THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023, AND SENSITIVE PERSONAL DATA: A FOCUS ON HEALTH AND GENETIC INFORMATION

Published on: 10th December 2025

Authored by: Monika Meena
University Five Year Law College, Jaipur, Rajasthan

1. ABSTRACT: –

In today’s digital era, where individuals share personal information, that information carries a higher risk of being misused by the receiver or by any third party. Rising cases of cybercrime are also leading to the misuse of a person’s digital personal data, which may include sensitive genetic or health-related data. That is why the protection of digital personal data is required in many ways to protect the data privacy of individuals. In India, the Digital Personal Data Protection (DPDP) Act, 2023, is considered India’s first comprehensive data privacy law. It is intended to establish a legal framework for Government and business bodies on how to operate with the digital personal data of individuals. Section 2(t) of the Act gives the definition of Personal Data, but no specification is provided about which factors are considered personal data under that definition, including whether health and genetic information is covered. As a result, there are many interpretations of what is considered sensitive personal data, and of whether it includes health and genetic information. As the Act only defines Personal Data, we have to know how it covers genetic and health-related personal data as sensitive personal data, and how such data can be protected within this Act through the duties imposed on a Data Fiduciary that processes such data. We also have to know to what scope it is applicable, and why such data still does not get the required protection under the provisions of this Act in certain specific circumstances, whether because of conditions the Data Fiduciary must follow or because of the Data Fiduciary’s own fault.
In this Article, we will examine what is meant by Sensitive Personal Data; the interpretation given in various court judgments relating to it; the obligations and rights of the Data Fiduciary and the Data Principal while transferring sensitive personal data; the Constitutional dimensions related to it in India; and the challenges and concerns regarding the protection of sensitive personal data under the DPDP Act, 2023.

2. INTRODUCTION: –

With rising concerns about the misuse of Digital Personal Data, making a law for the protection of an individual’s data has become a basic requirement to protect their Personal Data Privacy. In India, the governance of Sensitive Personal Data under the earlier regime of the ‘Information Technology Act, 2000’ and the ‘SPDI Rules, 2011’ has been replaced by the Digital Personal Data Protection (DPDP) Act, 2023. The DPDP Act, 2023, does not define “Sensitive Personal Data” or provide a category for it separate from personal data; instead, it defines Personal Data under Section 2(t) of the Act as “any data about an individual who is identifiable by or in relation to such data”. However, this definition is not enough to clarify what is “General Personal Information” and what is “Sensitive Personal Information” given by an individual (the ‘Data Principal’) to a receiver (the ‘Data Fiduciary’). The rights and duties of the parties with respect to personal information are described in Sections 4 to 10 of the Act. In many court interpretations, genetic and health-related data is included as the Sensitive Personal Data of an individual, and protection for it is provided under the laws applicable to it.

3. OBLIGATIONS OF A DATA FIDUCIARY WHILE HANDLING SENSITIVE HEALTH AND GENETIC DATA UNDER THE DPDP ACT, 2023: –

According to the Digital Personal Data Protection Act (DPDP Act), 2023, the obligations of a Data Fiduciary, which apply to any organisation that uses the Personal Data of a person in any manner, are discussed in Part II of the Act. The Act does not specifically address data relating to sensitive health and genetic information; rather, it addresses all kinds of sensitive data, which includes this type of information as well. According to this Part of the DPDP Act, 2023, these are the obligations of a Data Fiduciary while handling sensitive health and genetic data: –
1. Processing the Personal Data only for ‘Lawful Purposes’: – Section 4 of the Act sets out this obligation of the Data Fiduciary. A Lawful Purpose is any purpose which is not directly or indirectly forbidden by law, and processing must take place with the consent of the Data Principal or for certain legitimate uses. For example, the Personal Data of a person cannot be used to defame them publicly.
2. Notice for obtaining consent from the Data Principal for data uses: – Section 5 of the Act provides that the Data Fiduciary should give a Notice to the Data Principal before making any use of the data provided by that person, and proceed only with the person’s consent. The Notice should also prescribe the manner in which a Data Principal can make a complaint to the Board. For example, while opening a bank account, a Data Principal who is required to give their personal information under the know-your-customer policy shall be provided with a notice describing the personal data and the purpose of its processing.
3. Use the data only within the consent of the Data Principal: – Section 6 of the Act provides that the Data Fiduciary should obtain the consent of the Data Principal before making any use of the data and proceed only after having the Data Principal’s approval. In this way, having consent from the Data Principal is mandatory for the Data Fiduciary. For example, if an app X obtains consent from Y to provide him XYZ services and to access Y’s mobile phone contact list, then X’s access to that personal data shall be limited to providing the XYZ services to Y.
4. Only make legitimate uses of the data: – Section 7 of the Act provides that the Data Fiduciary shall ensure only legitimate uses of the data within the consent of the Data Principal. For example, the personal data of the Data Principal shall not be used to murder them.

