Healthcare Data Protection in India

India’s healthcare market is constantly changing. Its growth looks impressive, as it is expected to bring the latest medical technologies, the recruitment of more employees, and a better level of treatment for us. But it also brings more uncertainty, because it puts direct pressure on the healthcare IT sector to prevent any disclosure of patients’ critical information. The more data that is processed online, the higher the risk of hacking and data theft.[1] That is why the healthcare sector needs to take on greater responsibility. Though India has been working on the healthcare data privacy and security bill for the last two years, the bill hasn’t come into force yet.

As per section 2(21) of the Personal Health Data Protection Bill, 2019, the term “health data” is defined as the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associating the data principal to the provision of specific health services.[2] The proposed legislation thus covers the entire life cycle of a person’s health information. The modern healthcare set-up has reached a stage where patients now prefer continuity of care, and their expectations about the preservation of health data and records range from the womb to the tomb.

Considering the present case of COVID-19, the WHO has declared coronavirus a pandemic. Currently, the only possible measure to combat the virus is social distancing. In this context, as a precautionary measure, the use of surveillance mechanisms to keep records of infected individuals and latent patients present in the neighborhood seems to be an effective approach. To transmit such data, various web and mobile applications have been promoted that detect the disease in a person’s surroundings and also provide alerts as a prudent measure.[3] In India, one such application named ‘Aarogya Setu’ has been introduced for detecting the virus, but some cyber security specialists raised issues concerning the privacy of COVID-19 patients and the clarity of the internal working of the app.

Present Legislation for Data Protection in India

The Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which were passed under section 43A of the IT Act, are the prevailing legislation dealing with electronic data protection. They provide that where a corporate body is entrusted with the personal data of an individual, it should operate proper systems for managing and supervising that data; if it fails to secure the data and is negligent in handling it, and this causes any wrongful gain or loss, it will be liable to pay damages to the individual whose data is abused. Since the IT Act was not enacted particularly for the purpose of health data protection, it does not cover the problem in the way required: it essentially deals with corporate bodies and neglects other entities. Therefore other enactments are required for the same.

As mentioned above, there has consistently been a requirement for better security and safety of patients’ digital health data in India. However, it is very challenging to maintain a single digital data store for each person that is reliable, up to date and protected, given India’s huge population. In spite of these difficulties, the government of India proposed creating a digital health technology ecosystem involving large-scale collection, organization and sharing of health data in the National Health Policy 2017.[4] The initial step towards this ecosystem was taken in 2012, when the government made it mandatory for clinics to maintain electronic health records of their patients under the Clinical Establishments Rules.[5] The National Policy took this initial digitalization several strides further. One aim of this move towards such an ecosystem was to ensure continuity of care across the different levels of healthcare services.


To date, there is no legislation in India which protects healthcare data. Through an updated Electronic Health Records Standard of India, the government tried to create the ecosystem in 2016, but due to its low acceptance by the industry, it didn’t work out. Hence, the Ministry of Health and Family Welfare proposed DISHA (Digital Information Security in Healthcare Act) in March 2018. DISHA is intended to be an enactment focused on data protection, confidentiality, and security. At both the central and the state level, DISHA aims at creating regulatory authorities to enforce the rights and obligations given under the said enactment. At the center, the setting up of a National Electronic Health Authority (‘NeHA’) was recommended, which would be the topmost authority dealing with setting standards, issuing guidelines, and regulating the collection, organization, and transfer of health data. A State Electronic Health Authority (‘SeHA’) was suggested at the state level, which would be accountable for ensuring that organizations comply with the requirements of DISHA.[6]

Personal Data Protection Bill

The government established a panel in 2017 to study the issue of data protection. The committee, led by Justice BN Srikrishna, produced a draft in July 2018 after a year of work, titled the Personal Data Protection Bill. This bill was released for review and recommendations from various experts. Later a revised draft was offered, namely the Personal Data Protection Bill 2019, which would create the first cross-sectoral legal structure for data protection in India.[7] The Bill governs the handling of citizens’ personal data by the government, companies incorporated in India, and foreign companies that handle the sensitive personal data of users in India.[8] The bill deals with data in three categories, i.e. personal data[9], sensitive data (which includes health data)[10] and critical personal data. However, the Bill also says that in case of a medical emergency the protection of data may be waived without the consent of the individual.[11] This bill tackles the problem of data protection, but it is still in Parliament awaiting final approval.

Right to Privacy

The Supreme Court, sitting as a nine-judge bench on 24 August 2017, acknowledged the right to privacy as a part of Article 21, i.e. the right to life and personal liberty,[12] and overruled a previous judgment in which this right was not recognized.[13] The court also held that privacy, like most of the other fundamental rights, is not an absolute right; it is subject to certain restrictions, and tests were devised to identify whether there is a violation of privacy or not. The bench held that, to test the validity of an act, first the activity must be sanctioned by law (lawfulness), second the activity must be necessary for a legitimate aim (need), and last the activity (infringing privacy) must be proportionate to its objective.

Aarogya Setu

The app was developed under the Ministry of Electronics and Information Technology by the NIC (National Informatics Centre). It is built around “tracing technology” that uses the phone’s Bluetooth and GPS capabilities. Aarogya Setu is designed to detect other app users that an individual has come into contact with. It then alerts users if any of those contacts tests positive for COVID-19. The app holds the health data of an individual who has downloaded it and uses this data only to warn others. The government made this app available in 11 languages and asked each and every citizen to download it for their security.

