Public Comments to DISHA 2018 Draft

DISHA 2018 is the proposed Indian law on Privacy and Data Protection in the Health Care sector.

The IT industry is in the midst of discussion on GDPR and how it will impact Indian Companies. At the same time, the Srikrishna Panel is also due to submit its recommendations on the General Data Protection law in India.

Behind all these developments, there is already ITA 2000/8 which defines Personal Data, Sensitive Personal Data, the responsibilities of protecting the Confidentiality, Integrity and Availability of “Data”, “Personal Data” and “Sensitive Personal Data”, defines penalties, the dispute resolution mechanism etc.

Unfortunately, each Ministry of the Government wants to have a separate law for itself addressing Data Protection in its own domain. This multiplicity of laws is unlikely to benefit the people and will increase the cost of Administration enormously.

Today is the last day for submission of comments by the Public on DISHA 2018 or the “Digital Information Security in Health care Act 2018”. Public comments are expected to be provided before April 21, 2018 to be sent to .

In order to enable stakeholders to form their views and forward them to the ministry, Naavi has provided his own immediate views on the proposed 45 section draft legislation in the form of the following articles.

  1. DISHA 2018- Proposed Health Information Security Act in India
  2. Consequences of Health Data Breach under DISHA 2018
  3. Data is a Property owned by the Data subject under DISHA 2018
  4. New Regulatory Agencies under DISHA 2018

There are also some articles posted on on GDPR and Srikrishna Panel 

Readers may peruse these articles and send their own comments to the Health Ministry on DISHA 2018.

It is our firm belief that “Data Protection” requires a comprehensive regulation for multiple sectors and there has to be an “Umbrella Law” that is supported by “Sectoral Security Standards”. ITA 2000/8 already has the concept of “Reasonable Security Practice” with flexibility for sectoral regulators to define their own standards.

It is therefore redundant to have multiple Data Protection Legislations leading to multiple Data Protection Authorities, Officers, Committees, Chairpersons etc. Such sectoral laws will be unproductive and create conflicts.

If the Modi Government believes in Minimal Governance and Best use of technology, there is a need for a complete re-think of the approach to such sectoral laws, sectoral CERTs etc. These suggestions are created by Bureaucrats who think all legislations are for the benefit of creating new organizations and bloating up the Government expenditure and the law is only an excuse.

The public do not relish such an approach. These laws only increase the cost of administration and also create corruption centers in the country. They do not bring proportionate benefit to the public.

I look forward to the right-thinking persons in the Modi Government to give a thought to the above comment and proceed with such duplicate legislations.

At a time when Mr Modi is considering the National Health Mission, which is a huge political and financial investment, having an efficient organization to back it up in terms of legislation and authorities is considered necessary. But what we need to consider is whether “Medical Data” is also “Data” which is already addressed by the ITA 2000/8 and Data Protection Act (Srikrishna panel) and whether we can merge these proposed legislations into one existing legislation which should ideally be the “Information Technology Act 2000 as amended in 2008 and to be further amended in 2018”.

We can then have one State level Adjudication Authority, one Central level Adjudication Authority for Data in general and one Data Protection Authority supported by sectoral standard committees and sectoral CERTs.

If this basic concept is accepted, we may have to rework DISHA 2018 and substitute it with one chapter on Health Data Security in ITA 2000/8 (with some changes in Adjudication and Appellate Tribunal aspects of ITA 2008 which could be as suggested under DISHA 2018).

I hope a reasonable thought is given in this direction also.