5. General obligations: – According to Section 8 of the Act, all the terms and conditions prescribed by this Act shall apply to the Data Fiduciary while processing the Personal Data of the Data Principal. The Data Fiduciary shall ensure a well-mechanised process while processing the data, so as to protect the data from any leakage or misuse. In the event of leakage or misuse of data, the Data Fiduciary should inform the Board and provide the required help to the Data Principal in every manner. For example, after the purpose behind the transfer of personal data has been fulfilled, no other extra uses can be made of it by the Data Fiduciary; and if the data of the Data Principal is being misused by a third party, then the Data Fiduciary shall inform the Board and ensure that the Data Principal is helped and a solution found to protect them.
6. Obtain consent from the parent before processing the personal data of a child or a person with disability: – Section 9 of the Act provides that, for processing the Personal Data of a child or a person with disability, the Data Fiduciary shall obtain the consent of their parent or of their lawful guardian, as applicable in the circumstances.
7. Additional obligations of the Significant Data Fiduciary: – According to Section 10 of the Act, the Government shall prescribe the additional obligations of a Significant Data Fiduciary relating to the security of the nation, maintaining peace and order, military support, etc.; a Data Protection Officer shall be appointed by the Government for this purpose, and a Data Auditor shall be appointed to audit such data.

4. CONSTITUTIONAL DIMENSIONS:

Articles 21 and 14 of the Constitution of India, in Part III, deal with the fundamental rights of a person relating to the Right to Life and the Right to Equality. Article 21 of the Indian Constitution deals with the Right to Life and Personal Liberty of a person, which includes the right to live with various liberties and freedoms, including the Right to Privacy in personal matters. This Article guarantees the Right to Privacy, including the sensitive personal information of a patient relating to health records, genetic information, and biometric data, and it restrains any misuse of this kind of data belonging to a Data Principal or patient.
Case Law: – K.S. Puttaswamy v. Union of India (2017) 10 SCC 1: – In this landmark case, the Hon’ble Supreme Court held that the Right to Life and Personal Liberty under Article 21 of the Indian Constitution also includes the Right to Privacy in sensitive information and data relating to health, genetic information, and biometric data. Rao v. Rustom (2015): – In this case, the court addressed the confidentiality of medical reports and ordered health providers to keep patients’ information confidential, including genetic reports. In this case, protection against the misuse of genetic or health-related data was held to be covered by Article 21 of the Indian Constitution. Article 14 of the Indian Constitution deals with the Right to Equality before the law and equal protection of the laws, which covers various kinds of equality regarding a person. Misuse of health or genetic data can lead to various kinds of inequality relating to employment and insurance, including social stigma as well. In this way, Article 14 of the Indian Constitution also restrains the misuse of any genetic or health-related data, by restraining inequalities that breach the fundamental rights of a person in any manner. Thus, Articles 21 and 14 of the Indian Constitution restrain any misuse of health or genetic data in various ways, and any large-scale misuse of genetic/health data can be challenged as a violation of the Right to Privacy (Art. 21) and the Right to Equality (Art. 14).

5. SCOPE FOR A CONSTITUTIONAL TORT REMEDY AGAINST PRIVATE CORPORATIONS FOR HEALTH-DATA MISUSE: –

A Constitutional Tort is a remedy, in the form of compensation, provided on a breach of Fundamental Rights by the State, and it is applicable against the State. Traditionally, it is applicable only to public institutions. However, the principle of Vicarious Liability holds a principal liable for the acts of its employees during the course of business, which includes a private corporation as well. According to K.S. Puttaswamy v. Union of India (2017), the court held that the Right to Privacy is a Fundamental Right which includes any sensitive information or data relating to health, genetic information, and biometric data, thereby placing restrictions on the misuse of health data. In this way, since it is a fundamental right, any misuse of health data can lead to a Constitutional Tort remedy against private corporations, by applying it in the same manner as against the State.

6. CHALLENGES AND CONCERNS: –

1. No clarification about “Sensitive Personal Data”: – The Digital Personal Data Protection Act, 2023, does not provide a clear definition and categorisation of sensitive personal data, including genetic and health data.
2. Risk of discrimination: – A Data Principal can face discrimination in the workplace or in society based on the misuse of their Sensitive Personal Data, and can become a victim of social stigmatisation.
3. Broad grounds for processing without consent: – For the benefit of the public or for safeguarding the interests of a large community of people, the data of a Data Principal can be processed without their consent.
4. Cross-border transfers: – Under Section 16 of the Act, cross-border transfers of data can take place as well.
5. Lack of awareness and informed consent: – A Data Principal who is sharing sensitive data on online platforms sometimes has no awareness of what they are sharing and of its future uses by the receiver.

7. CONCLUSION: –

In this way, the protection provided to Sensitive Personal Data relating to genetic and health-related data under the Digital Personal Data Protection (DPDP) Act, 2023, is established by following the rights and duties of both parties under the Act. The Data Fiduciary should ensure legitimate uses of the Personal Data within the consent of the Data Principal (and, in cases of processing the personal data of a child or a person with disability, should obtain consent from the parent or legal guardian as applicable); in the event of leakage of such data, it should inform the Board and provide the required help to the Data Principal; and it should provide the Data Principal with information for filing a complaint with the Board in the event of unauthorised use of the data while handling sensitive health and genetic data under the DPDP Act, 2023. There are also some drawbacks in the Act in establishing proper protection for Sensitive Personal Data, which need to be improved.
