ABSTRACT India’s Digital Personal Data Protection (DPDP) Act 2023 was enacted against the background of an evolving digital data environment, global changes in digital governance, and the recognition of the Right to Privacy as a fundamental right by the Supreme Court. The DPDP Act is an umbrella legislation for all forms of digital personal data, including healthcare data. Mental health establishments (MHEs), by collecting sensitive healthcare data, fall within the ambit of this law. Key provisions of the Act include informed consent, stringent norms for data privacy, processing and localization, and a rights-based approach to correcting and erasing digital personal data. The Draft DPDP Rules (January 2025) provide operational guidelines for implementation. The Act and the Rules attempt to provide clear definitions and operational guidelines. However, certain ambiguities remain that will hopefully be clarified in due time through the legislative process. The Act emphasizes patient autonomy and mandates that consent be free, informed, unambiguous, specific, revocable, and recorded through interoperable platforms maintained by Board-registered Consent Managers. The Act clarifies the legitimate purposes of data processing, including public interest. Data Fiduciaries like MHEs have heightened statutory responsibilities and stringent compliance requirements. Compliance would involve considerable investment in manpower training, upgradation of IT infrastructure, and outsourcing/hiring of consent managers, with a resultant escalation of both capital and operational costs. MHEs are already facing challenges in implementing the MHCA. Implementing and aligning both pieces of legislation can be an uphill task.
Chail et al. studied this question.