“Privacy” is a dynamic concept, and with the passage of time and advances in technology it has gone through sharply changing phases. As the right to privacy is only derived from the right to life and personal liberty, it is difficult to decide whether the gathering of data is an infringement of fundamental rights. The information exchanged between users is not accessible to the users themselves but is held only on the server. Despite all this, it is important to know whether the data collection is a violation of our rights or is legitimate.

A French ethical hacker, “Elliot Alderson”, questioned the security and privacy of India’s COVID-19 tracker app Aarogya Setu[14]. According to his allegations, any intruder can find out who is infected anywhere in India, in the area of his choice. Apart from the legal shortcomings, there are technical loopholes as well, as they increase the probability of identity breaches. Another concern is that the app uses both Bluetooth and GPS as data sources, which could be seen as genocide[15]. The point was also raised that no documentation is available for the app. The cyber experts contended that there should be more clarity on the internal working of the app.

The right to privacy may be overridden by the duty of protecting and improving public health, as the state is bound to treat public health as among its primary duties (Article 47 of the Indian Constitution). If public health is neglected or set aside, the public may be exposed to risk to life and may be deprived of their right to life (Article 21 of the Indian Constitution).[16]

Under section 2 of the Epidemic Disease Act 2005, the Central government has all the powers to take all necessary steps to prevent the spread of any epidemic disease in the interest of the public at large.[17] Accordingly, the government has the power to develop an app that tells users whether or not they have been in contact with the COVID-19 virus. The whole country has also been put under lockdown and curfew. Section 2(d) of the Disaster Management Act reads: “Disaster means a catastrophe, mishap, calamity or grave occurrence in any area, arising from natural or man-made causes, or by accident or negligence which results in substantial loss of life or human suffering or damage to, and destruction of, property, or damage to, or degradation of, environment, and is of such a nature or magnitude as to be beyond the coping capacity of the community of the affected area.”[18] The section is not limited to earthquakes or tsunamis; it has a much wider scope. The Ministry of Home Affairs declared the spread of COVID-19 a “notified disaster”, thus bringing it within the definition of “disaster”.[19] Hence, as per section 6(2)(i) of the Disaster Management Act 2005, the National Authority has the power to take effective measures to prevent its spread across the country, and for this reason the government can also take measures such as enforcing a lockdown across the country or building a mobile or web application to prevent citizens from coming into contact with this disease.[20] Announcing COVID-19 as a “notified disaster” is a first-of-its-kind step taken to increase the extent of government powers that can be used to make fast administrative decisions to fight this disease.


Law, as several jurists have stated, is worthless if it fails to adapt to the dynamic environment in which it functions, and digital data protection can be seen as such a demand. The government has reacted to this requirement, but as the saying goes, it’s not done till it’s done, and these proposals ended up just on paper and nothing more. The so-called protector of people from COVID-19, “Aarogya Setu”, brought many questions along with its creation. ‘Privacy’ was one of them, but as we looked into the matter it became clear that various laws defend the actions of the government. Uncertainty still surrounds data protection: the Aarogya Setu app acts in accordance with current and proposed statutory requirements, but whether the current law is adequate to tackle the problem is still undecided. The only answer to this obstacle is to bring into force the drafts that are still waiting at the door of the legislature for the final stamp of approval.

[1] Incoming! Healthcare Protection Law in India, ZNETLIVE Blog (Nov 18, 2019).

[2] Personal Health Data Protection Bill, 2019

[3] Privacy and Public Health: A-line to be defined in between, Mondaq (May 14, 2020).

[4] Ikigai law, DISHA and the draft Personal Data Protection Bill, 2018: Looking at the future of governance of health data in India (25 February 2019).

[5] Clinical Establishments (Central Government) Rules, 2012, rule 9(iv).

[6] Dr. Milind Antai et al., DISHA the first step towards securing patient health data in India (3 August 2018).

[7] Anirudh Burman, Will India’s Proposed Data Protection Law Protect Privacy And Promote Growth (9 March 2020).

[8] Rudra Srinivas, All You Need To Know About India’s First Data Protection Bill (3 January 2020).

[9] The Personal Data Protection Bill, 2019, Section 3(28).

[10] The Personal Data Protection Bill, 2019, Section 3(36) (ii).

[11] The Personal Data Protection Bill, 2019, Section 12.

[12] Justice K. S. Puttaswamy (Retd.) and Anr. Vs. Union of India and Ors. (2017) 10 SCC 1.

[13] Kharak Singh vs. State of U. P. & Others, 1964 SCR (1) 332.

[14] Privacy issues in Arogya Setu, Business Insider (May 7, 2020; 11:51 IST).

[15] What are the concerns around the Arogya Setu app?, The Hindu (May 7, 2020; 00:15 IST).

[16] Supra 15

[17] The Epidemic Disease Act of 1897

[18] COVID-19: The law of Lockdown, Jurist (April 25, 2020; 01:45 IST).

[19] Supra 18.

[20] The Disaster Management Act, 2005

Malini Raj from University of Petroleum and Energy Studies

Editor: Sanskriti Sood
