How COVID-19 affects personal health data

By Deeksha Manchanda, Chandhiok & Mahajan

Governments and civil societies worldwide are making dramatic efforts to contain the spread of COVID-19. In India, notices have been placed outside the homes of people under quarantine or with the names of those who have tested positive for COVID-19. This raises questions concerning the personal privacy and data protection rights of those affected by COVID-19. This article deals with the protections offered in respect of health data and to what extent the disclosure of information is permissible. There is no comprehensive framework to provide protection for the health data of individuals. The provisions regulating health data are scattered across a multitude of statutes and judgments, and are far from adequate.


The Information Technology Act, 2002: One of the main data protection provisions is the Information Technology Act, 2002 (act), as read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (rules). The rules define personal and sensitive personal information, and set out obligations of collectors of such information.

Travel histories are likely to fall within the scope of personal information, and medical records and history are sensitive personal data (SPD) as defined in the legislation. The rules extend to a “body corporate”, i.e., companies, firms, sole proprietorships and other associations of individuals engaged in commercial or professional activities. The rules require the body corporate collecting information to:

  • have in place privacy policies that cover the purpose for which the information is collected, its usage and its disclosure;
  • obtain consent for the collection of information and set out the purpose of the collection and the intended recipients;
  • disclose information only where the provider has agreed, either while information is being collected or afterwards, or when public agencies require it to verify identity;
  • disclose the SPD only under a lawful order, including an order issued for reasons of public health;
  • ensure that the SPD is not published.

The medical profession: A myriad of rules and regulations require confidentiality in a doctor-patient relationship. The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, and the Code of Medical Ethics both impose a secrecy obligation on physicians. Whether the obligation of confidentiality is absolute was decided by the Supreme Court in Mr X v Hospital Z. The court held that the obligation was not absolute and may give way to the protection of public health or the right to life of another person. Hospitals, and consequently the doctors working with them, also fall within the scope of the rules if they are a body corporate.

The constitutional framework: Article 21 of the constitution has been interpreted to include the right of individuals to privacy. Some guidance about whether and to what extent the right to privacy nonetheless permits disclosure about an individual suffering from a communicable disease can be found in the Supreme Court’s decision in KS Puttaswamy v Union of India, where the court notes that:

  • privacy of health and individual information is part of the fundamental right to privacy;
  • right to privacy is not absolute and may be subject to reasonable restrictions for such purposes as the protection of public health;
  • anonymized data may be used by the government for the preservation of public health and for appropriate policy interventions;
  • any restriction on the right to privacy by the government is amenable to judicial review and must fulfill the test of proportionality, that is, there must already exist a law permitting the restriction, the restriction must serve legitimate government aims and should be proportional.

Given the above, the situation for patients and those otherwise affected by COVID-19 is as follows:

  • they have the choice whether to consent to disclose their information to an employer or a hospital;
  • employers, or a hospital that is a body corporate, may be required by law to disclose information regarding a patient. Disclosure may also be permitted where a patient has consented to it;
  • the government may by law require the disclosure of names and other personal data of a patient from hospitals and employers;
  • all laws made and measures taken by the government, either requiring the disclosure of personal data or publication of it through notices, will be amenable to judicial review. The courts will determine whether such a law is proportionate to the need to combat the risk to public health and the unprecedented nature of the crisis.

Deeksha Manchanda is a counsel at Chandhiok & Mahajan.

