The IT Rules have been incorporated vide Section 43A of the IT Act and provide for minimum standards on collection, disclosure and transfer of personal information—which is defined as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.” But Data protection law in Pharma has not yet been implemented stringently.
Data localisation is a method of safeguarding sensitive information within the borders of a country where the data is generated. In India, various sectors such as financial, telecom, healthcare have their own pre-existing laws and procedures for protection and localisation of data and other information. RBI issues guidelines, regulations and circulars to maintain secrecy of client information and propounds methods to evolve voluntary norms that banks must enforce on themselves, for payments data protection. The Medical Council of India under the ambit of the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002, governs issues relating to collection of personal data of patients, issues of consent and the extent to which complicated procedures may be carried out. A new bill should be introduced for ensuring data protection law in Pharma meets international standards, so as to safeguard interest of the country.
PDPB categorises data into personal data and sensitive personal data. (Sensitive data under the Bill means to include passwords, financial data, health data, sexual orientation, biometric data, generic data etc.)