The Laws Prevailing in India to Address Medical Data Privacy

Laws are not limited to statutes, rule books (positive laws) or courts’ determination in specific cases (precedents). Other law sources prevent a person from wrongdoing—for instance, morality, ethics, equity or religion. Understanding the laws relating to medical data privacy requires following a set of independent laws unless the Personal Data Protection Bill, 2019, comes into force as a separate enactment. Till then, the formal law's as provided in Table 13.3 related to medical data privacy in India call for independent scrutiny of interrelated laws. A much more complicated approach is involved in unravelling medical privacy law's today, than a simplistic solution like pari materia to HIPAA of US.

The existing legal system, in the absence of a comprehensive data privacy law, is vulnerable in many dimensions. The multiplicity of redressal mechanisms caused by this vacuum calls for some selective legal analysis.

Understanding Privacy Rights as a Fundamental Right

In India, where a significant number of the child populace suffers from malnutrition and goes to school primarily for mid-day-meal or has to queue up for hours in a government hospital for affordable medical advice or travel hundreds of kilometres to the local government healthcare facilities, which doctors believe to be a punishment posting, protecting privacy rights seems to be a misnomer.

TABLE 13.3

Available Legislations to Protect Medical Data Privacy in India

S. No.

Legislations (Selective)

Provisions (Selective)


Indian Telegraph Act, 1885 and Indian Telegraph Rules

Sections 4 and 5

Rule 419A of the IT Rules


Indian Post Office Act, 1898

Section 26


The Indian Wireless Telegraphy

Sections 3 and 4 vesting the power on the

Act. 1933

Government to regulate data


Information Technology Act, 2000 and

Information Technology Rules

Section 69


Unlawful Activities Prevention Act, 1967

Section 4


Code of Criminal Procedure, 1973

Section 91


Consumer Protection Act, 2019

Unfair Trade Practice to disclose the data of the consumers


Right to Information Act, 2005

Section 8 (including related provisions)


Personal Data Protection Bill, 2018

Yet to be enacted

Privacy is a fundamental right in India, however, but a “privacy right” per se is not included in Part III of the constitution and needs to rely upon an expanded notion of Article 21’s interpretation.

“No person shall be deprived of his life or personal liberty except according to procedure established by law.”

The Supreme Court has time and again stated that the term

“life in its wholesome meaning, under a beneficial interpretation, should include all those aspects of life that are essential to make a person’s life more meaningful and worth living” [30].

The apex court, while including the right to privacy within the scope of Article 21, must have considered Article 12 and Article 17 of UDHR ICCPR respectively.

Right to Information Act, 2000 (RTI Act)

RTI Act plays a very significant role in protecting individuals’ rights, mandating the state to share relevant records. In the case of Mr. Surup Singh Hrya Naik v. the State of Maharashtra, the Bombay High Court decided that the RTI Act would override and prevail over the Code of Ethics of the Medical Council of India [31]. The responsibility of the hospital to retain medical records is not explicit in any statute prevailing in India. However, in this case, the said record may be sought by an application under the RTI Act [32].

The RTI Act would, therefore, override a patient’s privacy right to prioritize public interest. However, the concept of public interest is not static, and it may vary from case to case [33].

The Information Technology Act, 2000 (IT Act)

The territorial challenge of data privacy has been addressed in Sections l and 75 of the “IT Act, 2000.” The Act requires a computer, computer system or a computer network within India to bring any extraterritorial issues within its scope.

The IT Act came up inter alia to legitimize online agreements and regulate certain acts of online offences and civil wrongs. Data privacy is also covered under this Act but not distinctively for medical data. Thus, the general rules that apply to data apply for medical data as well. Unauthorized access to data would lead to both criminal charges and civil remedies. (Chapter IX and XI of the Act.)

