News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to update your processes to be compliant with India's privacy bill Related reading: Municipal workers in India protest GPS watch surveillance

rss_feed

""

A large number of tourists visit India to get access to the wide array of health care services due to affordable prices, large number of highly skilled medical professionals, world-class infrastructure, quality and cost-effective treatments, ease of communication and travel, limited waiting time, and medical technology that is on par with the global industry standards.

Services opted for by the tourists range from basic elective procedures to complex specialized surgeries. With the steps taken by the Ministry of Tourism to promote India as a medical and health tourism destination and the introduction of the "e-Medical Visa," which enable travelers of 166 countries to visit India for medical treatments, it is expected that the number of tourists visiting India for health care services will constantly increase each year.

India’s draft Personal Data Protection Bill emphasizes the core requirement of protecting the personal data of data principal. Among other significant provisions, the PDPB proposes substantial penalty for violation of the stated requirements of INR 5 Cr (about USD 1 million) to INR 15 Cr (about USD 3 million) or 2 to 4% of its total worldwide turnover of the preceding financial year, whichever is higher. Such provisions, along with a heightened focus on collection and use of personal data, will require organizations (referred to in the bill as data fiduciary and data processor) to revisit their processes and operations and establish a robust privacy and data protection framework.

With the requirements of multiple privacy regulations, health care laws and increasing use of technology in medical devices and service delivery, the use of mobile apps and aggregator platforms to access health care services, the awareness of privacy and data protection in the health care industry becomes more and more pertinent. Although health care organizations are now starting to adopt best practices with privacy and data protection in their service delivery and device interfaces, major improvements are still needed at an operational level.

Key issues faced by health care organizations with regard to privacy and data protection and practices adopted by organizations are as follows:

Segregation and treatment of data received from multiple sources, including internet-of-things-enabled devices

  • Information footprinting: Organizations are now tracking data to identify and understand where personal data lies at all times. To support this, data discovery exercises (manual- and tool-based) are being conducted. The mapping of data helps determine the lifecycle of data, security controls, associated devices through which the data is generated, level of access to be provided to staff (doctors, nurses, contractual staff, etcetera) and sharing of information outside the organization so that the right information is accessed by the right stakeholders. Additionally, identifiers are being added to datasets to identify the source of the data, the associated consent provided, the validity of consent and also the region of origin of the user.
  • Asset management controls: Organizations have started taking into consideration key privacy and security factors that can embed privacy by design in existing and planned systems, for example, identifying privacy and security checks before a new IoT device is purchased, security configurations around data stored or held by the device, retention periods of the data stored on the device, etcetera.
  • Privacy and data protection trainings and awareness sessions: Health care organizations have started conducting role-based privacy trainings to make the staff (doctors, nurses, contractual staff, etcetera) aware of the risk associated with mishandling and misuse of data.
  • Security controls: Health care organizations now provide local access or access via multifactor authentication for patient records and reports. Mobile access to patient records and health care systems is restricted and enabled only for devices with appropriate security certificates installed.
  • Handling data of family members: In cases where a family member of one of the health care professionals is being treated, organizations monitor access to ensure that the health care professionals are not accessing records of family members unless authorized by them to do so.

Encrypting electronic medical records in a network of connected medical devices and applications

Several standards and regulations recommend encryption among other data security efforts to reduce the risk of a cyberattack; however, every organization follows its own approach to encryption based on maturity, applicable regulatory requirements and risk appetite. Some health care organizations do not encrypt data at rest as it may lead to issues in the performance of connected medical devices and other health care applications. It may also pose issues as the numerous devices and applications may have different encryption capabilities that may not necessarily be compatible with each other. Given the requirements for data access, organizations have also adopted models wherein the main devices and applications keep the data being processed currently, and once the patient is discharged, the relevant data is transferred to a more secure environment/server, and the original source is removed. For other organizations, encrypting data at rest and in transit is a common best practice that is done quite efficiently when a proper public key infrastructure is in place enabling combinations of symmetric encryption and hashing to efficiently encrypt data. Organizations that follow encryption of data at rest, adopt the practice of encryption at multiple levels based on the data being handled to decrease the impact on the performance of the systems, such as table-level encryption, field-level encryption, etcetera.

Blockchain is also being considered as a potential solution to ensure patient data confidentiality, but it has not been implemented by organizations yet.

