The Information Technology Act 2000 which was substantially amended in 2008 (ITA2008) and presently under another revision, was enacted as a “Special Act” that was applicable to “Electronic Documents”. In view of the international obligations, only the IPR regulations like the Copyright Act was kept as an overriding provision in case of any conflict. Otherwise wherever an “electronic Document” was a subject matter of law, ITA 2008 was considered as the final law to resolve conflicts if any.
ITA 2000/8 was generous to extend its provisions to every other law and did not negate any law since Section 4 simply stated that “Wherever any law requires a document to be in writing, it can be rendered in electronic form”. Similarly, Section 5 extended the validity of a “Signature” by stating that “Wherever any law requires a document to be signed, the requirement can be fulfilled in the form of digital signature as defined under section 3 (later extended to electronic signature defined under section 3A)”
The ITA 2008 made many provisions under “Data Protection” which indirectly provided protection to “Privacy” though there was no other legislation providing privacy protection in India. There were civil and criminal remedies and the Adjudication proceedings to render justice. By defining “Health Information” as “Sensitive personal Information”, it was also prescribed that there had to be “Reasonable Security Practices” to protect the Confidentiality, Integrity and Availability of such information when Body Corporates handled the same. Under the concept of “Due Diligence” under Section 79, all the known best principles of Privacy protection used in International practice were made part of ITA 2008.
Now therefore when HDPSA is enacted with the specific provisions that are meant to protect the privacy and security of health information there could be several overlapping provisions between HDPSA and ITA 2008.
Ensuring that the conflicts are avoided not only in the provisions but in enforcement would be one of the prime considerations of the new law makers who draft HDPSA.
For example, “Hospitals or Health Care Providers” under HDPSA may be considered as “Body Corporates under Section 43A of ITA 2008” if they are companies. But if they are “Trusts” or a medical practitioner who is not an “association of individuals”, there could be a debate on whether it falls under the explanation of Section 43A which states
“body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”
On the other hand, whether any of the covered entities under HDPSA are considered “Intermediaries” would also be debated.
Another point of debate would be while ITA 2000/8 is restricted to electronic documents, will HDPSA be available for protecting privacy when data is breached in non electronic form?… Will the security cover physical security of privacy documents in paper or voice form?
There will also be a debate…When things go wrong, is there a remedy under HDPSA with its own adjudicator or is the remedy under ITA 2000/8 with the adjudicators appointed under Section 46 of ITA 2000/8?
It is therefore necessary to understand the possible areas of conflict and steer clear of them at the drafting stage itself.
Hope the ministries will take necessary steps