In August 2017, the Supreme Court of India, in a landmark decision in the Justice KS Puttaswamy (Retd.) & Anr. vs Union of India case, recognised the right to privacy as a fundamental right under the Indian Constitution. Following this judgment, the government proposed a few versions of the Personal Data Protection Bill in Parliament before passing the Digital Personal Data Protection Act, 2023, and the Act was finally published in the official Gazette of India on the August 11, 2023, making it the official legislation of India for personal data protection and privacy.

Need for the legislation

In this busy age, most individuals — that is, data principal under the Act — provide their data to various organisations including private and state-controlled without much thought and with a belief that their data is being collected for the purpose of rendering services requested by such individuals. Some organisations have, however, gone far beyond to use the personal data collected in the garb of providing the services, for the purposes unknown to the data principals. The lack of adequate security measures by organisations has also contributed to the growing cybersecurity attacks and ransomware risks in India.

The US recognised the requirement of legislation for the protection of health data some decades back and enacted the Health Insurance Portability and Accountability Act in 1996, with the primary goal of safeguarding sensitive patient health information held by healthcare providers. At first, India introduced the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules) aiming to regulate the processing of sensitive personal data in the digital space, where it also recognised health data as a sensitive personal data. However, these rules were not consistent enough with the rapid technological advancements that took place in the subsequent years and a need for robust overarching legislation was felt for addressing an individual’s privacy concerns and for protection of personal data.

In this digital era of free flow of data, it is highly imperative that there exists a strict legislation to regulate the personal data exchange to protect and maintain the integrity of the individual’s personal data and this Act will bring confidence in the minds of the data principals that the privacy of their personal data is not just protected as their fundamental right but protected by a robust legislation giving more voice to the data principals in the manner in which their personal data is handled.


The enactment of the Act shall replace Section 43A of the Information Technology Act, 2000 (IT Act) and the SPDI Rules. The new legislation imposes onerous obligations on the persons determining the means of processing the digital personal data i.e., the data fiduciary under the Act, irrespective of the sensitivity of personal data, scrapping the classification of health data as sensitive personal data as provided in the SPDI Rules.

As the name of the Act suggests, this law only protects the personal data which is collected in a digital form or if collected physically is later digitised. So this Act, with its present provisions, may not apply to the handling of data by traditional clinics, vaccination drives, healthcare facilities which still collect a patient’s data in physical entry register and do not digitise it ever.

Most organisations today collect personal data by placing cookies on an individual’s system and the individual accepts those cookies to avoid the pop-up which keeps repeating unless an individual has not actioned on it, and consent to process personal data is deemed by these data fiduciaries upon acceptance of their privacy policy by the data principal by merely accessing the website of these data fiduciaries.

The Act imposes on healthcare providers an obligation to obtain an accurate, informed consent from patients backed by an affirmative action by such patients, which consent request need to be backed with a privacy notice detailing the manner in which the patient may exercise her rights in the digital personal data collected by these healthcare providers and the re-courses available to such patient for grievance redress. In case of children and persons with disability being the patient, the healthcare providers will have to ensure that they obtain a verifiable consent from their parents or legal guardians.

Also, the legislatures have come up with a unique provision where privacy notice is required to be made available in 22 languages officially recognised under the Eighth Schedule of the Constitution other than English, which may require the healthcare providers to implement appropriate technological measures to provide this privacy notice in the regional languages, if requested by the data principal.

These provisions not only add an obligation on the healthcare providers to obtain informed consent but will help educate the data principal about their personal data and build a nation of more informed data principals, who are more vigilant about their rights against any unauthorised processing of their digital personal data. However, for the healthcare providers, they will have to ensure proper compliance with the requirement of privacy notice to ensure there is no breach at their end.

Amongst other rights, this new Act allows the patients to nominate another individual responsible to exercise the rights on behalf of the patient in her personal data in the event of the patient’s death or incapacity, also enabling the healthcare providers to reach out to the concerned person for the consent to process the personal data of such a patient.

While the Act is a robust legislation focusing on the privacy of the individuals, it also allows the state and other data fiduciaries process the personal data for certain legitimate uses as provisioned under the Act and provides for remedies for the stakeholders under the Act.

Gautam is Partner, and Ridhi is Senior Associate, Krishnamurthy & Co (K Law), Member of NATHEALTH