Healthcare

Digital Personal Data Protection Act 2023: Impact On Indian Healthcare Industry

__
<p style="text-align: justify;"><span data-preserver-spaces="true">The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new law regulating personal data processing in India. It aims to protect the privacy rights of individuals and create a framework for data governance and accountability. The DPDP Act will significantly impact the Indian healthcare industry, which is still in its early stages of digital evolution. Some of the key impacts are:</span></p><ul style="text-align: justify;"><li><span data-preserver-spaces="true">The DPDP Act will require healthcare providers and entities to obtain explicit consent from data principals (individuals whose data is processed) before collecting, using, or sharing their personal health data, which is classified as sensitive personal data under the law</span></li><li><span data-preserver-spaces="true">The DPDP Act will also mandate healthcare providers and entities to implement appropriate security measures, conduct data protection impact assessments, appoint data protection officers, and comply with the codes of practice and standards issued by the Data Protection Board of India</span></li><li><span data-preserver-spaces="true">The DPDP Act will enable data principals to access, correct, erase, port, and restrict the processing of their personal health data and seek redressal for any grievances or violations of their rights</span></li><li><span data-preserver-spaces="true">The DPDP Act will create new opportunities for innovation and collaboration in the healthcare industry, as it will facilitate the use of personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards</span></li></ul><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 14pt;">Implications of Digital Personal Data Protection Act 2023 in Healthcare Sector</span></h2><p style="text-align: justify;"><span data-preserver-spaces="true">The Digital Personal Data Protection Act, 2023 (DPDP Act) will have various implications in the healthcare sector in India, such as:</span></p><ul style="text-align: justify;"><li><span data-preserver-spaces="true">It will require healthcare providers and entities to adopt privacy-conscious and data-responsible practices, such as obtaining explicit consent, implementing security measures, conducting data protection impact assessments, and appointing data protection officers</span></li><li><span data-preserver-spaces="true">It will enhance patient trust and confidence in using their personal health data, which is classified as sensitive personal data under the law.</span></li><li><span data-preserver-spaces="true">It will create new opportunities for innovation and collaboration in using personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards</span></li><li><span data-preserver-spaces="true">It will also create challenges for developing and adopting data-driven technologies, such as artificial intelligence and machine learning, which may require balancing the protection of patient privacy and the potential of these technologies.</span></li></ul><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;"><span data-preserver-spaces="true">It will interact with other existing or proposed laws and policies related to health data, such as the Ayushman Bharat Digital Mission (ABDM), which aims to create a unique health ID named ABHA and a digital health record for each person.</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 14pt;">Government Initiatives to protect Patient Data</span></h2><p style="text-align: justify;"><span data-preserver-spaces="true">The Information Technology Act 2000 governs provisions related to Protected Health Information (PHI) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Patient data, including health information, is treated as sensitive personal data or information and, under the IT Act</span><strong><span data-preserver-spaces="true">,&nbsp;</span></strong><span data-preserver-spaces="true">offers some degree of protection to the collection, disclosure, and transfer of sensitive personal data.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Also, long before DPDP Act 2023, the Government introduced the Digital Information Security in Healthcare Act (DISHA), India&rsquo;s counterpart of the Health Insurance Portability and Accountability Act (HIPAA), aimed at providing healthcare data privacy, security, confidentiality, and standardization and establishment of the National Electronic Health Authority (NeHA) and Health Information Exchanges. While this act aims to encourage the pan-India adoption of e-health standards, DISHA has not yet come into force.</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 14pt;">Penalties in Digital Personal Data Protection Act 2023&nbsp;</span></h2><p style="text-align: justify;"><span data-preserver-spaces="true">Under the DPDP Act, 2023, you have the right to file a complaint with the Data Protection Board of India (DPB), which is the enforcement body established under the act, if you suspect or experience any non-compliance by a third party that collects or processes your personal data. The DPB can inquire into the complaint, direct any remedial or mitigation measures, inspect any document, summon and enforce the attendance of any person, and impose penalties for non-compliance.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">The act allows only monetary penalties for breaches or non-compliance, ranging from INR 50 crore to INR 250 crore, with a maximum penalty of INR 500 crore for significant data breaches. You can also seek compensation from the DPB for any harm caused to you due to the non-compliance by the third party. However, the act does not provide criminal liability or imprisonment for non-compliance.