ISSN (Online) - 2349-8846

A Healthy Dose of Privacy

Dhvani Mehta is at the Vidhi Centre for Legal Policy, New Delhi.

The Supreme Court’s privacy judgment has important implications for the right to health, especially the protection of health information. The standards that laws will have to meet to impose restrictions on such protection are examined. In this context, the HIV/AIDS Act, 2017, the implications of a data protection law for health, and the unconstitutionality of mandatorily requiring Aadhaar to obtain treatment for HIV/AIDS and tuberculosis are discussed. 

The author is grateful to Shankar Narayanan for his inputs.

The almost academic nature of the Supreme Court’s judgment on the right to privacy in K Puttaswamy v Union of India (2017a) means that its practical implications will continue to be dissected until they fill several volumes. One of the most important impacts of the judgment is on health, and this article discusses its implications for the scope of the right and the extent to which it is to be balanced with other interests. Justice R F Nariman’s opinion highlights at least three aspects of the right to privacy, each of which has particular significance for health: privacy relatable to the physical body; informational privacy, vesting individual control over the dissemination of personal information; and the privacy of choice, granting individual autonomy over personal choices (K Puttaswamy v Union of India 2017c: para 81).

At various places, the judgment offers examples of the link between issues concerning health and the three aspects of privacy mentioned above. Justice J Chelameswar provides an example of bodily privacy by recognising that the refusal of life-prolonging medical treatment falls within the “zone of the right to privacy” (K Puttaswamy v Union of India 2017d: para 38). Justice D Y Chandrachud states that a reasonable expectation of privacy attaches to medical information (K Puttaswamy v Union of India 2017b: para 177), while personal reproductive choices, which have obvious implications for health, are also recognised to be at the core of the idea of privacy (K Puttaswamy v Union of India 2017b: part 3, para 3F).

The nature of the question before the Court did not, perhaps, allow it to flesh out the health-related aspects of privacy in greater detail. Nor did the Court have the opportunity to set out, exhaustively, the different kinds of public interest that might constitute reasonable restrictions on privacy in the context of health. The most specific pronouncement of this kind is made only in relation to health information: The unauthorised disclosure by a hospital of medical records submitted by individual patients would constitute an invasion of privacy.

However, it would be open to the state to assert a legitimate interest in analysing data borne from hospital records to understand and deal with a public health epidemic … to obviate a serious impact on the population. (K Puttaswamy v Union of India 2017b: para 182)

The other context in which the judgment discusses health and privacy is in the process of describing the evolution of the privacy doctrine in India (K Puttaswamy v Union of India 2017b: para 57, 58). Justice Chandrachud discusses the Supreme Court’s decision in Mr X v Hospital Z (1998), where a person’s HIV+ status was disclosed to his fiancée and her family. In that case, the Court, while holding that the right to privacy formed an integral component of the right to life under Article 21 of the Constitution, justified the disclosure and held that the right could be restricted for the protection of health (of his partner), among other interests (K Puttaswamy v Union of India 2017b: para 28).

In the Puttaswamy judgment, the Court does not make any observation on the correctness of this decision so far as the balance struck between health and privacy is concerned. The Court also cites a judgment of the South African Constitutional Court that dealt with the disclosure of the HIV+ status of three women. But the judges use it primarily to demonstrate the links between privacy, equality, and dignity, rather than as an example of the balancing of privacy with other interests.

For this balance, we must turn to Justice Chandrachud’s opinion, which lays down a threefold standard that must be met by restrictions on any aspect of the right to privacy: first, the restriction must be laid down by law; second, the restriction must be in pursuit of a legitimate state aim (including the preservation of public health); and third, it must be proportional to the object and the needs sought to be fulfilled by the restricting law (K Puttaswamy v Union of India 2017b: para 180).

However, it is unfortunate that the Court confined itself only to judicial examples while discussing the evolution of privacy in India and the manner in which it is to be balanced with other interests. Legislative protection of the right to privacy has, in some cases, gone far beyond the protection afforded by the courts. A good example of this is the Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Act, 2017 (the HIV/AIDS Act).


