“Uncovering the CoWIN Breach: Why India’s Health Data is Vulnerable to Cyber Attacks”

## Draft Data Protection Bill, 2021: Definition of Health Data Removed from Current Version

The draft Data Protection Bill, 2021, defined health data as “…the data related to the state of physical or mental health of the data principal and includes records regarding the past, present or future state of the health of such data principal, data collected in the course of registration for, or provision of health services, data associated with the data principal to the provision of specific health services.” However, this definition as well as the definition of sensitive personal data was removed from the current version of the Bill (Digital Personal Data Protection Bill, 2022).

### The Threats of Leaked Health Data

The threats posed by a leak of this data are not limited to spam messages, fraud and impersonation. They also include companies that get hold of this coveted data to gather insights and train their systems and algorithms, without needing to seek anyone's consent and without facing consequences for the harm caused.

### Notification and Penalties

While the current version of the draft DPDP Bill states that the data fiduciary shall notify the data principal of any breach, the draft Bill also states that the Data Protection Board “may” direct the data fiduciary to adopt measures that remedy the breach or mitigate harm caused to the data principal. The Bill also prescribes penalties of up to Rs 250 crore if the data fiduciary fails to take reasonable security safeguards to prevent a personal data breach, and a penalty of up to Rs 200 crore if the fiduciary fails to notify the Data Protection Board and the data principal of such a breach.

### Implications of the Removal of Sensitive Personal Data

While these steps, if implemented through legislation, would make organizations processing data take their data security more seriously, the removal of sensitive personal data from the Bill's definitions would mean that data fiduciaries processing health data will not have to take any steps beyond reasonable security safeguards. The absence of a clear indication of what those security standards are will affect both data principals and data fiduciaries.

In conclusion, the removal of the definition of health data from the current version of the Digital Personal Data Protection Bill, 2022, has raised concerns about the security of health data and the implications for data principals and fiduciaries. The need for clear security standards and penalties for breaches is crucial to ensure the protection of personal data.
