Data PrivacyData Privacy in Pharmaceutical Industry in India

February 16, 20220


Data Privacy refers to the protection of personal and sensitive personal data and concerns proper handling of data. It focuses on the rights of a person to choose when, how, and to what extent their personal information is shared with or disclosed to others. This personal information can include a person’s name, address, phone number, and online or offline activities.

The Right to Privacy was effectively recognized as a fundamental right by the Supreme Court in 2017 because it is “intrinsic” to the guarantee of “life and personal liberty” under Article 21 of the Constitution of India, as well as other fundamental freedoms.

The importance of data privacy has increased with the increase in the number of internet users. Few sectors such as the pharmaceutical industry, collect massive amounts of data and processes the same for commercial purposes. Such collection of data in bulk has raised privacy concerns amongst the consumers.

Individuals have been exposed to the danger of identifying as a result of electronic storage of medical information at various phases of data collection and processing. Various apps and platforms may not put enough controls in place to protect the medical data they collect, which could lead to a data breach that threatens user privacy.

Privacy is seen as a fundamental human right in many nations, and data protection regulations exist to defend that right. Individuals must believe that their personal data will be handled with care before they will engage in online activities. Data protection measures are implemented by businesses to show their customers and users that they can be trusted with their personal information.


The ability to automatically interpret data provided by thousands of patients has proven essential to healthcare service providers around the world, from tracking illegitimate medicine prescriptions to measuring the efficacy of different therapies on patients.

In the use of patient data, it has also become critical for healthcare practitioners to ensure patient privacy and data security, especially when the information has stigmatizing implications.

To make data anonymous, the Data Controller must first remove any personal information from the information submitted by the subjects. The use of such de-identified information in combination with other information accessible by the Data Processor should not reveal the identity of the data subject as a second level of security.

Unauthorized use of identifiable personal information is penalized in the United States under Part C of the Health Insurance Portability and Accountability Act, 1996 (HIPAA), which mandates ‘administrative simplicity’ in the health sector.

India currently lacks comprehensive and specific data protection legislation. Some provisions of the Information Technology Act, 2000 (IT Act), as well as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), stipulate the protection of personal information  and sensitive personal data and information .

In recent years, there has been a lot of discussion around data protection. The Personal Data Protection Bill, 2019 (PDP Bill) has been introduced in Parliament and is expected to be enacted in the near future.


The General Data Protection Regulation (GDPR) is the most comprehensive privacy and security legislation in the world. The GDPR imposes obligations on any organisation that targets on or collects data from the users situated in the European Union (EU).  The entities violating the GDPR’s data privacy and security rules face strict penalties, with fines ranging from tens of millions of euros.

The GDPR indicates the hard stance of the EU on Data Privacy and security at a time when more individuals are committing their personal data to cloud services and data breaches are becoming more common.

India is preparing to introduce its first data privacy regulations, with the GDPR serving as a model which might be stumbling block for corporations doing business in India.

The GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”  

In the backdrop of the same, the GDPR imposes an additional responsibility on the healthcare institutions to maintain such data concerning health and other data pertaining to ‘genetic data’ and ‘biometric data’.

Article 9 of the GDPR explicitly states that the processing of data concerning health, among other sorts of data, is prohibited. However, such prohibition shall not be applicable when the Data Subject has given expressed consent to the processing for specific purposes, or the processing is necessary for carrying our any particular obligations or specific rights of the Data Controller or Data Subject or is necessary for public interest, etc.


After conducting research, the Competition Commission of India stated that until the Government introduces the data protection law, necessary rules must be enforced to preserve patient privacy and sensitive personal medical data.

Online pharmacies should develop self-regulatory mechanisms in the areas of data collecting, data usage, data sharing, and data privacy.

The Indian Antitrust Law is broad enough to allow for the assessment of any potential competition harm caused by disproportionate data collection/use by digital organizations with market dominance. In the areas of data collecting, data usage, data sharing, and data privacy, online pharmacies should establish self-regulatory procedures. However, until the data protection law is implemented, necessary restrictions must be implemented to secure patient privacy and protect sensitive personal medical data.

With privacy regulations, healthcare legislation, and the rising use of technology in medical equipment and healthcare services, data privacy and data security are becoming increasingly important in India’s healthcare business. The basic need of securing the personal data of the Data Subject is emphasized in India’s proposed PDP Bill.

Blockchain is also being examined as a possible option for ensuring patient data confidentiality, but it is yet to be deployed by companies. Because the healthcare industry handles such large amounts of personal and sensitive data, it may be designated as a significant Data Fiduciary, requiring them to meet additional requirements. Given the size and complexity of the healthcare ecosystem, it would be beneficial for companies to conduct data privacy impact assessments and identify best practices for ensuring timely readiness in accordance with the criteria led down by the PDP Bill.

-Team AMLEGALS assisted by Mr. Shashank Gupta (Intern)

For any query or feedback, please feel free to connect with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.