The HIV/AIDS Act contains comprehensive provisions on the protection of confidential health information. Section 8 of the act imposes a general prohibition on the disclosure of a person’s HIV status, permitting it only in the limited circumstance of an order of a court that deems it “necessary in the interest of justice for the determination of issues in the matter before it.” When information about HIV status has been imparted in confidence through a relationship of a fiduciary nature, such information shall not be disclosed without the informed consent of the concerned person. Informed consent may be waived, again, only in limited circumstances. These will include disclosure in the case of a judicial order; for the care and treatment of HIV+ persons; in cases where the information is shared between two healthcare providers for the purpose of treatment; where only statistical information (that could not reasonably be expected to lead to identification) is disclosed; and to officers of the central or state governments for the purposes of monitoring and evaluation.

Unlike the judgment in Mr X v Hospital Z (1998), there are strict conditions laid down for the disclosure of the HIV status of a person to their partner in the HIV/AIDS Act (Section 9). Every healthcare establishment that keeps records of HIV-related information is also under an obligation to adopt data protection measures to ensure the confidentiality of the information (Section 11). Section 39 prescribes a penalty for breach of confidentiality, which may extend to a fine of ₹1 lakh, although this is confined to the disclosure of information obtained during the course of court proceedings.

The act also protects bodily and decisional aspects of privacy by stating that no person shall be compelled to undergo an HIV test or be subjected to medical interventions, treatment, or research, except with the informed consent of such a person, and in accordance with specified guidelines (Section 5). Informed consent may be waived by a court for the use of a human body or any part thereof in medical research and therapy, for epidemiological purposes, and for screening purposes in a licensed blood bank (Section 6).

These provisions demonstrate that legislation, rather than judicial determination, is more suited to providing a context-specific and nuanced balancing of rights and interests. Each encroachment on privacy imposed by the HIV/AIDS Act is the least restrictive it can be, narrowly tailored to achieve legitimate state interests in the administration of justice and the protection of health of others, encompassing both individual and public health interests.

The value of the Puttaswamy judgment lies in the fact that it will ensure that the HIV/AIDS Act does not remain the exception. The judgment imposes a positive obligation on the state to, first, ensure that all existing restrictions on privacy are contained only in the form of law, and, second, to update or amend existing laws to make sure that they strike a reasonable balance between privacy and other interests.

Review of Health Legislation

There are nearly 100 central laws that have a direct or indirect bearing on health, ranging from the Epidemic Diseases Act, 1897 to the Transplantation of Human Organs and Tissues Act, 1994 and the Protection of Children from Sexual Offences Act, 2012 (POCSO Act). The Ministry of Health and Family Welfare (MoHFW), in consultation with the Ministry of Law and Justice, must undertake a thorough review of these laws to determine whether they meet the standards laid down in the Puttaswamy judgment. For instance, Section 19 of the POCSO Act requires all persons, including medical practitioners who suspect that an offence has been committed under the act, to report it to the Special Juvenile Police Unit or the local police. Although there is obviously a legitimate state interest in the prevention of crime against children, there are concerns about protection of privacy involved in compulsory reporting (Chandra 2017). The act may need additional safeguards to allow the doctor to provide treatment while keeping the patient’s identity confidential.

Varying standards apply to health-related information collected under different legislations. For instance, the Information Technology Act, 2000 and the rules framed under it will apply to confidential prescription information held by online or e-pharmacies (Drugs Consultative Committee 2016), while the protection of information collected during clinical trials is governed by the Guidelines for Clinical Trials on Pharmaceutical Products in India (Good Clinical Practice Guidelines). The Transplantation of Human Organs and Tissues Rules, 2014 itself contains different standards, neither of which provides much detail. Rule 28(f) states that tissue banks applying to be registered must use a unique donor identification number for each donor and restrict access to donor records. They do not specify who may access the records or the conditions under which such access is to be restricted. Rule 32(11), in relation to organ donation and tissue registries, merely states that “measures shall be taken to ensure security of all collected information” without any indication of the different factors that such measures ought to take into account.

