Data Privacy Grey Areas (Part IV): Data Protection in Internet of Things (IoT) with reference to the Healthcare Sector

September 22, 2021


One of the most outstanding achievements of the 21st Century in the field of technology is the development of the Internet of Things (“IoT”). At present, there is no standard definition of the term ‘IoT’; however, the ‘Draft Policy on IoT’ released by the Government in 2015 (“Draft Policy”) defines IoT as “a seamless connected network of embedded objects/ devices, with identifiers, in which M2M communication without any human intervention is possible using standard and interoperable communication protocols. – Phones, Tablets and PCs are not included as part of IoT.”

In common parlance, IoT refers to a technology of interconnected devices, machines and systems connected over a network, which possess the unique ability to transfer automated data over such a network of devices without human interaction or intervention. The unique feature of such devices, machines or systems is that they consist of processors, sensors and communication hardware with the ability to collect, send and analyse data over such a network. Due to these capabilities, IoT offers tremendous opportunities across many industries and across varied devices, right from wearable fitness bands to smart self-driving cars.

The data that is collected from various devices, machines and systems through IoT technology can then be used to detect patterns, recommendations, potential problems, etc. According to the Draft Policy, IoT involves three distinct stages:

In the first stage, the sensors affixed to the device, machine or system collect or gather data. In the second stage, the data is transmitted to an application that collects and analyses it for further consolidation. In the third stage, the collected data is transmitted to the decision-making server, where it may be used by Analytical engines and Big Data in the decision-making process.

One of the primary objectives that the Draft Policy on IoT sets out to achieve is to make the IoT industry in India a 15 billion Dollar (USD) industry. As per the Gartner Report, the total revenue generated by the IoT Industry would be 27 billion Dollars globally, where India would assume a share of 5-6% of the Global IoT Industry. The Draft Policy also sought to promote the usage of IoT in a wide range of sectors like agriculture, healthcare, water quality, natural disasters, transportation, security, automobile, supply chain management, smart cities, automated metering and monitoring of utilities, waste management, Oil & Gas, etc. The Digital India Program of the Government also served as a catalyst in the promotion of the IoT Sector by promoting Digital Infrastructure in the Country.


IoT Technology has immense potential in the Healthcare Sector as it offers a number of new opportunities in terms of real time monitoring and tracking of patients and hospital staff. IoT enabled devices like pacemakers, insulin pumps, wearable fitness bands, hearing aids, heart rate patches, etc., which can send and receive information, are apt examples of the application of IoT in the Healthcare Sector.

The application of IoT in the Healthcare Sector can provide various benefits. For example, it can be used for early detection of major or minor health issues of a person by collecting, integrating and analysing the health data of an individual. At a larger level, such technology will help in creating a healthier population, something which can also be used to avoid pandemics.

While the data collected from IoT Devices in the Healthcare Sector has helped in reducing healthcare costs, the use of IoT Devices in the Healthcare Sector has also increased patient safety and accessibility to healthcare services by improving treatment plans, as decisions may be taken on the basis of data collected from health and monitoring devices.


While data collected from IoT Devices unleashes immense potential to transform the Healthcare Sector, there is one major issue that can be foreseen, which is the Security and Privacy of the collected data.

Since health related Data is highly sensitive and confidential, the infringement of such personal data can have serious consequences. Some medical devices operating on IoT are used to keep a person alive or to support vital organs, such as pacemakers; a breach or hacking of such devices can have life or death consequences.

India witnessed a sharp rise in cyber-attacks during the months of March and April in 2020, of which 51% of the attacks were initiated on IoT Devices, which makes data vulnerable to malware and hacking. Furthermore, since the COVID 19 Pandemic has increased the number of people using technology and IoT Devices, there is an urgent need to upgrade the existing cyber security infrastructure and policy in India. The need for the implementation of the Personal Data Protection Bill, 2019 (“PDPB”) is now greater than ever.


In India, the Law governing Data Privacy issues posed by IoT is still at a nascent stage, and there is a lack of a comprehensive legislative framework pertaining to Data Privacy. At present, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), which are notified under the Information Technology Act, 2000 (“IT Act”), govern Data Protection in India.

Apart from that, the Government has framed the Draft PDPB and the Digital Information Security in Healthcare Act (“DISHA”) in an attempt to establish a framework for the protection of Data in India. The IT Act is the Principal Legislation that was enacted with the objective to provide “legal recognition for the transactions carried out by means of electronic data interchange and other means of electronic communication.” The legal provisions governing Data Protection at present in India are enumerated hereunder:

In 2008, an amendment was made to the IT Act by inserting Section 43A. Section 43A of the IT Act imposes a responsibility on all body corporates possessing, dealing with or handling any sensitive personal data or information in a computer resource which they own, control or operate, to maintain and implement reasonable security standards, practices and procedures while dealing with such sensitive personal data, in order to prevent any unauthorised access, damage, impairment, etc. The provision further imposes a civil liability by way of damages upon those body corporates whose negligence in implementing and maintaining such security causes wrongful loss or gain to any person. Furthermore, Section 72A of the IT Act imposes criminal liability amounting to a maximum imprisonment of 3 years, with or without a fine not exceeding five lakh rupees, in case of breach of a lawful contract involving unauthorised disclosure of information.

