DPDP Act and digital health: Is your software fit for purpose?

The intersection of the Digital Personal Data Protection Act (DPDP) 2023 and digital health poses a critical question: Is your software equipped to meet the demands of this evolving regulatory landscape? As the digital health sector continues to expand and innovate, ensuring compliance with the stringent requirements of the DPDP Act is essential for technology providers.
The DPDP Act, with its comprehensive coverage of digital data that can uniquely identify individuals, including health-related genetic and biometric data, necessitates robust protection measures and meticulous compliance efforts. The DPDP Act 2023 mandates that personal data can only be processed after obtaining clear and informed consent from the data principal, necessitating software solutions to incorporate robust mechanisms for capturing, managing and verifying this consent in compliance with Section 6 of the Act. The Act also allows for certain legitimate uses of personal data without explicit consent, such as during medical emergencies or public health threats, requiring software to identify and categorize data processing activities while maintaining transparency effectively. Organizations that get categorized as Significant Data Fiduciaries, must conduct Data Protection Impact Assessments (DPIAs) to evaluate risks associated with data processing and software should facilitate these assessments and help implement necessary safeguards. Furthermore, the Act emphasizes adequate security measures to protect personal health data from breaches, necessitating strong encryption, access controls, and regular security audits within software solutions. Lastly, clear communication about how personal health data will be used is essential; the software should provide user-friendly privacy notices in simple language and/or in the 22 languages mentioned in the Eighth Schedule of the Constitution, ensuring users understand their rights under the DPDP Act.

QUESTIONS FOR ASSESSING SOFTWARE FIT FOR PURPOSE
The questions organizations should consider when assessing whether their software solutions are “fit for purpose” under the DPDP Act regarding personal health data management are:

1. ROBUST CONSENT MANAGEMENT:1.1. Does our software have mechanisms in place to facilitate clear and informed consent processes from patients?
   1.2. How does the software ensure that consent is obtained and documented appropriately?
   1.3. Is there a mechanism in our software that allows the patient to easily withdraw their consent should there be a need- in order to comply with the Act?
2. USER RIGHTS MANAGEMENT:
   2.1. Does the software provide functionalities that allow patients to easily access, correct, or delete their health data?
   2.2. How user-friendly are these functionalities for users/patients?
   2.3. Does our software allow a patient/user’s nominee to access in case of a user exercising their right to nominate?
3. DATA SECURITY FEATURES:
   3.1. What security protocols does our software include to protect personal health data (e.g., encryption, access controls, Pseudonymization)?
   3.2. Are there regular security audits conducted to assess the effectiveness of these protocols?
4. COMPLIANCE TRACKING:
   4.1. Does our software incorporate features that help track compliance with the DPDP Act’s requirements?
   4.2. How frequently is compliance monitored and reported within the software?
5. INTEROPERABILITY:
   5.1. Can our software integrate seamlessly with existing systems used within the organization while maintaining compliance with privacy standards?
   5.2. What measures are in place to ensure that data sharing between systems adheres to the DPDP Act?

Conclusion

For digital health software to align with the DPDP Act, companies must establish a solid legal basis for data processing and secure explicit consent from users, particularly when handling sensitive health information. Transparency in data processing activities, clear privacy notices and user-friendly consent mechanisms are crucial elements in achieving compliance. Challenges may arise in effectively communicating privacy information to users, especially with wearables and applications constrained by limited screen space. Exploring alternative methods such as accessible online privacy notices and comprehensive privacy policies can help address these challenges. In this dynamic landscape where innovation and regulation intersect, evaluating the readiness of digital health software to meet the requirements of the DPDP Act is imperative. By proactively addressing compliance challenges and embracing privacy-enhancing practices, technology providers can ensure that their software is indeed “fit” for purpose in the realm of digital health.

Khushbu jain is a practicing advocate in the Supreme Court and founding partner of the law firm, Ark Legal and assisted by Arushi Guha, Associate at Ark Legal.