Navigating Data Privacy in India and its emerging intersection with Mental Health

May 28, 2025

Digital Mental Health

Murchana Hazarika and Prajakta Dhapte

India’s digital landscape is evolving rapidly. With it comes a growing need to protect personal data, especially in a world where data is constantly collected, shared and stored. The Digital Personal Data Protection (DPDP) Act of 2023 marks a major turning point in how India approaches data privacy. The DPDP Act provides for the processing of digital personal data in a manner that recognises the rights of individuals to protect their personal data. With the enactment of the DPDP Act, India's data governance framework places heightened focus on issues of privacy, informed consent, and data protection mechanisms. At the heart of the Act are two key stakeholders – Data Principals (whose data is collected) and Data Fiduciaries (apps, hospitals, service providers and data collectors in general that process data). Data Principals have control over their personal data, and Data Fiduciaries are obligated to uphold transparency and accountability in how they collect, process and use this data.

Informed Consent and decision making in the DPDP Act

The Digital Personal Data Protection (DPDP) Act underscores that users, or Data Principals, have the capacity to provide informed consent for the processing of their personal data. Section 11(1) grants them the right to access details about how their data is used, including summaries of processing activities and third-party disclosures.

People living with severe mental health conditions may experience limitations in their decision-making capacity. In such instances, the Mental Healthcare Act, 2017 (MHCA) enables them to nominate a representative who can temporarily support them with decision-making. Rights and processes for informed consent under the DPDP Act are exercised in line with these provisions of the MHCA – a commitment to a rights-based approach promoted by the MHCA.

Mental Health in a contemporary Digital Age

The rise of digital mental health platforms, especially post COVID-19, has led to the increased collection and storage of sensitive data through platforms like Tele MANAS, which is and other electronic mental health records. This surge highlights the urgent need to understand the legal protections in place for users’ personal data and privacy rights amid ongoing privacy concerns and limited safeguards. Cyberattacks on institutional health data, as seen in the November 2022 ransomware attack on the servers of the All India Institute of Medical Sciences in Delhi, sparked serious concerns about the protection of sensitive data stored in its patient databases.

How is Mental Health data unique?

Mental health data does not resemble other data. It is often personal and is deeply contextual to an individual's mental health journey. Disclosures around diagnoses, particularly for people with severe mental health conditions, can have profound implications – exposing individuals to stigma and structural discrimination, if not handled with stringent privacy safeguards and sensitivity. As more individuals turn to online platforms for mental health support, these platforms collect significant information on users' emotional states, behavioural patterns, and at times, even vulnerable moments of crisis. While the DPDP Act provides a foundational legal framework for data protection, it does not sufficiently address the unique risks associated with mental health data, with no special protections for or recognition of sensitive personal data. Additionally, Section 17 of the DPDP Act provides the State and state instrumentalities blanket exemptions to use data collected for services (such as subsidy, benefit, service, certificate, license or permit) for any other purposes. In this context, systems like Aadhaar, which involve centralised storage of biometric and demographic data, raise concerns about the protection of privacy for individuals with mental health conditions.

The Mental Health Data Challenge

The DPDP Act is an important step toward establishing a regulatory framework to safeguard personal data in India’s evolving digital health ecosystem, including mental health services. By granting individuals rights such as informed consent, access to data, and the ability to appoint nominated persons in cases of impaired capacity, the Act reflects a rights-based approach that is particularly relevant in mental health contexts. These provisions hold promise for promoting autonomy and transparency in how sensitive data is handled. However, the Act also presents challenges such as broad exemptions for the State and insufficient protection for sensitive data – all of which raise concerns about the potential misuse or inadequate protection of mental health data. To ensure that the digital mental health infrastructure facilitates care without compromising rights, it is essential to strengthen the DPDP framework through more robust safeguards for sensitive data and to account for the unique vulnerabilities of individuals with mental health conditions.

For a detailed brief on the relevance of the Digital Personal Data Protection Act to the mental health sector in India, please click here.