</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 14pt;">Data Principal</span></h2><p style="text-align: justify;"><span data-preserver-spaces="true">A key ingredient in laws in other countries is the power to impose penalties up to a particular amount as prescribed for offenses or as a percentage of total worldwide turnover, whichever is higher.</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">A data principal is under an obligation to not register a false or frivolous complaint with a data fiduciary or the Board, not to furnish any false particulars or suppress any material information.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">DPDP Act 2023 has introduced a penalty of up to ₹10,000/- (Rupees Ten Thousand) on the data principal for failure to comply with its proposed obligations.</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">The proposed DPDP Act 2023 introduces the concept of&nbsp;</span><strong><span data-preserver-spaces="true">&lsquo;</span></strong><span data-preserver-spaces="true">Deemed Consent&rsquo;, where the data principal is deemed to have given consent for processing their personal data.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Consensual processing of personal data may be done in case of medical emergencies involving a threat to life or an immediate threat to the health of the Data Principal. In the context of such processing, a parallel may be drawn with India&rsquo;s draft Health Data Management Policy by ABDM released in April 2022, which also envisages provisions relating to the processing of Personal Data in case of medical emergencies.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Notably, the ABDM contemplates the appointment of a nominee to provide valid consent on behalf of the Data Principal in case such Data Principal becomes seriously ill or mentally incapacitated or where the data principal is facing a threat to life or a severe threat to health and is unable to give valid consent.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Unlike the DPDP Act 2023, the ABDM does not propose Deemed Consent in the absence of a nominee but instead shifts the right to give valid consent on behalf of the Data Principal to an adult member of the family of the Data Principal.</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">Despite the recommendation under the JPC Report, the DPDP Act 2023 has kept the 'Non-Personal Data' of the individuals, such as information collected by the Government, NGOs, and other private sector entities, outside its ambit. The usage of phrases 'as it may consider necessary' and 'as may be prescribed' can lead to administrative ambiguities. The autonomy of the Data Protection Board, which is entrusted with overseeing the protection of individual's personal data and ensuring compliance with the provisions of the law, is not reassuring. Further, the Government and its instrumentalities can retain personal data for an indefinite period irrespective of whether the purpose for which data was processed has been fulfilled.</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 14pt;">Conclusion</span></h2><p style="text-align: justify;"><span data-preserver-spaces="true">By 2030 India is projected to be the world&rsquo;s third-largest economy and will have one of the world&rsquo;s largest digital personal data footprints in motion and at rest.&nbsp;</span></p><p style="text-align: justify;"><span data-preserver-spaces="true">The DPDP 2023 Act&rsquo;s essentiality shines in our strengthening role in the global order. With the G20 Presidency and multiple Free Trade and Regional Trade Agreements in place, we must find solutions for Data Free Flow with Trust and cross-border data flows.</span></p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;"><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;"><span data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span style="font-size: 10pt;"><em>This article was contributed by our expert <a href="https://www.linkedin.com/in/sujeetkatiyar/" target="_blank" rel="noopener">Sujeet Katiyar</a></em></span><br />&nbsp;</p><p style="text-align: justify;">&nbsp;</p><h3 style="text-align: justify;"><span style="font-size: 18pt;">Frequently Asked Questions Answered by Sujeet Katiyar</span></h3><h3 style="text-align: justify;">&nbsp;</h3><h2 style="text-align: justify;"><span style="font-size: 12pt;">1. What measures does the Digital Personal Data Protection Act 2023 propose to ensure the security and confidentiality of sensitive health data in the Indian healthcare sector?</span></h2><p style="text-align: justify;"><span data-contrast="none">The Digital Personal Data Protection Act 2023 will have significant implications for the healthcare sector, as it will regulate the collection, storage, and processing of digital personal data of patients and healthcare providers.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">The Act will require entities such as hospitals, clinics, pharmacies, diagnostic labs, health apps, and insurance companies to obtain consent from the data principals (the patients) before collecting and using their personal data. </span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">The Act will also mandate data fiduciaries (the entities) to ensure the security and confidentiality of personal data and to report any breaches to the authorities.