Health laws require a review to minimise such differences and to evolve common principles that will govern the collection, storage, and disclosure of health information. The expert committee on data protection mentioned earlier will do some of this work, but the MoHFW must also play an active role in adapting these principles to the context in which they will operate, and framing detailed rules to put these principles into operation. A sense of the work that will be required is evident from the overview of the existing standards on electronic health records.

Electronic Health Records

An Electronic Health Record (EHR) is a “collection of various medical records that get generated during any clinical encounter or event” (National Health Portal 2015). The purpose of collecting such records is to improve evidence-based care, allow quicker diagnosis, and avoid multiple clinical investigations. Currently, EHR standards are largely confined to prescribing the software and hardware requirements for the capture, storage, and exchange of health information.1 These standards are explicitly held not to apply to “wider implementation scenarios of an administrative, legal, or regulatory nature,” although the document setting out these standards also provides its own definitions of data privacy and security (National Health Portal 2015).

The first requirement of the Puttaswamy judgment is that any restriction on the right to privacy may only be imposed by a law. The EHR standards, which currently exist only in the form of a circular issued by the MoHFW, do not meet this requirement, and will have to be revised based on the data protection framework that is likely to be enacted on the recommendations of the expert committee. The standards will now have to be extended explicitly to administrative, legal, and regulatory scenarios, and the definitions of data privacy and security will have to be harmonised with the more general data protection principles that will be developed. These standards should additionally be harmonised with those prescribed for the maintenance of records under Section 12(1)(iii), read with Section 52(2)(f) of the Clinical Establishments (Registration and Regulation) Act, 2010.2

As important as the protection of individual health records is, the Court in the Puttaswamy case explicitly recognises the value of such data for the protection of the larger public health interest. The need for this and the conditions under which such data may be used require some discussion.

Privacy and Public Health Interests

There is a vital role that big data can play in solving some of India’s more acute public health problems. Outbreaks of infectious diseases can be predicted with the use of “collated data sources” (Kang 2016). However, accurate data collection in India is very difficult, especially given the lack of available information in rural areas (Merten 2013). To remedy this, states like Karnataka are making cancer reporting mandatory and creating cancer registries that can provide an accurate picture of the disease burden in the state (Ghosh 2015). While a legitimate state interest in registries created by such mandatory reporting is clearly made out, what are the safeguards that can be implemented to ensure that the confidentiality of individual patient’s information is preserved to the extent possible?

In 2017, the Indian Council of Medical Research issued the National Ethical Guidelines for Biomedical and Health Research Involving Human Participants. Section 8 of the guidelines deals comprehensively with public health research. This includes the manner in which data may be collected and used, and the instances in which informed consent for the use of such data may be waived.3

However, these guidelines may not be sufficient for the conduct of such research, given that the Puttaswamy judgment clearly requires any restrictions on the right to privacy to be imposed through a law. A bill to regulate biomedical research has now been in the offing for nearly four years (Dhar 2013). The Puttaswamy judgment might provide the right impetus to give it the shape of law.

Mandatory Use of Aadhaar

A discussion on health and privacy would not be complete without considering the implications of the mandatory submission of the unique identifier, Aadhaar, to obtain treatment for HIV/AIDS at anti-retroviral therapy (ARTs) centres or cash benefits under the Revised National Tuberculosis Control Programme. When the linking of the Aadhaar number was introduced as a pilot programme by the National AIDS Control Organisation, the move was initially welcomed as a way to track patients who might drop out of their treatment regime (Chatterjee 2014). However, the compulsory submission of Aadhaar details (introduced by the Madhya Pradesh State AIDS Control Society) is alleged to have made patients avoid government hospitals and ARTs centres for fear of disclosure of their identity (Tomar 2017).