Indian Council of Medical Research (ICMR)

In India, ICMR formulates, regulates and coordinates biomedical research. It is the national organization responsible for the formulation of ethical frameworks and guidelines and coordination with international organizations and other research institutes

[34]. In the past few years, India has experienced a rise in “contract research organizations” (CRO). Their emergence as organized entities conducting clinical trials, the development of stem cell therapy and commercial surrogacy are also on the rise. This significant rise in biotechnological endeavour in India today calls for guidelines governing research ethics in matters of technology-assisted reproduction, therapies through stem cells and allied activities which require compliance with ICMR’s “Ethical Guidelines for Biomedical Research on Human Participants and the Good Clinical Practices, 2001,” guidelines framed by the CDSCO. Similarly, the Ministry of Health is to be adhered to while formulating research proposals involving human subjects along with approval from the Institutional Ethics Committee with prior consent from the patient or the person whose sample has to be collected for testing purposes [35].

ICMR guidelines also include an important aspect of consent, “informed consent.” First, the informed consent of all the human participants for all biomedical must be obtained. The “informed consent form” must be detailed and signed by the participants [20]. Only after the participants approve the form, are specific alphanumeric codes allotted to the samples.

In 2010, this process was revised, leading to the Biomedical Ethics Bill’s submission in 2014. After passing the proposed Ethics Bill, a “Biomedical Research Authority” is expected to be set up to regulate and implement the various facets of biomedical research. This would, inter alia, include multiple aspects of biobanks as well. While ICMR has been playing an essential role in biobank guidelines, an authority created through the law (with representatives from stakeholders and having comprehensive powers) thus would be in a better position for regulation and governance in this sector, rather than the already existing guidelines which only have substantial value under Indian municipal laws. The new law inter alia would encourage bioethical standards.


Medical data is an emerging market for economic dominance. Personalized healthcare systems will slowly and steadily bridge the gap between clinical and real-world data. Controlling the health conditions of every individual and application of AI is going to be the order of the day and big data (or relevant data) will play a very significant role. As this transformation takes place, the possibilities for the misuse of data become a reality. The vulnerability of the state in regulating big data has been exposed and highlighted by the apex court in many cases. Where laws pertaining to medical data are going to be a reality, anticipating what is around the corner would eventually put the state in an advantageous position.

The state must play the role of a guardian to the people and ward off the misuse of data access, storage and transfer by private operators for mere financial gains. The market in medical data in India is at its nascent stage, and so are the related challenges. But the situation will be more complicated by the next decade. For India, the first step is surely the passing of the Data Privacy Bill of 2019. In its absence, a significant number of grey areas will keep on cropping up, with regard to medical data privacy in India.

Issues like linking Aadhar with healthcare databases, developing a uniform standard for e-health records, the regulation of health insurance records, maintaining data concerning the medical termination of pregnancy cases, regulations of DNA-based technology, etc., should be properly addressed at this juncture. India has a long way to go when it comes to data protection and more importantly medical data protection. A dedicated team of experts must be set up which would, inter alia, raise and address those issues democratically to achieve a balance between data availability, its regulation and the protecting of privacy rights. Said authority should also be empowered with adequate powers to impose sanctions. The proposed legislation and regulations must incorporate global standards of data management in both the public and private domains. As the world becomes a global village, Indian data privacy laws must adequately serve the need of the hour; unfortunately, they are insufficient today.


