The Role of Law in Protecting Medical Data in India
5. P. Chakrabarty, S. Mukherjee and A. Rodricks
Introduction
Quantum physics, with its theory of relativity, has made staggering developments in the area of telecommunication and satellite technology. In turn, today, people have become more dependent on GPS than their brains to find a new place. Technology today is dominating major aspects of human life. Significant jurisdictions consider the right to access the Internet today as a fundamental right. This technological inclusion eliminates those limitations that time, distance and money would have otherwise imposed. Virtual reality has enrooted and challenged the concept of nationality and traditional ways of life, and given us a new global village called cyberspace. This growth in the technological sector has touched all the areas humans interact with in the general course of life, and the healthcare sector is no stranger to this evolution. This change has brought a lot of people, and with them their thoughts, under an umbrella. With the major players in the world health sector coming closer, the three Vs which have proven to be of much significance come as a consequence. Volume, variety and velocity: The volume of medical records available is increasing at a staggering pace, and almost all countries have started relying on it. The variety of medical data is also huge, as multiple areas need to be diagnosed and identified for choosing the right course of action for the patient. The velocities at which these medical records are increasing are phenomenal and unprecedented, as major developing countries are now transitioning to digitalization [1,2]. As tech giants like “Fitbit” and “Apple Health” are collecting an enormous amount of data from all parts of the world from various users and patients [3,4], data management becomes a key area of concern.
These modern technological marvels have replaced a plethora of outdated, unscientific thoughts and notions, including lex loci (laws of the land). The biggest challenge that the law needs to address today is the jurisdictional challenges inherent in colonial laws where the concept of state and formation of the government has always been based on territoriality.
In cyberspace, there is no territoriality. The laws fit for a specific jurisdiction with its implementational machinery are suddenly outdated today. The question of privacy, amidst this technological evolution, has challenged all regulatory mechanisms searching for an answer. Medical data privacy, being a species of the genus privacy, is also struggling for a static regulatory mechanism. In a highly globalized world, healthcare issues are no longer limited to a specific jurisdiction. This global issue, prior to its resolution, requires retrospection from a global standpoint.
There are certain normative aspects involved in multidisciplinary research. Caution must be exercised while dealing with technical and medical data concerning privacy, ethics and similar other normative issues. Informed consent plays a significant role as patients should be aware that the said data are subject to commercial availability and that they form a part of big data [5, 6].
In this chapter, the authors intend to unravel the struggle developed countries have undergone to formulate laws and frame policies to prevent the misuse of data of patients. The importance of this global issue, as has been addressed by the world community through various international instruments, is also highlighted. The collective approach of European nations, the US and Asian countries, including India, in regulating the issue of medical privacy has been analysed and grey areas unravelled. The absence of adequate literature in this area of research was noticed; hence primary sources like international instruments, enactments and judgements of the apex courts have largely been relied upon. The study proposes to bridge the gaps that have not been addressed by the existing laws and what should be the best way forward from the regulatory and legal standpoint.
International Instruments Regulating Medical Data Privacy
The fundamental source of data is the society we live in, and said data are used and applied to people living in that society. Medical data privacy is multifaceted, including, but not limited to, cybersecurity, cyber frauds, etc. Laws and regulations pertaining to this area of discourse require scrutiny. Significant development in the process of law-making for a subject matter of international concern certainly requires international law to play a vital role. International laws and international instruments, as reflected in Table 13.1, are connected to the people through domestic legislation. The primary modes by which this process materializes are through three theories: Specific adoption theory, the delegation theory and the transformation theory. Laws and regulations of medical records have to be managed. Hence, the proper classification of medical, non-medical and non-healthcare medical data is to be developed. Specific laws need to be made on accessing and using those data diligently.