A constitution bench of the Supreme Court will soon hear petitions that have challenged the mandatory use of the Aadhaar under several such schemes (Indian Express 2017). In the absence of any evidence to demonstrate that patients fraudulently obtain HIV/AIDS treatment (and it is very hard to see why they would) or cash assistance for tuberculosis, it is unlikely that the mandatory use of the Aadhaar under these two schemes will withstand constitutional scrutiny. It is difficult to point to any legitimate state interest. The compulsory submission of this information is entirely disproportionate to the aim of stemming the “dissipation of social welfare benefits” (K Puttaswamy v Union of India 2017b: para T[I][5]). Instead, by depriving persons of their right to obtain medical treatment, it violates the right to health guaranteed by Article 21 of the Constitution.


The Puttaswamy judgment also has implications for laws like the Medical Termination of Pregnancy Act, 1971 and the Surrogacy (Regulation) Bill, 2016, where the bodily integrity and decisional autonomy aspects of privacy are involved. However, a discussion of these issues is beyond the scope of this article. On the whole, the judiciary will continue to play an important role over the coming months in ensuring that the principles articulated in the Puttaswamy judgment are given meaningful content in practical challenges to executive encroachment, particularly in the form of the Aadhaar. In the meantime, civil society must continue bringing pressure to bear on Parliament to ensure that a healthy dose of privacy is injected into our legislative framework.


1 ISO standards have been prescribed for an Electronic Health Record Architecture, while different international standards are recommended for imaging, scanned or captured records, and data exchange.

2 One of the requirements for the registration of establishments under this act is that they fulfil the prescribed provisions for the maintenance of records.

3 These guidelines lay down that informed consent may be waived in cases of research conducted on routinely collected data under national programmes, where people concerned have been informed at the time of collection that data may be used for other purposes; where obtaining consent is impractical and research is to be conducted on stored anonymous data.


Chandra, Aparna (2017): Panel Discussion on Privacy and Reproductive Rights hosted by the Vidhi Centre for Legal Policy, India International Centre, New Delhi, 13 October.

Chatterjee, Pritha (2014): “Plan to Link Benefits for HIV Patients to Aadhaar No,” Indian Express, 24 November, viewed on 31 October 2017,

Dhar, Aarti (2013): “Bill to Make Biomedical, Health Research Ethical,” Hindu, 19 September, viewed on 31 October 2017,

Drugs Consultative Committee (2016): “Report of Subcommittee Constituted by the Drugs Consultative Committee to Examine the Issue of Regulating the Sale of Drugs over Internet under the Drugs and Cosmetics Rules, 1945,” 30 September, viewed on 30 October 2017,

Ghosh, Padmaparna (2015): “Karnataka Takes the First Step towards Reducing Cancer Rates—By Mapping the Epidemic,” 9 October, viewed on 30 October 2017,

Indian Express (2017): “Aadhaar Case: Supreme Court to Set up Five-judge Constitution Bench to Hear Pleas,” 30 October, viewed on 31 October 2017,

K Puttaswamy v Union of India (2017a): SCALE, SC, 10, p 1.

— (2017b): SCALE, SC, 10, p 1 (plurality opinion).

— (2017c): SCALE, SC, 10, p 1 (Nariman, J, concurring).

— (2017d): SCALE, SC, 10, p 1 (Chelameswar, J, concurring).

Kang, Gagandeep (2016): “Mapping Disease with Big Data,” Hindu, 25 December, viewed on 30 October 2017,

Merten, Martina (2013): “The Problem with Data Collection in India,” Pulitzer Center, 25 October, viewed on 30 October 2017,

Mr X v Hospital Z (1998): SCC, SC, 8, p 296.

National Health Portal (2015): “Electronic Health Records Standards,” 3 June, viewed on 30 October 2017,

Tomar, Shruti (2017): “Linking Benefits for AIDS Patients to Aadhaar Triggers Privacy Concerns,” Hindustan Times, 3 April, viewed on 31 October 2017,

Updated On : 27th Dec, 2017