  • 1. Bellazzi, R. 2014. Big data and biomedical informatics: A challenging opportunity. Yearbook of Medical Informatics, 9(1), 8.
  • 2. Vora, J.. Italiya. P.. Tanwar, S.. Tyagi, S„ Kumar. N.. Obaidat. M. S., & Hsiao. K. F. 2018. Ensuring privacy and security in E-health records. In International Conference on Computer, Information and Telecommunication Systems (CITS) (pp. 1-5). IEEE.
  • 3. 1948. Universal Declaration of Human Rights, laration-hu man-rights/.
  • 4. Abouelmehdi K., Beni-Hessane A., and Khaloufi H. 2018. Big healthcare data: Preserving security and privacy. Journal of Big Data, 5:1.
  • 5. Barrows Jr, Randolph C., and Paul D. Clayton. 1996. Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Association, 3(2): 139-148.
  • 6. Borry, P., Bentzen, H. B., Budin-Ljpsne, I.. Cornel, M. C., Howard, H. C., Feeney, O.,... & Riso, B. 2018. The challenges of the expanded availability of genomic information: An agenda-setting paper. Journal of Community Genetics, 3: 103-116.
  • 7. 1976. International Covenant on Civil and Political Rights, publication/unts/volume%20999/volume-999-i-14668-english.pdf.
  • 8. 1950. European Convention on Human Rights. Convention_ENG.pdf.
  • 9. 1981. Convention for the Protection of Individuals with Regard to Automatic Processing.
  • 10. 1995. Directive 95/46/EC of the European Parliament, -content/EN/TXT/?uri=celex%3A31995L0046.
  • 11. 1997. Oviedo Convention,
  • 12. European Group on Ethics in Science and New Technologies. 2016. The Ethical Implications of New Health Technologies and Citizen Participation. https://op.europa ,eu/en/publication-detail/-/publication/e86c21fa-ef2f-lle5-8529-01aa75ed71al/langua ge-en/format-PDF/source-77404221.
  • 13. 1995. World Medical Association Declaration of Lisbon on Rights of the Patient, https ://
  • 14. 2005. WMA Declaration of Lisbon on the Rights of the Patient, wp-content/uploads/2005/09/Declaration-of-Lisbon-2005.pdf.
  • 15. 2015. WMA Declaration of Lisbon on the Rights of Patient, ies-post/wma-declaration-of-lisbon-on-the-rights-of-the-patient/.
  • 16. European Group on Ethics in Science and Technologies; European Commission, 1999.
  • 17. 2017. Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, -protection/home/-/asset_publisher/RMbj8Pkl ApgJ/content/the-bureau-of-the-consu ltative-committee-of-the-convention-for-the-protection-of-individuals-with-regard-to- automatic-processing-of-personal-data-t-pd.
  • 18. 2000. Charter of Fundamental Rights of the European Union. https://www.europarl ,
  • 19. Wright, A. 2017. 8 Things You Need to Know about India’s Economy, https://www.wef
  • 20. Karegar, Farzaneh, Gerber, N., Volkamer, M., & Fischer-Hiibner, S. 2018. Helping john to make informed decisions on using social login. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (pp. 1165-1174).
  • 21. Coos. A. 2018. EU vs US: How Do Their Data Privacy Regulations Square Off? https:/ / -square-off/.
  • 22. Pernot-Leplay, E. 2020. Data Privacy Law in China: Comparison with the EU and

U.S. Approaches, e-usa/.

  • 23. Kobie, N. 2019. The Complicated Truth about China's Social Credit System. https://ww
  • 24. Walters, R. 2018. China and US Compete to Dominate Big Data, https://www.ft.eom/c ontent/e33a6994-447e-lle8-93cf-67ac3a6482fd.
  • 25. Ghidini, G. 2006. Intellectual Property and Competition Law. tual-property-and-competition-law-the-innovation-nexus.html.
  • 26. WTO. Agreement on Trade Related Aspects of Intellectual Property, https://www.wto ,org/english/docs_e/legal_e/27-trips.pdf.
  • 27. 1996. Health Insurance Portability and Accountability Act (HIPAA). https://www.cdc .gov/phlp/publications/topic/hipaa.html.
  • 28. Dove, E. S., & Phillips, M. 2015. Privacy law, data sharing policies, and medical data: A comparative perspective. In Medical Data Privacy Handbook, 639-678. Cham: Springer.
  • 29. U.S.-EU Safe Harbor Framework, ivacy-and-security/u.s.-eu-safe-harbor-framework.
  • 30. Olga Tellis and ors. v. Bombay Municipal Corporation and ors, 1985 SCC (3) 545 (Supreme Court of India July 10, 1985).
  • 31. Mr. Surupsingh Hrya Naik vs State Of Maharashtra, AIR 2007 Bom 121 (Bombay High Court March 23. 2007).
  • 32. Arjesh Kumar Madhok v. Centre for Fingerprinting & Diagnostics (CDFD) 2007, Decision_26102007_06 (RTI Commissioner 2007).
  • 33. Wetzels, M., Broers, E„ Peters. P„ Feijs, L., Widdershoven, J.. & Habibovic, M. 2018. Patient perspectives on health data privacy and management: “Where is my data and whose is it?”. International Journal of Telemedicine and Applications, 2018.
  • 34. The Indian Council of Medical Research,
  • 35. 2006. Ethical Guidelines for Biomedical Research on Human Participants. https://et or_human_participants_2006.pdf.
< Prev   CONTENTS   Source