The Digital Personal Data Protection Act, 2023, and Indian medical research. (Part 1)
The Digital Personal Data Protection Act of 2023 (DPDP-2023) received the Indian President's assent on 11 Aug 2023, thereby ushering in higher regulatory requirements for all digital personal data collectors and users.
As per the act, “personal data” means any data about an individual who is identifiable by or in relation to such data. All medical/health information by its link to personal identifiers like name, date of birth, and sex will come under 'personal data.'
The health information collected in medical records is used for research purposes. Most of this information is now in digital formats or is digitalized at some stage of the data collection process. Hence, research stakeholders must understand the impact and requirements of the DPDP 2023.
This article is Part 1 and will address the following topics-
First, let us look at the scope of the law. The law applies to all digital personal data within the territory of India, where the personal data is collected––
(i) in digital form; or
(ii) in non-digital form and digitized subsequently (e.g. PDF files, Lab Reports)
The regional jurisdiction of the law includes "processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India."
In the research context, this will include Data Management systems, Central Pharmacies, and labs out of India.
The law does not apply to
(i) personal data processed by an individual for any personal or domestic purpose; and
(ii) personal data that is made or caused to be made publicly available by—
(A) the Data Principal to whom such personal data relates; or
(B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
To comprehend the scope, we should also understand what 'data' is per the law and what the 'person' in personal data means.
“data” means a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by human beings or by automated means.
“digital personal data” means personal data in digital form.
Let's consider these definitions in relation to research. All health information collected, stored, or transmitted in digital form and linked to a person either directly by personal identifiers or indirectly by alphanumeric codes (pseudonymization) shall come under the purview of this law.
The law has a broad scope and covers information beyond medical records. As per the definition in this law, a “person” includes—
(i) an individual;
(ii) a Hindu undivided family;
(iii) a company;
(iv) a firm;
(v) an association of persons or a body of individuals, whether incorporated or not;
(vi) the State; and
(vii) every artificial juristic person not falling within any of the preceding sub-clauses.
Hence, if any pharma, medical device, or contract research organization (CRO) collects study personnel details like resumes and medical registrations in digital format (including PDF files), this data must also be protected per the DPDP 2023.
All research stakeholders should be well aware of some of the basic definitions of this act, their roles, and how they correlate with research terminology. The law prescribes specific roles to different entities. Many of these are related to the roles played by research stakeholders.
The research patient/subject/participant would be called “Data Principal” per the law. The individual to whom the personal data relates and where such an individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with a disability, includes her lawful guardian, acting on her behalf.
The clinical trial site/hospital/clinic/investigator shall be the Data Fiduciary in the case of medical records. The law defines the "Data Fiduciary" as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
This is an interesting definition and, in the case of research, may create confusion and conflict between the study sponsor/CRO. As per my understanding, the sponsor/CRO shall be the data fiduciary for the Case report forms or any data collected directly on their formats or systems, e.g., e-Case Report Form (e-CRF); e-Patient Reported Outcome (e-PRO) or e-Diary.
"Data Processor" is any person who processes personal data on behalf of a Data Fiduciary. The clinical trial site/investigator shall be the data processor for the e-CRF, e-PRO, and e-Diary. The study sponsor/CRO shall be the data processor for health records. In the current law, there are no liabilities on the data processor.
This role shall also include central pharmacies, local or central labs, data management vendors, and statistical analysis vendors. In other words, it covers any third party associated with the collection, storage, or transmission of data in digital format who is NOT the primary determinant of the 'purpose and means of processing of data' (the role of the data fiduciary).
Other roles/entities described by the DPDP 2023 are not found in research functions. The "Significant Data Fiduciary" means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government. The classification of such an entity shall be done based on:
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of the Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
Considering the volumes and sensitivity of data handled by hospitals/ clinics, it is likely that the Indian government may label such institutions as significant data fiduciaries along with financial institutions.
The “Data Protection Officer” shall be an individual appointed by the Significant Data Fiduciary to meet the requirements of the DPDP 2023.
The Central government shall establish the Data Protection Board of India to investigate and provide/instruct remedial measures for data breaches. They will also adjudicate on the penalties listed in the DPDP 2023.
“Consent Manager” is a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. The Consent Manager shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed. The Data Principal may give, manage, review, or withdraw her consent to the Data Fiduciary through a Consent Manager.
According to our understanding, the consent manager will be an independent person with the qualifications and experience outlined by the Central government in the rules (to come later) who must be registered with the Data Protection Board to handle grievances of data principals.
Next, we examine what a personal data breach is as per the law. The DPDP 2023 has been enacted to protect against the misuse of personal data. A data breach is "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data."
The responsibility of protecting the data lies on the data fiduciary. "A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach."
Hence, it shall be imperative for the study sponsor, CRO, and investigator sites to perform due diligence on the data safety measures of their data processors (vendors) and to have the obligations for data protection clearly defined in agreements.
If a data breach occurs, the data fiduciary must inform the Data Protection Board and each data principal affected by the breach. (Time to inform and means to intimate shall be outlined in the rules that the government will soon release.)
The Data Protection Board shall enquire and investigate the breach and, based on their assessment, adjudicate the penalties on the Data fiduciary. These penalties may go up to two hundred and fifty crore rupees depending on various factors. If the breach is due to the data principal not complying with their duties as per DPDP 2023, the penalty on the data principal shall be up to ten thousand rupees.
Scary! Well, there is more. In the next part, we shall talk about.