India is often described as “the poster child of emerging markets” for its vast commercial potential for startups. In a country with a population of nearly 1.3 billion people, even niche products can have significant market potential. In the 1990s, economic reforms moved India towards a more market-based economic system. Startups in India as in many other parts of the world, have received increased attention in recent years. Their numbers are on the rise and they are now being widely recognized as important engines for growth and jobs generation. Through innovation and scalable technology, startups can generate impactful solutions, and thereby act as vehicles for socio-economic development and transformation.


The COVID-19 outbreak not only brought the global economy- it exposed the inadequacies of the developed world’s health systems in addressing fast-spreading pandemics. The pandemic has caused what is being called a structural shift for digital healthcare in many countries, including India. The current situation prescribes that it is time for India to reboot healthcare and support healthcare startups for closing the gaps in the traditional healthcare system.


Health-tech is the fastest-growing sector in the healthcare world. Health-tech, the term itself encapsulates this evolution, clearly referring to the intersection between healthcare and technology. The ever-evolving startup culture and faster adoption of new-age technologies like cloud computing and artificial intelligence (AI) have catalyzed the growth of health-tech startups in India. These startups facilitate medical procedures by marrying traditional practices with modern technologies. Such ventures are increasingly becoming popular in India as telemedicine, and online delivery of healthcare facilities help them tap a larger market base.


In India, the health-tech market can be broadly divided into

  • Telemedicine – it is the platform where the medicine is combined with technology to provide healthcare services remotely.
  • E-pharmacy – an online marketplace where the patient can order medicines, health products and can get them deliver at their doorsteps.
  • Healthcare and IT analytics – Healthcare organizations may use SaaS (Software as a Service) and other Cloud solutions to manage and access resources, patient records, data, and healthcare infrastructure.





Indian government plans to fabricate an ecosystem that advances entrepreneurship at the startup level and has taken various activities to guarantee that the entrepreneurs get suitable help.


Digital India is an activity drove by the Indian government to guarantee that government services are made accessible to each resident through online platform. In July 2015, the PM declared the Digital India activity that plans to interface provincial territories by building up their advanced framework. This converts into a great business opportunity for startups. Online based companies in India have been wanting to go into India’s rural region as part of the governments initiative.





We have accepted a lot of terms and conditions on various apps but have we ever read them? Many of us have not, to be honest. In these terms and conditions, they always ask for permission to collect our personal data? Like they ask for our location, contact information, storage access, and so on. Through these permissions, they monitor whatever we do on our devices and collect that data. For example, we search something on Google, Instagram, other social media apps start showing us the ads or promotion pages related to our searches. Likewise, other apps also do this. Across multiple apps and websites, for a smooth, better, and user-friendly experience, this data is used to train AI algorithms.

Even though it is done for the user’s benefit this comes at the cost of data privacy. Sometimes this data is collected only to be sold to third parties by the companies. Moreover, this data is at the risk of getting stolen by exploiting loopholes.





Now the concern is that how to keep your data safe and protected. Apart from data protection rules that binds an application or website, the user must ensure few things for better safety. Such measures include:

  • Staying away from apps not available on Play Store or App Store (iOS).
  • Not entering information without checking the credibility of the app or site.
  • Clearing cache and cookies regularly.
  • Inspecting what permissions, we are giving them to access and process our data.

These are some of the things that a user can do from their end for data protection. But actual data protection lies in the hands of the government and the developers.






It is the primary duty of a government to protect its people and keep their personal or even public data safe. Governments of different nations have different policies regarding data privacy and protection. Like in the USA, each state has its own rules regarding data protection. Apart from abiding by government rules and regulations, the developer also takes measures to protect a user’s data.


With the outbreak of the COVID-19 pandemic, many developing countries including India are on the cusp of a digital revolution. Further, as part of its Digital India Mission, the Indian Government recognizes the issue of cyber security and the need for robust laws to protect digital data. An important step in this direction is the proposed Digital Information Security in Healthcare Act (“DISHA“), which seeks to provide for electronic health data privacy; confidentiality, security and standardization; and establishment of National Digital Health Authority and Health Information Exchanges.