TABLE 13.1
Collective Measures for Medical Data Privacy
S. No. | Year | Instrument | Key provision(s)
1 | 1948 | UDHR | Article 12
2 | 1976 | ICCPR | Article 17
3 | 1950 | ECHR | Article 8
4 | 1981 | Convention 108 | Preamble, Article 1, 2, 8, 9, 12, 13
5 | 1995 | “Directive 95/46/EC of the European Parliament” | Article 1, 9, 13, 25, 26
6 | 1997 | Oviedo Convention | Article 10
7 | 1994 | “Declaration on the Promotion of Patients’ Rights in Europe” | Guiding Principles, Clause 1, 4
8 | | “Lisbon Declaration on Rights of Patient” | Clause 7, 8, 10
9 | 1999 | EGE Opinion | -
10 | 2017 | “Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 2017” |
11 | 2018 | GDPR, European Parliament | Chapter III
The “Universal Declaration of Human Rights” was intended to recognize individuals’ privacy and dignity [3]. Article 12 therein prohibited “arbitrary interference” in the privacy and dignity of individuals and their families. At that juncture, i.e., post-Second World War, the potential threat of interference was primarily anticipated from the state machinery [3]. A similar position is reiterated in Article 17 in 1966 in the “International Covenant on Civil and Political Rights” [7]. “The Convention for the Protection of Human Rights and Fundamental Freedom,” popularly known as “European Convention on Human Rights,” also respects the privacy of every individual; however, it also provides that this right can be interfered with, if issues pertaining to public safety, national security, the economic well-being of the state, crime prevention, protection of health or the moral state or rights and freedom of others demand such interference; albeit such intervention should be done in accordance with the law [8]. In the initial stage, the law of privacy was concerned with the protection of individual privacy, from arbitrary interference of the state, and is considered one of the most significant human rights. The authors have made a comprehensive study of almost all international instruments pertaining to medical data privacy along with laws in various jurisdictions and have identified some very crucial missing areas that have to be bridged in the upcoming laws of data privacy in India.
Convention 108
With technological evolution, reforms needed to be brought in the law of privacy irrespective of jurisdictions. The European nations acknowledged the need to address the issue of protection of data privacy as a collective. The member nations of the European Council, with a view of protecting fundamental rights, especially the right to privacy and a significant rise in automated personal data processing (“data protection”), came up with the “Convention for Protection of Individuals with regard to Automatic Processing of Personal Data, 1981” also known as “Convention 108” [9]. As per the Convention,
“The automatic processing meant storage of data, carrying out of logical and/or arithmetic operation on those data, alteration, erasure, retrieval or dissemination.”
The member states were under obligation to take appropriate measures to legislate domestic laws based on the fundamental principles laid by the Convention. The Convention explicitly places the responsibility on the parties prohibiting automatic processing of data relating to race, political or religious belief, health and sexual life. However, the parties may bypass such prohibitions through enactment of domestic legislations. This very Convention could be considered as the first international instrument which explicitly addressed the issue of potential risks associated with the abuse of privacy law involving medical data. The Convention further provided for guidelines on additional safeguards that entail rectifying or erasing such data which were obtained or processed violating or ignoring the domestic legislations, by effecting the provisions of Article 6 drafted precisely to safeguard sensitive information including restrictions on the flowing of personal data across borders. Furthermore, a specific exception was made to the basic principles for the protection of data reflecting similar provisions as provided in the “European Treaty on Human Rights” [8].
Oviedo Convention
In 1995, the European Parliament took another significant step by issuing a directive addressing personal data processing and its free movement. The directive’s very objective was to protect the right to privacy of personal data and allied processes involved in handling such data. The directive clarifies personal data as that information related to a natural person, whether directly or indirectly. These data may include information relating to the physical, mental or physiological features as well as the social, economic or cultural characteristics of an individual [10].
The European Council followed up Convention 108 with the “Convention for the Protection of Human Rights and Dignity of the Human Being” concerning the “Application of Biology and Medicine: Convention on Human Rights and Biomedicine of 1997” (Oviedo Convention). This Convention was drafted in the wake of accelerated development in biology and medicine and the realization that the potential misuse of biology and medicine could endanger human dignity. The Convention primarily dealt with human rights, biology and medicine. The Convention further bestows the right to the individual of not receiving health-related information [11].