Pursuant to the enactment of Section 43A of the IT Act, the IT Rules were issued by the Central Government with the aim of establishing a general framework of data protection in India. Rule 3 of the IT Rules for the first time sought to determine the types of data included within the purview of ‘Sensitive Personal Information’ (“SPI”). According to this Rule, SPI includes the following types of personal data: password; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to a body corporate for providing service; and any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise. The Data collected by IoT Devices shall fall under the purview of SPI.

However, as mentioned above, at present the Privacy Laws in India are at a nascent stage. While the IT Act read with the IT Rules does provide some form of Regulation in this regard, it is inadequate, as the primary focus of the IT Act is information security rather than the protection of Data. Therefore, in order to boost the IoT sector while addressing the privacy concerns, India needs comprehensive legislation that governs all aspects of Data Collection and Protection. It is now therefore pertinent to look at the PDPB.


The PDPB was introduced in the Lok Sabha in 2019 and has currently been referred to the Parliamentary Standing Committee. The PDPB is the first of its kind which seeks to safeguard and protect the Personal Data of individuals processed by entities in India, or by entities outside India that process data in connection with a business in India. The PDPB shall have a broader scope for the regulation and protection of Data. The PDPB is drafted along similar lines to the General Data Protection Regulation (“GDPR”) of Europe.

Furthermore, the PDPB also seeks to establish a Data Protection Authority with the aim of protecting the interests of individuals and regulating the misuse of data, by directing entities to conduct data protection impact assessments and by granting permission for cross-border transfer of data.

The PDPB defines ‘Personal Data’ as, “data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;”

The PDPB also seeks to augment the scope of SPI as defined under the IT Rules by including Data relating to Religious or Political Beliefs, Financial Data and Genetic Data. It further enumerates certain rights afforded to individuals, such as:

  1. Right to obtain confirmation regarding the processing of Data
  2. Right to require transfer of Personal Data to another Data Fiduciary
  3. Right to restrict disclosure of Data by Data Fiduciary
  4. Right to seek correction of inaccurate, incomplete or out of date Personal Data

In order to ensure compliance with the aforementioned, the PDPB seeks to establish stringent punishments for non-compliance with the provisions of the PDPB. For example, processing or transferring Personal Data in contravention of the provisions of the PDPB is punishable with a fine of Rs. 15 crores or 4% of the annual turnover of the fiduciary, whichever is higher.

The enactment of the PDPB will therefore aid in making the persons misusing Personal Data accountable for their actions. Thus, the data collected by IoT Devices shall also be regulated under the PDPB.


The draft of DISHA was released by the Government in 2018 and is presently proposed to be tabled before the Parliament. It is one of the first legislations that seeks to provide a framework for Healthcare Security law in India. The purpose of the introduction of DISHA is to standardise and regulate the processes pertaining to the use, collection, storage and transmission of Digital Health Data, in an attempt to maintain the Data Privacy, Security and confidentiality of Digital Health Data, which includes information regarding a person’s mental, physical or physiological conditions, sexual orientation as well as medical records. The draft of DISHA is the counterpart of the Health Insurance Portability and Accountability Act, 1996 of the United States of America, which seeks to provide a framework for Data Privacy and Data Protection involving information about the personal health of individuals.

The draft of DISHA seeks to protect Digital Health Data by establishing a framework wherein organisations dealing in Digital Health Data will have to adhere to compliances like informing the owner before collecting the Data, along with intimation of the purpose behind such collection. In addition to that, the organisations are also obligated to inform the owners about the entities and people with whom such Data is shared and by whom it can be accessed.

Furthermore, in order to ensure strict compliance, the draft of DISHA provides for a penalty of a minimum of one lakh rupees to a maximum of one crore rupees. Apart from that, the draft of DISHA also provides specific provisions for the imposition of criminal liability upon any person or entity that breaches Digital Health Data by using it for unauthorised commercial purposes, whether intentionally or fraudulently, for a term of imprisonment ranging from three to five years, with or without a fine of more than five lakh rupees.


IoT is the future of technology across the Globe. While the advantages of this technology in transforming a wide range of sectors like healthcare, transport, agriculture, finance, manufacturing, etc. are considerable, it is also imperative to ensure that the challenges of Data Security and Data Privacy are properly dealt with. IoT Devices can surely aid in saving lives, but if the use of the collected information is not regulated, it may lead to misuse of such Data.

If the Data collected by IoT Devices is shared, it can be misused by certain connected industries from the Healthcare and Pharma Sector, inasmuch as they would benefit greatly from the collected information. The sharing of such information would be detrimental to the interests of Patients, as their SPI would become public and it would be in breach of their Right to Privacy. The use of information collected from IoT Devices must therefore be regulated. This can be achieved by creating a robust framework that not only governs Data Protection but also regulates it. The PDPB and the Draft of DISHA shall play a crucial role in increasing the use of IoT Devices in the Healthcare Sector in India.

– Team AMLEGALS, assisted by Ms. Kriti Goswami (Intern)