  • Digital Information Security in Healthcare Act (“DISHA”)


DISHA lays down provisions that regulate the generation, collection, access, storage, transmission and use of Digital Health Data (“DHD“) and associated personally identifiable information (“PII“). DISHA states that health data including physical, physiological, mental health condition, sexual orientation, medical records, medical history and biometric data is information that can only be the property of the person it pertains to.


  • DHD is an electronic record of health-related information about an individual and includes information relating to an individual’s physical or mental health; donation by the individual of any body part or any bodily substance, etc.
  • PII is defined as any information that can be used to uniquely identify, contact or locate an individual specifically or along with other sources. This includes information such as name, address, date of birth, vehicle number, financial information etc.
  • The legislation creates a central regulator called the National Electronic Health Authority (NeHA), and various State Electronic Health Authorities (SeHA) to give effect to the provisions of DISHA.
  • It covers within its ambit clinical establishments (which includes hospitals, nursing homes, dispensaries, clinics, sanatoriums and pathology labs) and any other entity that collects DHD.
  • DISHA has proposed stringent penalties for defaulters in the nature of fine and/or imprisonment.


Challenges to implementation of DISHA


The most serious issue with data collection and sharing will be how to obtain informed consent from a data owner. Another concern will be effective enforcement of the provisions of DISHA, given that the costs involved in implementing security solutions may become a drain on resources for clinical establishments.

Electronically stored data is vulnerable to security breaches and therefore comprehensive and technology driven data security measures would need to be adopted. Sensitization and protection of people’s right to privacy and security of their data will be the bedrock of DISHA.


  • Personal Data Protection Bill 2019


The Government of India had introduced the Personal Data Protection Bill 2019 (PDP Bill) in the Lok Sabha on 11 December 2019.


The “PDP Bill 2019” which defines both Personal and Non-personal Data, is a substantive framework which introduces a specialized regulatory approach for the Protection and Privacy of Data in any form (digital or non-digital) in India. The proposed legal framework would be applicable to processing, storage and transfer of any form of personal data across sectors of the economy, academia, industry and the society. The Bill has also limited provisions relating to Non­Personal Data (NPD).


The key recommendations made by the Joint Parliamentary Committee in their report:


  • The “Bill” will apply only to data collected, stored and processed in digital form.
  • The JPC has recommended that all the data has to be dealt with by one Data Protection Authority (DPA). JPC have proposed to change the name of Bill to “Data Protection Bill”.
  • JPC has recommended that all social media platforms, which do not act as intermediaries, should be treated as publishers and be held accountable for the content they host.




  • The Information Technology Act, 2000, and the Information Technology Rules, 2011


Digital health involves a constant exchange of information between the patient and the service provider. This information is termed Sensitive Personal Data or Information (SPDI).Before a doctor or an institution does anything with the data, the patient’s written permission needs to be obtained.


The IT Act, 2000 does not apply to digital health services in such circumstances, the service provider would be classified as an intermediary under the Intermediary guidelines and IT Act . An intermediary is not liable for third-party content hosted by the intermediary if the intermediary’s role is limited to providing access to a communication system over which information is hosted or stored, and the intermediary has followed the due diligence requirements outlined in the IT Act.


The constitutionality of the Intermediary Guidelines and Section 79 of the IT Act was challenged before the Supreme Court in the case of Shreya Singhal v. Union of India (2015), stating that these provisions were vague, broad. The Supreme Court interpreted Section 79 of the  Act and the Intermediary Guidelines to indicate that the intermediary must receive a court order or communication from a government agency ordering it to remove the particular content. The court further noted that any such court order or notice must fit within the scope of Article 19(2)’s reasonable limitations, implying that any removal must be legal.




Data analytics and predictive healthcare will become more accurate as healthcare data becomes more extensive. While both the bills that is DISHA and the PDP Bill have not been passed by the Parliament and await enactment, it shall be interesting to see the shape and form in which they are both enacted. These bills will change the shape of data protection (personal or health data) in India making it more in tune with global standards. While the present law in terms of protection of health or personal data is more generic in nature, the bills bring out additional responsibilities on the data collector with stringent fines and penalties for non-compliance of such responsibilities which need to be properly assessed once these bills become law.



  1. Pradhan Mantri Gramin Digital Saksharta Abhiyaan”, accessed September 4, 2019.
  2. NASSCOM, “Indian Tech Start-up Ecosystem, Approaching Escape Velocity,” 2018.
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *