data law will restrict the scope of their operations, legal experts aware of the matter said.
The Digital Personal Data Protection (DPDP) Bill, which received the President’s assent on August 11, has proposed that companies and businesses — which collect and store user data and are termed as data fiduciaries — cannot process the personal data of any user without explicit consent. It requires them to specifically state the “purpose” for which data is collected and to also delete information when user consent is withdrawn.
Typically, companies offering multiple services utilise stored data to cross-sell their other products and services are now a worried lot and seeking legal opinion, according to the experts cited above.
Narayana Health, one of India’s largest hospital chains, said current regulations do not permit hospitals to delete patient records. There is a need for “carve-out for health data” in the new privacy law, said Viren Shetty, vice chairman of Narayana Health, adding that information is required to “treat patients”.
The Bengaluru-headquartered company has 47 healthcare centres in the country. “We can make a representation to make a carve-out for health data, as data fiduciaries we are supposed to hang on to it,” he told ET.
Pointing out that “as far as defining purpose is concerned, it is self-explanatory, we take patient consent that we are going to use patients' data for treating them better,” he