Indian healthcare gets privacy backbone from new data protection rules

The notification of the Digital Personal Data Protection Rules 2025 has activated provisions of the DPDP Act 2023, significantly impacting the healthcare sector. The law designates medical institutions as data fiduciaries and grants patients rights over their data. Yet, ambiguities in the details pose challenges for healthcare providers.

The Digital Personal Data Protection Act 2023, along with the recently notified Rules of 2025, marks India's most significant privacy reform since the IT Act 2000. These measures promote respect for individual rights and data accountability. In healthcare, every clinic, hospital, laboratory, and telemedicine application is elevated to the status of a "data fiduciary," without distinction based on size. Personal data in digital form, or later digitized, falls under the Act's scope.

Patients become "data principals" entitled to access, correct, and erase their medical information. Hospital consent forms have often relied on blind faith rather than informed choice, but the DPDP Act introduces transparency. During medical emergencies or public health crises, data processing without consent is permitted. However, ambiguities persist in areas like post-operative ICU care, chronic illness management, and follow-up treatments.

Withdrawing consent or requesting data erasure creates complications for healthcare providers. Fiduciaries must delete the data and cease processing it, yet legal obligations in healthcare remain intact. The Act's definition of "processing" includes "erasure," potentially requiring consent even for deletions. Schedule III of the Rules prescribes data retention timelines for various sectors, but healthcare is notably absent, leaving institutions uncertain about record-keeping.

For data collected before the Act's commencement, fiduciaries must notify principals "as soon as reasonably practicable," with no defined time limit. According to authors Tishampati Sen, an advocate at the Supreme Court, and Harsh Mahajan, founder of Mahajan Labs and FICCI health mentor, the healthcare sector warrants sector-specific guidelines due to its critical nature. Overall, the law empowers patients by affirming their data rights and reminds providers that duty of care now extends to digital realms.

Mga Kaugnay na Artikulo

Interior Undersecretary Máximo Pavez speaking confidently at a press conference podium with Chilean flags in the background.
Larawang ginawa ng AI

Pavez defends migrant indication and rules out withdrawing it from bill

Iniulat ng AI Larawang ginawa ng AI

Interior Undersecretary Máximo Pavez backed the indication requiring public institutions to share data on irregular migrants. He stated the measure aims to facilitate notifications and does not create a general duty to report.

Commission III of the Indonesian parliament has sharply criticized Rien Wartia Trigina alias Erin for filing a counter report against her former domestic worker Herawati under the personal data protection law.

Iniulat ng AI

The Lower House approved a bill to revise the personal information protection law. The bill includes a provision requiring businesses that repeatedly commit violations to pay fines equivalent to the earned profit to state coffers.

Ethiopia held a national conference in Addis Ababa under the theme Data Sovereignty for Policy Freedom. Officials highlighted progress in building sovereign digital intelligence infrastructure.

Iniulat ng AI

One month after President Lula's ECA Digital decrees took effect in late March 2026, major platforms including WhatsApp, TikTok, YouTube, Spotify, Discord, and Roblox have adapted by disabling lootboxes in games and enhancing parental controls. The ANPD will regulate age verification for age-restricted content like alcohol, tobacco, and pornography throughout 2026.

Gumagamit ng cookies ang website na ito

Gumagamit kami ng cookies para sa analytics upang mapabuti ang aming site. Basahin ang aming patakaran sa privacy para sa higit pang impormasyon.
Tanggihan