In discussions on “Privacy” we often debate how can the service provider use my data for purposes which are commercially beneficial to him but I am neither aware nor benefiting from such usage.
In India “Click Wrap” contract through an “I Accept button” is not recognized in law and hence all such consents only become “Deemed consent” which is “Voidable” at the option of the customer at least as to some fine print clauses of the standard contract.
Under these circumstances, if the data user had over stepped the consent terms and used the data for commercial exploitation, the data owner normally could only grumble without a proper legal remedy.
It appears that now there is a new door being opened in the Privacy legislation in India applicable to “Health information” which is also a “Sensitive Personal Information” under ITA 2008.
The recently amended EHR guidelines released by the Ministry of Health and Family Welfare which is a pre-cursor to the Health Care Data Privacy and Security Act make a categorical statement that
- The contained data which are the sensitive personal data of the patient is owned by the patient.
- The medium of storage or transmission of such electronic medical record will be owned by the healthcare provider.
- The physical or electronic records, which are generated by the healthcare provider, are held in trust by them on behalf of the patient
This provision actually lends substantial strength to the “Consent” by not only making it a part of a Contract under the Indian Contracts Act but also introduces the element of possibility of “Breach of Trust” if the data user uses the data other than as provided for in the consent.
Though the EHR does recognize the national interests in denying some privacy rights (which we shall discuss in a subsequent article), the use of the term “Data is owned by the patient” makes a strong case for legal interpretation of “Data” as “Property” and all the rights associated with it including the right of the data owner to place a price on it. If the data user makes any substantial profit out of aggregation of individual data, it would therefore be reasonable to expect that part of the commercial benefit arising thereof should go to the data owner.
This concept though laid out specifically in the case of health data, should be extendable to all types of data including financial data.
It would require some time for understanding the full implications of this concept in the era of data analytics and data aggregation over IoT devices and a multitude of platforms.