Data PrivacyUse Of AI & Data Privacy Implications in Healthcare Sector – Part II

INTRODUCTION

Building on the foundation of Part I of the analysis, which explored and scrutinised the AI application in healthcare and biomedical research, and the data privacy guidelines regulating health-related data, this article will delve into and analyse the mechanism of review procedure and informed consent for the use of stakeholder’s data in the healthcare and biomedical research segment.

The apex authority for biomedical research in India, the Indian Council of Medical Research (hereinafter referred to as “ICMR”), has put forth a comprehensive set of guidelines titled the “Ethical Guidelines for Application of Artificial Intelligence in Biomedical Research and Healthcare” (hereinafter referred to as the “Guidelines”). The Guidelines are drafted and designed in order to address the contemporary and evolving ethical challenges associated with the application of Artificial Intelligence (hereinafter referred to as the “AI”) in the healthcare regime.

These Guidelines are released by the ICMR with the aim and objective to ensure responsible as well as transparent use of data of patients and other participants. It provides a comprehensive framework for ethical decision-making during development as well as the adoption of AI-based solutions in both healthcare and medical-based research settings.

As per the Guidelines, any organization which uses or employs AI while conducting research or maintaining data of the patients becomes obligated to carry out a risk-based assessment. The assessment is done with the aim to recognize, evaluate, and analyse the potential harms arising out of the use of AI. The hospitals and other medical research centres must establish a transparent framework and impart knowledge as to how AI contributes to the biomedical regime and impacts decisions.

Moreover, the Guidelines also provide that informed and explicit consent must be obtained from the patients and participants for further use of their health data and thorough impact assessments should be undertaken to understand the broader consequences of AI deployment. The ICMR, through the Guidelines, put forth all these measures with the aim and objective of protecting the rights and consequently promoting ethical practices in AI-driven biomedical research and healthcare applications

ETHICS COMMITTEE AND MEDICAL AI

The Guidelines provide for the set-up of an Ethics Committee (hereinafter referred to as “EC”) to maintain ethics and conduct ethical review procedures. The primary aim and responsibility of the EC is to ensure that health and biomedical research maintains both scientific integrity as well as ethical standards.

The EC must thoroughly and scrupulously assess every research proposal by verifying the credibility of the data in order to weigh and understand the potential risks and benefits for the participants and other stakeholders, thereby ensuring its safety and protection against piracy or breach. Additionally, the identification of potential data leaks and taking welfare measures for the participants is marked as one of their major duties.

The Guidelines are progressive to mandate the members of EC to receive regular training in the emerging technologies so as to effectively discharge their duties and keep up with the rapid technological advancements. The periodic training of the members ensures that they are sufficiently informed to evaluate AI-driven biomedical research proposals. Additionally, the responsibility of the EC is to provide recommendations to minimise the risks and formulate a balanced decision which is both ethical as well as research-friendly in nature.

CONSENT SYSTEM IN THE GUIDELINES

Any biomedical research that involves both humans as well as their personal data is mandatory and obligatory for the researcher or research organisation to obtain informed consent in written form from every participant and stakeholders. This requirement is grounded in the ethical principle, that every individual has the right to be informed about each and every perspective of research and thereafter make a voluntary decision whether to participate.

The notion of informed consent is not merely a formality under the Guidelines, but rather it is a comprehensive procedure. The informed consent process involves three essential components which are listed as follow:

• Imparting all information to the participant.
• To ensure that the participant is capable of understanding the information
• To confirm that the decision of the participant is voluntarily in nature and not due to any kind of coercion.

The document for the consent must clearly and properly state all the information about the research, how the data could be used, and that the participation of the individual is of a voluntary nature in the biomedical research. The Guidelines under the Informed Consent Section put forth that, the consent of the individuals must be obtained freely without any means of threats and coercion. Moreover, if the participant of the biomedical research is not competent under the eyes of law to give consent, then a legally authorized person will have to give consent on their behalf. Furthermore, the informed consent document should include a clear explanation of the potential consequences if a breach of privacy were to occur.

In addition to these, it is also vital to mention that currently, in India, the Digital Personal Data Protection Act of 2023 (hereinafter referred to as the “DPDPA”), as well as the Draft Digital Personal Data Protection Rules of 2025 (hereinafter referred to as the “Rules”), provides for the informed consent mechanisms. In DPDPA and the Rules, consent is one of the most vital aspects. Section 6 of the DPDPA provides for the consent, and it says that the consent must be informed, specific, unconditional as well as unambiguous in nature.

This section can be observed as a principal pathway for processing the data of data principals. Apart from this, the DPDPA also provides for the consent by a legally recognized person for those who are disabled or incapable of giving their own consent. Therefore, it depicts that, the DPDPA as well as the Rules, both have a systematic framework for consent management and the system of informed consent under the Guidelines is also similar to them.

The Guidelines by the ICMR put forth the various responsibilities of the researcher while conducting biomedical research. The responsibilities are as follows:

• Researcher have the duty to inform participants about available alternatives along with associates risks and benefits.
• Researchers must confirm that participants understand the information and process should be documented properly and effectively.
• Researchers have the obligation to inform the possibility of errors at each stage of the AI procedure and the risks involved.
• Standard consent procedure has to be followed along with proper documentation and other related procedures.
• In exceptional cases, where there is minimal risk, the researcher can apply to the EC for a waiver of consent.

GOVERNANCE IN AI HEALTHCARE RESEARCH

AI is rapidly transforming the landscape of healthcare and biomedical research around the globe through enabling accurate diagnostics, improved outcomes and detailed research. From predictive analysis to accurate outcomes, AI powered methods are becoming integral part of the system. However, alongside all these benefits, there are some intricate legal and ethical challenges which need a comprehensive framework and proper governance.

As defined by the International Medical Device Regulators Forum (“IMDRF”), Software as a Medical Device (“SaMD”) is a software intended for one or more medical purposes that performs those purposes without being part of a hardware medical device. It offers a transformative potential to improve the outcomes, but at the same moment it also poses a significant regulatory challenge. Globally, the governing rules and legislations for these technologies are still in the nascent stage, even in various advanced regions like the European Union and the United States.

The European Commission’s Artificial Intelligence Act that aims to establish the first legal framework to ensure safety, along with protecting fundamental rights, while endorsing innovation and investment across the EU. In India panorama, similar strides have been made through initiatives like the National Health Policy of 2017, and the National Digital Health Blueprint of 2019. These frameworks emphasise the formation of e-health records and ethical data management of the same.

In addition to all these measures, the Digital Information Security in Healthcare Act of 2018 made an attempt to ensure privacy and confidentiality while handling e-health data. Last but not least, the Medical Device Rules of 2017, which were further amended in 2020 have expanded the scope of medical device, as it includes software which is intended for medical purposes.

AMLEGALS REMARKS

As observed in Part I, it is of utmost importance in the contemporary world because the technology is constantly evolving. The ICMR released the Guidelines with the aim and objective of maintaining ethics while conducting research, handling data of participants or transferring data of patients under treatment. The Guidelines also provided a proper system for obtaining consent and for its management.

In addition, the DPDPA, along with its corresponding Rules, establishes a robust framework for consent management and emphasizes the importance of informed consent. The ICMR Guidelines align with this framework by outlining clear procedures to safeguard personal data, ensuring that data principals are adequately informed about how their data will be used. The Guidelines also set out strategies for responding to data breaches, thereby reinforcing the principles of transparency, accountability, and data protection in biomedical research and healthcare settings.

– Team AMLEGALS assisted by Mr. Aditya Raj Pandey (Intern)

For any further queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com