Every establishment, including those in the private sector, keeping the records of HIV-related information of protected persons shall adopt data protection measures in accordance with the guidelines to ensure that such information is protected from disclosure. Data protection measures shall include procedures for protecting information from disclosure, procedures for accessing information, provision for security systems to protect the information stored in any form and mechanisms to ensure accountability and liability of persons in the establishment.

National AIDS Control Organisation, Department of Health & Family Welfare, GOI collects data on components related to HIV/AIDS through various mechanisms including routine monitoring, sentinel surveillance systems, Behavioral Surveillance surveys and other evaluations / operations research studies. The main objectives of this information collection through integrated M&E system are to track the progress of HIV/AIDS epidemic in the country and to track performance of National AIDS Control Program. The data collected through these mechanisms is used for various purposes including program management, resource allocation and taking corrective decisions.

The Draft E-Commerce Guidelines, 2019 provides that cross border data flows shall be governed by principles of data localisation for data generated in India. However, such restrictions will not apply to business-2-business data sent to India as a part of a commercial contract between a foreign entity and an Indian one, software/cloud computing related data flows and multinational companies moving data across the international ecosystem (as long as it does not contain data generated by Indian users). It also envisages a framework for sharing data with start-ups and firms in furtherance of larger public interest, which shall be governed by a data authority. There have been concerns of overlap between the jurisdiction of such Authority and the DPA established under the PDP Bill 2019. The Draft also states that financial transactions pertaining to e-commerce shall protect privacy and sensitive data, prevent data leaks/theft and enable secured transactions.

Direction 33.2 covers cyber security policies for NBFC’s, including management of vulnerability in the organizations IT systems, ensuring cyber security preparedness through resilience indicators, a cyber crisis management plan and board and providing digital signatures so as to ensure high security of online transactions and protect private information that is exchanged on the basis of such digital signatures.

This National Digital Health Blueprint is an extension of the National Health Policy of 2017 (NHP 2017) that was formulated to provide universal healthcare to all citizens of India based on digital technologies for achieving higher efficiency and effectiveness. The National Digital Health Blueprint (NDHB) is the architectural document for the implementation of National Health Stack (NHS). Launched in 2018, the National Health Stack (NHS) was envisioned as the foundational component for UHC to leverage Big Data Analytics, Machine Learning and Artificial Intelligence.

The Personal Data Protection Bill, 2019 (PDP Bill) was introduced in the Lok Sabha on 11 December 2019, after the Justice Srikrishna Committee submitted the Draft PDP Bill in 2018. The PDP Bill governs the collection, processing, transfer and storage of personal data within the territory of India, or by the State or any Indian individual/company, or by a foreign entity dealing with personal data of individuals in India. The PDP Bill 2019 is largely premised on the 2018 Bill, but does deviate in some aspects. At present, the Bill is pending consideration before a Parliamentary Standing Committee.

Guideline 3.7.1.2 states that the Registered Medical Practitioner (RMP) would be required to fully abide by Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 and with the relevant provisions of the IT Act, Data protection and privacy laws or any applicable rules notified from time to time for protecting patient privacy and confidentiality and regarding the handling and transfer of such personal information regarding the patient. This shall be binding and must be upheld and practiced. However, guideline 3.7.1.3 states that Registered Medical Practitioners will not be held responsible for breach of confidentiality if there is reasonable evidence to believe that a patient’s privacy and confidentiality has been compromised by a technology breach or by a person other than RMP. The RMPs should ensure that a reasonable degree of care is undertaken during hiring of such services.