The Digital Personal Data Protection Act, 2023 ("DPDP Act") is the latest legislation governing how organizations will process, retain and protect the digital personal data of individuals. Each organization that collects and processes digital personal data of any individual, including its own employees, will be required to comply with these new regulations. It is important to note that personal data can only be processed with proper consent and for certain outlined legitimate uses.
The DPDP legislation characterizes personal data as "any information concerning a person who can be identified by or in connection with said data". This encompasses various types of personal identification details, including name, address, contact number, Aadhaar, PAN card, Passport, and so on.
Impacts on Healthcare
The DPDP Act will require healthcare providers and entities to obtain explicit consent from data principals (individuals whose data is processed) before collecting, using, or sharing their personal health data, which is classified as sensitive personal data under the law.
The DPDP Act will also mandate healthcare providers and entities to implement appropriate security measures, conduct data protection impact assessments, appoint data protection officers, and comply with the codes of practice and standards issued by the Data Protection Board of India.
The DPDP Act will enable data principals to access, correct, erase, port, and restrict the processing of their personal health data and seek redressal for any grievances or violations of their rights.
The DPDP Act will create new opportunities for innovation and collaboration in the healthcare industry, as it will facilitate the use of personal health data for research, public health, emergency response, and other purposes, subject to certain conditions and safeguards.
Up to INR 10,000: Breach in observance of duty of Data Principal
Up to INR 200 Crore: Breach in observance of additional obligation in relation to children
Up to INR 200 Crore: Breach in not giving notice of Personal Data Breach
Up to INR 250 Crore: Noncompliance of the provisions by Data Fiduciaries