The purpose of DISHA is to provide for privacy, confidentiality, security, and standardisation in respect of electronic health data. It also envisages the establishment of National and State-level Digital Health Authorities, as well as Health Information Exchanges.
Harsh Walia and Shobhit Chandra
The Ministry of Health and Family Welfare (MoHFW) recently released a draft of the Digital Information Security in Healthcare Act (DISHA) for public consultation. Beyond the privacy, confidentiality, security and standardisation objectives set out above, the draft would create National and State-level Digital Health Authorities and Health Information Exchanges as the institutions responsible for administering electronic health data.
Why now?
The timing of the release of this draft raises numerous questions, as discussions on a comprehensive data protection framework for India are already at an advanced stage. An expert committee headed by Justice (Retd.) B.N. Srikrishna (Expert Committee) released a white paper last year setting out its preliminary views on data protection principles such as purpose limitation, data minimisation, storage limitation and accuracy of data, and on the shape in which they should be incorporated in the forthcoming law. DISHA echoes the same principles. Since overlap with an encompassing data protection legislation is inevitable, the DISHA draft may prove to be premature.
Influence of EUGDPR
DISHA appears to be heavily inspired by the European Union's General Data Protection Regulation (EUGDPR), which is widely regarded as one of the most comprehensive data protection legislations globally. Corporations the world over are now making the final dash to meet its compliance requirements before EUGDPR takes effect on 25 May 2018. Despite the years of deliberation that culminated in the enactment of EUGDPR and the two-year window granted before it takes effect, industry is still questioning several of the obligations it imposes. DISHA, by contrast, provides for no transition period in its current form to enable organisations to prepare for it. In other words, organisations will most likely be non-compliant from the very instant DISHA takes effect.
Some stringent provisions of EUGDPR apply only to organisations of a particular size. For instance, the obligation to maintain records of processing activities does not apply to enterprises and organisations with fewer than 250 employees (although that exemption falls away where the processing involves special categories of data, such as health data). By contrast, the wide definitions of 'clinical establishment' and 'entities' under DISHA make all of its provisions applicable to all clinical establishments (including nursing homes, clinics and dispensaries owned, controlled and managed by a single doctor) and all 'entities', regardless of size. Some of the compliance requirements under DISHA will require individuals and smaller organisations to expend extraordinary resources to meet them. An indiscriminate, universal application of DISHA may also lead to it being rendered infructuous in the longer run.
Under EUGDPR, a data controller is required to notify the supervisory authority (and not the data subject) of a personal data breach, and must do so within 72 hours of becoming aware of it where feasible. The obligation to notify the data subject arises only where the breach is likely to result in a high risk to the rights and freedoms of that individual, and even then EUGDPR prescribes no fixed time frame, requiring only that the notification be made without undue delay. In contrast, under DISHA a clinical establishment must notify the owner of the digital health data (DHD) immediately (and in any case not later than 3 days) in the event of any security breach. This is not only expected to result in a flurry of non-compliances, but also appears to be commercially infeasible.
Another important distinction is that under EUGDPR, organisations that implement pseudonymisation techniques enjoy various benefits, and data that has been truly anonymised falls outside the regulation altogether. DISHA, in an unprecedented step, imposes a blanket prohibition on the use of even anonymised data for commercial purposes. Big Data analytics has shown that anonymised data sets form a reservoir for development and innovation, and a blanket restriction appears unreasonable in the present-day scenario.
Extra-territorial application?
In addition to clinical establishments and health information exchanges, DISHA imposes various obligations on other 'entities'. Interestingly, the term 'entities' is defined to include, among others, body corporates incorporated under the laws of any country outside India. Consequently, DISHA is expected to have extra-territorial application, making entities incorporated outside India liable to comply with it depending on their role in a particular transaction.
Compulsion to provide health service
Another facet of DISHA is that a clinical establishment's right to refuse provision of health services has been ousted, even where the patient does not consent to the generation, collection, storage, transmission and disclosure of their DHD. This is a departure from the prevailing rules framed under the Information Technology Act, 2000, which give a body corporate the option not to provide services when consent for processing sensitive personal data has been refused or withdrawn by the data subject. The liability of a clinical establishment that administers health care in the absence of critical health information will also need to be considered.
What next
Undeniably, the efforts of MoHFW in drawing up a comprehensive draft legislation are commendable. However, for the reasons set out above, the draft fails to take into account prevailing issues, industry trends and practical difficulties that may impede its successful implementation. The consultative process initiated by MoHFW has given industry an opportunity to voice its concerns, which, if considered, may result in legislation that is both pragmatic and stringent.
(Harsh Walia is an Associate Partner and Shobhit Chandra is a Senior Associate at Khaitan & Co. Views are personal.)