information with a person or a party not authorized under the provisions of DISHA should also be criminalized. Although it might be a logical deduction, it would make more legal sense to explicitly mention the aforesaid.