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">However, the Act also has some limitations, such as allowing the government to exempt certain data fiduciaries from their legal obligations and not requiring data fiduciaries to inform data principals about sharing their data with third parties. These may pose challenges to the protection of privacy and rights of the data principals in the healthcare sector.</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">2. How will the Digital Personal Data Protection Act 2023 impact individuals and their personal data?</span></h2><p style="text-align: justify;"><span data-contrast="none">The Digital Personal Data Protection Act 2023 aims to protect personal data privacy in India. The Act applies to the processing of digital personal data within India, where such data is collected online or offline and digitized.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">It will also apply to such processing outside India if it is for offering goods or services in India. The Act proposes that personal data may be processed only for a lawful purpose upon an individual's consent. Consent may not be required for specified, legitimate uses such as voluntary data sharing by the individual or processing by the State for permits, licenses, benefits, and services.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">Data fiduciaries will be obligated to maintain data accuracy, keep data secure, and delete data once its purpose has been met. The Act grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;"><strong><span data-contrast="none">Provisions of the DPDP Act</span></strong><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">The DPDP Act introduces robust provisions concerning notice and consent obligations, delineates the permissible 'legitimate uses' for processing personal data without explicit consent, establishes an 'Appellate Tribunal' for grievance redressal, and imposes enhanced responsibilities upon data fiduciaries when handling the data of children, among other changes.&nbsp;</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">The Act provides the following rights to individuals:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><ul style="text-align: justify;"><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><span data-contrast="none">Right to access information about personal data processed</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="14" data-aria-level="1"><span data-contrast="none">Right to correction and erasure of data</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="15" data-aria-level="1"><span data-contrast="none">Right to grievance redressal</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="16" data-aria-level="1"><span data-contrast="none">Right to nominate a person to exercise rights in case of death or incapacity</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li></ul><p style="text-align: justify;"><span data-contrast="none">To enforce his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance. In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection Board in a hassle-free manner.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">The DPDP Act also provides the following obligations for the data fiduciary:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><ul style="text-align: justify;"><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="17" data-aria-level="1"><span data-contrast="none">To have security safeguards to prevent personal data breaches</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="18" data-aria-level="1"><span data-contrast="none">To intimate personal data breaches to the affected Data Principal and the Data Protection Board</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="19" data-aria-level="1"><span data-contrast="none">To erase personal data when it is no longer needed for the specified purpose</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="20" data-aria-level="1"><span data-contrast="none">To erase personal data upon withdrawal of consent</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="21" data-aria-level="1"><span data-contrast="none">To have in place a grievance redressal system and an officer to respond to queries from Data Principals</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="22" data-aria-level="1"><span data-contrast="none">To fulfill certain additional obligations regarding Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li></ul><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">3. What strategies can healthcare organizations adopt to ensure a smooth transition to compliance with the Digital Personal Data Protection Act 2023, and how might this impact their operations and cost structures?</span></h2><p style="text-align: justify;"><span data-contrast="none">The Life Sciences and Health Care (LSHC) industry heavily relies on data, including Intellectual Property (IP), Personal Health Information (PHI), and Personally Identifiable Information (PII). As organizations embark on the journey towards preparedness by prioritizing a comprehensive data inventory, a consent management mechanism, data retention policies, data security measures, and regular audits and assessments, understanding the provisions of the law and what they mean for organizations will be crucial.