Handling data and communication via Whatsapp

While regulatory requirements may not allow the use of WhatsApp or may term the communication as one with insufficient safeguards, it is still being used by health care professionals and patients to interact with one another, share documents and advice. Organizations that have discouraged the use of WhatsApp have enabled communication via chat applications, hospital portals or web forms that adhere to the requirements of applicable privacy laws.

Organizations that have accepted the use of WhatsApp have prepared organizational WhatsApp usage policies and guidelines to inform health care professionals of their responsibilities toward the usage of WhatsApp for communication and handling of the associated data. These policies and guidelines usually include practices such as:

  • On receipt of requests or information, inform the patient of the commitment to privacy of patient data, potential risks of using unsecure channels or modes of communication and other appropriate communication channels. Delete or archive the message once the patient has sent the request through the appropriate channel.
  • Interact with the patient, respond to the query on WhatsApp, upload necessary details as a part of the central patient record or print a copy of the communication and add it to the patient file, delete or archive the original information. In some cases, organizations allow communication only via organization-owned devices.

Managing risks on using personal data for business intelligence and analysis

Organizations use BI tools for analysis and management reporting of patient data. Reports include trends of users and customers in the past few months, services most and least sought by users, etcetera. Organizations deal with privacy and data protection risks in the use of BI tools and associated analysis in the following ways:

  • Documenting the personal data used by the BI tool for the analysis, the purpose of the analysis and making the patients aware of the same.
  • Pseudonymizing or anonymizing patient data.
  • Ensuring that secondary databases created for use or for references are aligned with the original purpose of the analysis.
  • Identifying access levels and associated controls to restrict access and BI and analysis to a specific group.
  • Identifying controls for retention of data.
  • Limiting the involvement of third parties unless absolutely necessary.
  • Frequent monitoring of data being processed and related accesses.
  • Enabling built-in encryption on tools and configuring the access per user role so that visualizations, worksheets, etcetera, can be encrypted/decrypted at the client side.

Managing the personal health data of VIPs and celebrities 

Organizations that service VIPs and celebrities have to consider an additional layer of security and privacy specifically for such personal data. The first task carried out is to restrict access to such patient records by assigning permissions. Thereafter, an automated workflow is initiated wherein notifications are provided to the privacy team every time the file is requested/accessed/updated. This can also be configured via the existing security, incident and event management or user and entity behavior analytics tools. Security information and event management use predefined rules to determine if certain scenarios are met and raise an issue as per the configured rules. User behavior analytics, on the other hand, are able to monitor peer groups and compare the behavior and deviation between the behavior from a specific user and their peers.

In cases in which the automated workflow is not initiated, organizations perform an audit of the accesses to medical records of VIPs and celebrities to identify unauthorized access. In such instances, the data protection officer is informed without delay and the unauthorized accesses are dealt via the organization disciplinary process.

Some health care organizations use separate servers or modules and require multifactor authentication to provide access to records of VIPs and celebrities.

Since the health care industry process high volumes of personal and sensitive personal data, they may be identified as significant data fiduciaries that will impose more obligations on them. As the health care ecosystem is very large and involves multiple stakeholders, it would be useful for organizations to perform readiness assessments and identify the best practices that can be adopted to ensure timely readiness as per the requirements of the bill.

Photo by Srikanth D on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Ambika Bahadur, CIPP/E, CIPM, FIP IAPP Member Contributor
Tags
Middle East
Privacy Law
Privacy Operations Management
Security Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
Credit card details breached in Southeast Asia
Details from credit cards issued by banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand have been leaked online, the South China Morning Post reports. India-based cybersecurity startup Technisanct found the breaches and notified the Computer Emergency Response Team in each...
Read More queue Save This
Roundup: EU, India, Romania, South Korea, US and more
In this week’s Privacy Tracker global legislative roundup, IAPP Legal Research Fellow Cathy Cosgrove dissects a new federal U.S. privacy law proposal. Fomer IAPP Legal Extern Darya Balybina, CIPP/E, CIPP/US, brings clarity to data protection impact assessments under the EU General Data Protection Re...
Read More queue Save This
Op-ed: Where India's adequacy status may stack up
When the EU General Data Protection Regulation was first introduced in 2016, 12 countries were deemed adequate by the European Commission. In 2019, a new draft of the Indian data protection framework was announced and has been referred to the Joint Parliamentary Committee for further action. “It’s h...
Read More queue Save This
Related Stories
Tags
Middle East
Privacy Law
Privacy Operations Management
Security Operations Management
Recent Comments