An analysis of India's Digital Personal Data Protection (DPDP) Act, 2023, and its implications for Medical Imaging and Artificial Intelligence.

Radiology Data Privacy & the DPDP Act 2023

Data Protection in the Era of Responsible AI

By Dr. Sharad Maheshwari & Mr. Sujeet Katiyar

The DPDP Act 2023: A Primer for Healthcare

India's new data privacy law establishes a framework of rights and obligations for handling personal data. For radiology, where patient information is paramount, understanding these core concepts is the first step towards compliance and building trust.

Data Principal

The individual to whom the personal data relates. In our context, this is the patient.

Data Fiduciary

Any entity that determines the purpose and means of processing personal data. This includes hospitals, diagnostic centers, and research labs.

Personal Data

Any data about an individual who is identifiable by or in relation to such data. This covers DICOM images, radiology reports, and patient records.

Consent

Must be free, specific, informed, and unambiguous. A clear affirmative action is required from the patient for data processing, especially for secondary uses like AI training.

The Cost of Non-Compliance

The DPDP Act imposes significant financial penalties for breaches, making robust data security not just an ethical duty but a financial necessity.

What Does Non-Compliance Look Like?

Non-compliance isn't just about major hacking events. It often involves procedural gaps and day-to-day operational oversights that violate the core principles of the DPDP Act.

Scenario: Inadequate Security

A hospital's on-premise PACS server is running outdated software without the latest security patches. A ransomware attack exploits this vulnerability, encrypting thousands of patient scans and records. This is a direct failure to take "reasonable security safeguards."

Scenario: Failure to Notify

A diagnostic center discovers a misconfigured cloud storage bucket has left radiology reports accessible on the public internet for three months. They fix the issue but decide not to inform the Data Protection Board or the affected patients to avoid reputational damage.

Scenario: Improper Consent for AI

A research lab partners with a hospital to develop an AI algorithm. The hospital provides a dataset of 10,000 anonymized chest X-rays. However, the patients only signed a general consent for treatment, not a specific consent for their data to be used in AI research by a third party.

Scenario: Overlooked Vendor Risk

A teleradiology service uses a third-party vendor for transmitting images. This vendor suffers a data breach due to weak employee password policies. As the Data Fiduciary who chose the vendor, the teleradiology service is held responsible for the breach under the DPDP Act.

Key Findings from Indian Radiology Practices

Our research, based on data collected from various healthcare institutions, reveals current practices and highlights critical gaps in data protection, consent management, and technical safeguards in the lead-up to DPDP Act enforcement.

Access Control & Storage

While most institutions maintain access logs, the implementation of formal Role-Based Access Control (RBAC) systems is inconsistent. This gap can lead to unauthorized internal access to sensitive patient data.

  • Observed Gap: Many facilities grant overly broad access to PACS/RIS systems, deviating from the principle of least privilege.
  • Vendor Risk: A significant number of centers rely on external vendors for image handling and storage, but formal data protection agreements are not always in place.
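The two gaps above (access logs without formal RBAC, and overly broad PACS/RIS grants) are easier to reason about with a concrete role matrix. The following is an added example, not code from the study or from any PACS vendor: a small role-based authorization check that logs every allow and deny decision, plus a review routine that flags accounts whose stacked roles defeat least privilege. The roles, permissions, departments and sample accounts are constructed.

```python
"""Role-based access control for a PACS/RIS with an access log and a
least-privilege review of the role matrix. Added illustration, not code
from the study or from any PACS vendor; roles, permissions and sample
accounts are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Permissions a PACS/RIS mediates (constructed set).
VIEW_IMAGES = "view_images"
VIEW_REPORT = "view_report"
WRITE_REPORT = "write_report"
EXPORT_STUDY = "export_study"   # copies data out of the archive
MANAGE_USERS = "manage_users"

# Least-privilege role matrix: each role holds only what its job needs.
ROLE_PERMISSIONS = {
    "radiologist": {VIEW_IMAGES, VIEW_REPORT, WRITE_REPORT},
    "technologist": {VIEW_IMAGES},
    "referring_clinician": {VIEW_REPORT},
    "pacs_admin": {MANAGE_USERS},        # administers accounts, reads no studies
    "research_export": {EXPORT_STUDY},   # exercised only via the governance flow
}


@dataclass
class User:
    user_id: str
    roles: set
    department: str


@dataclass
class Study:
    accession: str
    department: str


ACCESS_LOG = []   # one entry per decision, allow or deny


def effective_permissions(user: User) -> set:
    """Union of the permissions of all roles held by the account."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def authorize(user: User, permission: str, study: Study) -> bool:
    """Grant only if a role confers the permission AND the study belongs to
    the user's department (a simple scope rule). Denials are logged as well:
    repeated denials are the signal that an account is probing beyond its role."""
    allowed = (permission in effective_permissions(user)
               and user.department == study.department)
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "permission": permission,
        "accession": study.accession,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def review_least_privilege(users) -> list:
    """Flag accounts whose stacked roles defeat the matrix: read plus export
    on one account, admin plus clinical access, or roles nobody defined."""
    findings = []
    for u in users:
        perms = effective_permissions(u)
        if EXPORT_STUDY in perms and perms & {VIEW_IMAGES, VIEW_REPORT}:
            findings.append((u.user_id, "read and export combined on one account"))
        if MANAGE_USERS in perms and perms - {MANAGE_USERS}:
            findings.append((u.user_id, "admin account also holds clinical access"))
        unknown = sorted(r for r in u.roles if r not in ROLE_PERMISSIONS)
        if unknown:
            findings.append((u.user_id, "undefined roles: " + ", ".join(unknown)))
    return findings


def denied_attempts(user_id: str) -> int:
    """Number of denied requests by one account, taken from the access log."""
    return sum(1 for e in ACCESS_LOG
               if e["user"] == user_id and e["decision"] == "deny")


if __name__ == "__main__":
    rad = User("rad01", {"radiologist"}, "radiology")
    chest = Study("ACC-1", "radiology")
    print("radiologist writes report:", authorize(rad, WRITE_REPORT, chest))
    print("radiologist exports study:", authorize(rad, EXPORT_STUDY, chest))
    stacked = User("su01", {"radiologist", "research_export", "pacs_admin"}, "radiology")
    for finding in review_least_privilege([rad, stacked]):
        print("review finding:", finding)
```

The review routine is the part worth running periodically: an access log records what happened, but only a comparison of each account's effective permissions against the intended matrix shows whether the grants themselves are broader than the job requires.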

Clinical Data Privacy Landscape: A Literature Review

This section synthesizes findings from medical journals, cybersecurity reports, and industry analyses, highlighting the most pressing data security challenges and trends observed in the broader clinical environment.

Primary Causes of Healthcare Data Breaches

Hacking and IT incidents are now the dominant cause of major data breaches, far surpassing physical theft or internal errors.

Common Threat Vectors

  • Phishing & Social Engineering: Exploiting the human element remains a top initial access method.
  • Unpatched Systems: Vulnerabilities in internet-facing systems like VPNs are increasingly targeted.
  • Third-Party Vendor Risk: Breaches at business associates often lead to massive data exposure for multiple healthcare providers.
  • Insider Threats: Both malicious intent and unintentional employee errors contribute significantly.

Impact on Patient Care

Cyberattacks cause direct harm beyond financial costs by disrupting clinical workflows, leading to delayed treatments, increased medical errors due to inaccessible records, and a significant erosion of patient trust.

Anonymization & Consent Realities

The drive for large datasets for AI clashes with technical and ethical hurdles in data preparation.

  • De-identification Gaps: Automated tools often fail to remove all PHI, especially from unstructured text in reports or burnt-in annotations on images, leaving a high risk of re-identification.
  • The Consent Dilemma: Patients often feel pressured to consent to data use to receive care. "Dynamic consent" models—allowing patients to manage preferences over time—are emerging but are not yet widespread.

Emerging Risks: Cloud & Teleradiology

The shift to distributed healthcare models introduces new vulnerabilities.

  • Cloud PACS Migration: The process of moving large image archives to the cloud is a high-risk period where data can be intercepted if not properly encrypted and audited.
  • Teleradiology Networks: The transmission of PHI across public networks creates numerous entry points for cyberattacks, requiring end-to-end encryption and secure network configurations to mitigate risks.

Global Privacy Landscape

How does India's DPDP Act compare to established international regulations like Europe's GDPR and the USA's HIPAA? While sharing core principles, key differences exist, particularly concerning health data.

Scope
  • DPDP Act (India): Digital personal data.
  • GDPR (EU): All personal data, with special categories for health data.
  • HIPAA (US): Protected Health Information (PHI) held by covered entities.

Consent for Research
  • DPDP Act (India): Requires specific, informed, and unambiguous consent.
  • GDPR (EU): Explicit consent required, with some exemptions for scientific research under strict conditions.
  • HIPAA (US): Permitted without authorization if data is de-identified or under IRB waiver.

Data Breach Notification
  • DPDP Act (India): Mandatory notification to the Data Protection Board and affected individuals.
  • GDPR (EU): Mandatory notification within 72 hours to the supervisory authority.
  • HIPAA (US): Notification to affected individuals and HHS required for breaches affecting 500+ people.

Cross-border Data Transfer
  • DPDP Act (India): Regulated by a government-notified list of countries.
  • GDPR (EU): Restricted to countries with "adequate" data protection levels or via specific safeguards.
  • HIPAA (US): Permitted for treatment, payment, or healthcare operations, with patient authorization otherwise.

A Framework for DPDP Compliance in Radiology

Moving towards compliance requires a multi-faceted approach, combining policy changes, technical controls, and continuous training. We propose a structured framework to guide institutions.

Actionable Recommendations

  1. Policy & Governance: Develop a clear internal data privacy policy. Appoint a Data Protection Officer (DPO) and establish an ethics committee checklist aligned with DPDP.
  2. Consent Management: Redesign patient consent forms to be separate, specific, and clear for clinical care vs. research/AI purposes. Implement a digital system to track consent.
  3. Technical Safeguards: Enforce strict Role-Based Access Control (RBAC). Adopt robust, multi-stage anonymization protocols that scrub DICOM tags, pixel data, and report text.
  4. Vendor Management: Execute formal Data Protection Agreements (DPAs) with all external vendors who handle patient data, ensuring they are also DPDP compliant.
  5. Training & Awareness: Conduct regular training for all staff—radiologists, technicians, and administrators—on data privacy principles and internal policies.
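Recommendation 3 calls for multi-stage anonymization covering DICOM tags, pixel data and report text, and the literature review above notes that automated tools most often miss burnt-in annotations and identifiers buried in free text. The following added example, which is not the study's own pipeline and uses no DICOM library, shows the three stages side by side: an allow-list tag policy (unknown and private tags are dropped by default, patient and accession identifiers become keyed pseudonyms, dates are shifted rather than deleted), rectangular masking of burnt-in pixel regions, and pattern-based scrubbing of a report. The header is modelled as a plain dict keyed by DICOM tag keyword, pixel data as a list of rows, and the tag policy, regular expressions and every sample value are constructed.

```python
"""Multi-stage de-identification of a radiology study: header tags, burnt-in
pixel text and the free-text report. Added illustration, not the study's own
pipeline and not a DICOM library; the tag policy, patterns and all sample
values are constructed."""
import hashlib
import re
from datetime import date, timedelta

# Stage 1 policy. Allow-list semantics: a tag with no entry is removed, which
# is the safe default for unknown and private (vendor) tags.
TAG_ACTIONS = {
    "PatientName": "remove",
    "PatientID": "hash",          # stable pseudonym keeps one patient's studies linked
    "PatientBirthDate": "remove",
    "ReferringPhysicianName": "remove",
    "InstitutionName": "remove",
    "AccessionNumber": "hash",
    "StudyDate": "shift",         # keep intervals between studies, hide real dates
    "Modality": "keep",
    "BodyPartExamined": "keep",
    "PixelSpacing": "keep",
}


def pseudonymize(value: str, secret: str) -> str:
    """Keyed hash. The secret stays with the Data Fiduciary, never with the
    dataset, so the released data alone cannot be mapped back to the patient."""
    digest = hashlib.sha256(f"{secret}:{value}".encode("utf-8")).hexdigest()
    return digest[:16]


def shift_date(yyyymmdd: str, days: int) -> str:
    """DICOM DA value (YYYYMMDD) shifted by a per-patient offset."""
    d = date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))
    return (d + timedelta(days=days)).strftime("%Y%m%d")


def scrub_header(header: dict, secret: str, shift_days: int) -> dict:
    """Stage 1: apply TAG_ACTIONS; anything not explicitly kept, hashed or
    shifted is not copied into the output."""
    out = {}
    for keyword, value in header.items():
        action = TAG_ACTIONS.get(keyword, "remove")
        if action == "keep":
            out[keyword] = value
        elif action == "hash":
            out[keyword] = pseudonymize(str(value), secret)
        elif action == "shift":
            out[keyword] = shift_date(str(value), shift_days)
    return out


def mask_burnt_in(pixels, regions):
    """Stage 2: zero the rectangles where the modality burns text into the
    image (name banners, annotation boxes). regions are (r0, r1, c0, c1)
    half-open ranges; the input is copied, not modified."""
    rows = [list(r) for r in pixels]
    for r0, r1, c0, c1 in regions:
        for r in range(r0, min(r1, len(rows))):
            for c in range(c0, min(c1, len(rows[r]))):
                rows[r][c] = 0
    return rows


# Stage 3: identifiers that appear in free-text reports. Constructed patterns
# for the Indian context (UHID, +91 mobile numbers); tune against real reports.
REPORT_PATTERNS = [
    (re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*"), "[NAME]"),
    (re.compile(r"\b\d{2}[/-]\d{2}[/-]\d{4}\b"), "[DATE]"),
    (re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b(?:MRN|UHID|ACC)[:#\s-]*[A-Z]{0,3}\d[A-Z0-9-]*\b", re.I), "[ID]"),
]


def scrub_report(text: str) -> str:
    """Stage 3: replace each matched identifier with a typed placeholder."""
    for pattern, token in REPORT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify_study(header, pixels, burnt_in_regions, report, secret, shift_days):
    """Run all three stages; the result is what may leave the fiduciary."""
    return {
        "header": scrub_header(header, secret, shift_days),
        "pixels": mask_burnt_in(pixels, burnt_in_regions),
        "report": scrub_report(report),
    }


# Constructed sample study (not real patient data).
SAMPLE_HEADER = {
    "PatientName": "KUMAR^RAMESH", "PatientID": "UHID-4455-77",
    "PatientBirthDate": "19700115", "StudyDate": "20240312",
    "AccessionNumber": "ACC-0001", "Modality": "CR", "BodyPartExamined": "CHEST",
    "InstitutionName": "City Hospital", "OperatorsName": "tech01",
    "(0009,0010)": "VENDOR CREATOR",   # private tag, no policy entry: dropped
}
SAMPLE_PIXELS = [[100] * 6 for _ in range(4)]   # top row holds a burnt-in banner
SAMPLE_REPORT = ("Mr. Ramesh Kumar (UHID: 4455-77), examined on 12/03/2024, "
                 "contact +91 9876543210. Findings: no focal consolidation. "
                 "Reported by Dr. Anita Singh.")

if __name__ == "__main__":
    result = deidentify_study(SAMPLE_HEADER, SAMPLE_PIXELS, [(0, 1, 0, 6)],
                              SAMPLE_REPORT, secret="demo-secret", shift_days=-37)
    print(result["header"])
    print(result["pixels"][0], result["pixels"][1])
    print(result["report"])
```

Two design points carry over to any real pipeline: the header stage must be an allow-list, because the tags an anonymizer has never heard of (private vendor tags, newly added attributes) are exactly the ones that leak, and the report stage is only as good as its patterns, so its output needs sampling and manual review before a dataset is declared "Safe Harbor".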

Proposed Data Governance Flow for AI

Patient Data (PACS/RIS)
  ↓
Step 1: Consent Verification
Check for explicit, specific consent for AI/research use.
  ↓
Step 2: De-Identification
Apply robust anonymization to images and reports. Create a "Safe Harbor" dataset.
  ↓
Step 3: Ethics & Legal Review
Secure approval from the internal ethics committee for the specific research project.
  ↓
Secure Data Sharing to AI Developers
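The flow above is a gate with three ordered checks, and the "Improper Consent for AI" scenario earlier on this page is what happens when the first check is skipped. The following added example, not the authors' system or any product, encodes the flow as a release decision: consent must name the AI/research purpose (a general treatment consent fails), must not have been withdrawn, and must cover third-party developers when the recipient is external; the study must already have passed de-identification; and the ethics approval must be current and cover the specific dataset. Every evaluation is written to an audit trail whether or not the study is released. The consent fields, project identifier and dates are constructed.

```python
"""Release gate implementing the three steps of the governance flow:
consent verification, de-identification check, ethics and legal review,
with every decision written to an audit trail. Added illustration, not the
authors' system; consent record fields, project ids and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AI_RESEARCH = "ai_research"   # the purpose a general treatment consent does not cover


@dataclass(frozen=True)
class Consent:
    patient_id: str
    purposes: frozenset            # e.g. frozenset({"treatment"})
    third_party_ok: bool           # sharing with an external AI developer agreed
    withdrawn_on: Optional[date] = None


@dataclass(frozen=True)
class EthicsApproval:
    project_id: str
    dataset_scope: str             # the dataset the committee actually approved
    valid_until: date


@dataclass(frozen=True)
class Study:
    accession: str
    patient_id: str
    dataset_scope: str
    deidentified: bool             # set by the de-identification stage


def check_consent(consent: Optional[Consent], today: date, external: bool):
    """Step 1. Returns (ok, reason). Treatment consent alone never unlocks AI use."""
    if consent is None:
        return False, "no consent record"
    if consent.withdrawn_on is not None and consent.withdrawn_on <= today:
        return False, "consent withdrawn"
    if AI_RESEARCH not in consent.purposes:
        return False, "only general treatment consent on file"
    if external and not consent.third_party_ok:
        return False, "consent does not cover third-party developers"
    return True, "specific consent verified"


def check_ethics(approval: Optional[EthicsApproval], study: Study, today: date):
    """Step 3. Approval must be current and cover this dataset, not merely exist."""
    if approval is None:
        return False, "no ethics approval"
    if approval.valid_until < today:
        return False, "ethics approval expired"
    if approval.dataset_scope != study.dataset_scope:
        return False, "ethics approval covers a different dataset"
    return True, "ethics approval verified"


def evaluate_release(study, consent, approval, today, audit, external=True):
    """Run the steps in order and stop at the first failure. Every evaluation,
    released or not, is recorded so the fiduciary can show what was checked."""
    ok, reason = check_consent(consent, today, external)
    if ok and not study.deidentified:          # Step 2
        ok, reason = False, "study not de-identified"
    if ok:
        ok, reason = check_ethics(approval, study, today)
    audit.append({
        "accession": study.accession,
        "project": approval.project_id if approval else None,
        "date": today.isoformat(),
        "released": ok,
        "reason": reason,
    })
    return ok, reason


if __name__ == "__main__":
    today = date(2025, 6, 1)
    audit = []
    study = Study("ACC-1", "P1", "chest_xray_deidentified", deidentified=True)
    treatment_only = Consent("P1", frozenset({"treatment"}), third_party_ok=False)
    full = Consent("P1", frozenset({"treatment", AI_RESEARCH}), third_party_ok=True)
    approval = EthicsApproval("PRJ-1", "chest_xray_deidentified", date(2025, 12, 31))
    print(evaluate_release(study, treatment_only, approval, today, audit))
    print(evaluate_release(study, full, approval, today, audit))
    for entry in audit:
        print(entry)
```

The order of the checks matters: consent is verified before any de-identified copy is produced, so a study whose patient never agreed to AI use is not even processed, and the audit entry records which step stopped a release and why.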

Insights from Leading Global Institutions

Top medical centers worldwide are pioneering advanced strategies for data privacy that can serve as models for Indian institutions preparing for the DPDP Act.

Mayo Clinic

  • Patient Consent: Utilizes a clear opt-out model for research, ensuring patients are informed and can easily withdraw consent.
  • Data Governance: Employs a robust, centralized data governance platform to manage and audit access to clinical data for research.
  • Federated Learning: Is a leader in using federated learning, an approach where AI models are trained across multiple institutions without centralizing and exposing patient data.

Stanford Medicine

  • Secure Data Enclaves: Created the Stanford Research Repository (STARR), a secure environment where researchers can analyze clinical data without extracting it, minimizing breach risks.
  • AI Ethics: Has a dedicated Center for AI in Medicine and Imaging (AIMI) that focuses on ethical guidelines for AI development, including fairness and transparency.

Harvard (MGH & BWH)

  • Large-Scale De-identification: Have developed and published sophisticated, automated pipelines for de-identifying vast repositories of clinical notes and reports to create research-ready datasets.
  • Privacy-Preserving ML: Actively researches and applies techniques like differential privacy, which adds mathematical noise to data to protect individual privacy while allowing for aggregate analysis.

About This Study

This project synthesizes clinical experience with legal expertise to provide a practical guide for the Indian radiology community in navigating the new era of data privacy. The findings are based on a structured data collection process from a diverse set of healthcare institutions across India, aiming to create a baseline understanding of current practices and future needs.

Dr. Sharad Maheshwari

Clinical Lead & Radiologist

Mr. Sujeet Katiyar

DPDP Act Expert & Legal Counsel

© 2025. This research is intended for informational purposes and does not constitute legal advice.

A project for the Indian Journal of Radiology.