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;"><span data-contrast="none">To ensure a smooth transition to compliance with the Digital Personal Data Protection Act 2023, healthcare organizations can adopt the following strategies:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><ul style="text-align: justify;"><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><span data-contrast="none">Define a data protection governance framework by setting up data inventories, privacy policies, controls, risk assessments, and consent forms compliant with the Digital Personal Data Protection Act 2023</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="24" data-aria-level="1"><span data-contrast="none">Implement a comprehensive consent management mechanism that includes obtaining explicit consent from patients for collecting their personal health information (PHI) and personally identifiable information (PII)</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="25" data-aria-level="1"><span data-contrast="none">Develop data retention policies that specify how long PHI and PII will be retained</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="26" data-aria-level="1"><span data-contrast="none">Implement data security measures such as encryption, access controls, firewalls, intrusion detection systems, and intrusion prevention systems</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="27" data-aria-level="1"><span data-contrast="none">Conduct regular audits and assessments to ensure compliance with the Digital Personal Data Protection Act 2023</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li></ul><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;"><span data-contrast="none">The impact of these strategies on healthcare organizations' operations and cost structures will depend on various factors, such as:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><ul style="text-align: justify;"><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="28" data-aria-level="1"><span data-contrast="none">Size of the organization</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="29" data-aria-level="1"><span data-contrast="none">Existing IT infrastructure</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="30" data-aria-level="1"><span data-contrast="none">Current level of compliance with data protection regulations</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="31" data-aria-level="1"><span data-contrast="none">Budget</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li></ul><p style="text-align: justify;">&nbsp;<br /><span data-contrast="none">However, it is important to note that non-compliance with the Digital Personal Data Protection Act 2023 can result in significant fines and penalties.</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><p style="text-align: justify;">&nbsp;</p><h2 style="text-align: justify;"><span style="font-size: 12pt;">4. How must Data Fiduciaries handle sensitive personal data under the Digital Personal Data Protection Act 2023?</span></h2><p style="text-align: justify;"><span data-contrast="none">Data fiduciaries are required to handle sensitive personal data under the Digital Personal Data Protection Act 2023 as follows:</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></p><ul style="text-align: justify;"><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="32" data-aria-level="1"><span data-contrast="none">Data fiduciaries must process personal data only for a lawful purpose with an individual's consent. Consent may not be required for specified, legitimate uses such as voluntary data sharing by the individual or processing by the State for permits, licenses, benefits, and services</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="33" data-aria-level="1"><span data-contrast="none">Data fiduciaries must maintain data accuracy, keep data secure, and delete data once its purpose has been met</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="34" data-aria-level="1"><span data-contrast="none">Data fiduciaries must have security safeguards to prevent personal data breach</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="35" data-aria-level="1"><span data-contrast="none">Data fiduciaries must intimate personal data breaches to the affected Data Principal and the Data Protection Board</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="36" data-aria-level="1"><span data-contrast="none">Data fiduciaries must erase personal data when it is no longer needed for the specified purpose</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="37" data-aria-level="1"><span data-contrast="none">Data fiduciaries must erase personal data upon withdrawal of consent</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="38" data-aria-level="1"><span data-contrast="none">Data fiduciaries must have a grievance redressal system and an officer to respond to queries from Data Principals</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&quot;335552541&quot;:1,&quot;335559683&quot;:0,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}" aria-setsize="-1" data-aria-posinset="39" data-aria-level="1"><span data-contrast="none">Data fiduciaries must fulfill certain additional obligations regarding Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure a higher degree of data protection</span><span data-ccp-props="{&quot;134233117&quot;:false,&quot;134233118&quot;:false,&quot;201341983&quot;:0,&quot;335551550&quot;:0,&quot;335551620&quot;:0,&quot;335559738&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</span></li></ul><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p><p style="text-align: justify;">&nbsp;</p>
KR Expert - Sujeet Katiyar

Core Services

Human insights are irreplaceable in business decision making. Businesses rely on Knowledge Ridge to access valuable insights from custom-vetted experts across diverse specialties and industries globally.

Get Expert Insights Today