The report by a German cybersecurity firm that medical details of millions of Indian patients were leaked and are freely available on the Internet is worrying. The firm listed 1.02 million studies of Indian patients and 121 million medical images, including CT scans, MRIs and even photos of the patients, as being available. Such information has the potential to be mined for deeper data analysis and for creating profiles that could be used for social engineering, phishing and online identity theft, among other practices that thrive on the availability of such data on the Darknet — restricted computer networks which exchange information using means such as peer-to-peer file sharing. The reason for the availability of this data is the absence of any security on the Picture Archiving and Communication System (PACS) servers used by medical professionals, which seem to have been connected to the public Internet without protection. Public data leaks have been quite common in India — from government websites enabling the download of Aadhaar numbers to electoral rolls being downloaded in bulk, among others. Unlike the data protection regulations in place in the European Union and in the U.S., India still lacks a comprehensive legal framework to protect data privacy. The Draft Personal Data Protection Bill 2019 is still to be tabled but could enable protection of privacy.
The draft Bill follows up on the provisions submitted by a committee of experts chaired by Justice B.N. Srikrishna to the Ministry of Electronics and Information Technology in 2018. The committee sought to codify the relationship between individuals and firms/state institutions as one between “data principals” (whose information is collected) and “data fiduciaries” (those processing the data) so that privacy is safeguarded by design. While the 2019 version of the Bill seeks to retain the intent and many of the recommendations of the Justice Srikrishna committee, it has also diluted a few provisions. For example, while the Bill tasks the fiduciary with seeking consent from the principal that is free, informed, specific and clear (and that can be withdrawn later), it has removed the proviso from the 2018 version of the Bill that said selling or transferring sensitive personal data by the fiduciary to a third party is an offence. There are other substantive issues with the Bill pertaining to the situations in which state institutions are granted exemption from seeking consent from principals to process or obtain their information. Yet, considering the manner in which public data are being stored and used by both the state and private entities, a comprehensive Data Protection Act is the need of the hour.