[10/08, 11:38 am] Dr. Avinash Kumar Gupta: Project idea - Dpdp bill impact on UDHC/PaJR model. (If anyone wanna try)
+ve/-ve/recommendations.
[10/08, 11:40 am] Dr. Rakesh Biswas sir: Will mention it today in the SWOT time permitting
What do you feel?
Would the bill be a threat to what we are doing?
[10/08, 11:41 am] Dr. Avinash Kumar Gupta: Thanks sir!
Not a barrier but an enabler I feel. (Based on my prior exposure with hipaa in context of UDHC)
[10/08, 11:42 am] Dr. Rakesh Biswas sir: Enabler in what way? Share in the context of the bill
[10/08, 11:42 am] Dr. Avinash Kumar Gupta: Sure sir, I am yet to open it's pdf and read. I will try today and update in a few hours.
[10/08, 11:44 am] Dr. Rakesh Biswas sir: Will be looking forward to your quotes from this
[10/08, 11:44 am] Dr. Avinash Kumar Gupta: Sure sir
[10/08, 12:29 pm] Dr. Avinash Kumar Gupta: Page 3
(t) “personal data” means any data about an individual who is identifiable by or
in relation to such data;
(u) “personal data breach” means any unauthorised processing of personal
data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss
of access to personal data, that compromises the confidentiality, integrity or availability
of personal data;
[10/08, 12:35 pm] Dr. Avinash Kumar Gupta: *CHAPTER II*
OBLIGATIONS OF DATA FIDUCIARY
4. Grounds for processing personal data.
5. Notice.
6. Consent.
7. Certain legitimate uses.
8. General obligations of Data Fiduciary.
9. Processing of personal data of children.
10. Additional obligations of Significant Data Fiduciary.
*CHAPTER III*
RIGHTS AND DUTIES OF DATA PRINCIPAL*)
11. Right to access information about personal data.
12. Right to correction and erasure of personal data.
13. Right of grievance redressal.
14. Right to nominate.
15. Duties of Data Principal.
[10/08, 12:41 pm] Dr. Avinash Kumar Gupta: Page 9 ( _we don't have good mechanism for this but its doable_ )
(1) The Data Principal shall have the right to obtain......
....(a) a summary of personal data which is being processed by such Data Fiduciary
and the processing activities undertaken by that Data Fiduciary with respect to such
personal data;
(b) the identities of all other Data Fiduciaries and Data Processors with whom
the personal data has been shared by such Data Fiduciary, along with a description of
the personal data so shared; and
(c) any other information related to the personal data of such Data Principal and
its processing, as may be prescribed.
[10/08, 12:45 pm] Dr. Avinash Kumar Gupta: _With PaJR approach (whatsapp) we don't have deletion mechanism_ but it's not needed as we already remove personal data (I.e. identifiers)
(3) A Data Principal shall make a request in such manner as may be prescribed to the
Data Fiduciary for erasure of her personal data, and upon receipt of such a request, the Data
Fiduciary shall erase her personal data unless retention of the same is necessary for the
specified purpose or for compliance with any law for the time being in force.
[10/08, 12:54 pm] Dr. Avinash Kumar Gupta: _Enabler point_
“Data Fiduciary” means any person who alone or in conjunction with other
persons determines the purpose and means of processing of personal data;
[10/08, 12:56 pm] Dr. Avinash Kumar Gupta: _Enabler point_
(g) “Consent Manager” means a person *registered with the Board*, who acts as
a single point of contact to enable a Data Principal to give, manage, review and
withdraw her consent through an accessible, transparent and interoperable platform
[10/08, 1:02 pm] Dr. Avinash Kumar Gupta: _Enabler point_ (we already mention about open sourcing data in consent and more importantly its already deidentified so no "personal data")
4. (1) A person may process the personal data of a Data Principal only in accordance
with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
[10/08, 1:11 pm] Dr. Avinash Kumar Gupta: *Summary*
This bill clearly defines 1) personal data, 2) data fiduciary, 3) consent manager.
We do not share or process personal data explained in the bill as we already remove it by deidentification.
I need to understand more about consent manager, we already have consent management in place though there is always scope for improvement.
This bill doesn't clearly list what is a personal data and what is not as in hipaa but it's understandable based on the definition. Our deidentification process is robust for that.
This bill doesn't talks about deidentified data and also about its open sharing, but if we are deidenfying responsibly then we are correct with our process.
So overall we don't need to make any changes in the process to be compliant to it (except probably *board registered consent manager person* )
[10/08, 1:15 pm] Dr. Avinash Kumar Gupta: Yes. In that case all rights of data principle will be applicable and must be done.
But you may recall, we don't add the patient but a patient advocate/care manager who knows the patient. This way the patient is deidentified.
[10/08, 1:53 pm] Dr. Avinash Kumar Gupta: If the bill had a line that open sharing of data after removing "personal data" is allowed with consent then it could be 100% fit for us.
People dealing with hipaa and gdpr do share open access data
*Recommendations and conclusion*
We have several recommendations for sharing sensitive healthcare data within the EU (Fig. 4). First, it is important to have a multidisciplinary team of experts with in-house knowledge to tackle legal, ethical, economic, and technical issues. Second, external parties can be involved in assessing the privacy and data protection risks to acquire unbiased risk assessments. Third, the risk of re-identification (for both anonymised and pseudonymised data) should be adequately accounted for. The de-identification methodology we recommend is K-anonymisation, as performed by AmsterdamUMCdb. Fourth, patient consent is not always required by the GDPR, as indicated in Fig. 1. Fifth, adherence to transparency when publishing open data and trust between patients and other stakeholders is crucial when sharing health data30,31. This includes the legal obligation for the hosting institution to inform patients through its privacy statement that their data can be shared and reused for investigation purposes. Sixth, the commitment of the hosting institution is required for a successful publication process. The institution should be willing to back up the project when unforeseen obstacles present themselves (i.e., costs and/or effort). Ultimately, data should be stored and analysed in the cloud, if possible, so the data cannot be downloaded. If infeasible, strict governance should be implemented. To guide future initiatives in sharing open healthcare data, we included a Gantt chart in the supplementary information14 as a planning guideline. In conclusion, publishing open health data in the EU might be challenging, but it is essential for developing modern-day healthcare. The experiences and lessons learned from these four successful databases can guide the development of new open European ICU databases.
Reference to above paragraph. It's not from dpdp bill. It's from "A guide to sharing open healthcare data under the General Data Protection Regulation" https://www.nature.com/articles/s41597-023-02256-2
[10/08, 2:00 pm] Dr. Avinash Kumar Gupta: Ref - https://www.nature.com/articles/s41597-023-02256-2
[10/08, 2:01 pm] Dr. Avinash Kumar Gupta: Reference to above paragraph. It's not from dpdp bill. It's from "A guide to sharing open healthcare data under the General Data Protection Regulation"
