I now have all the content from the textbook. Here is the complete DPDP Act coverage from Narayana Reddy:
DPDP Act (Digital Personal Data Protection Act, 2023) - KS Narayan Reddy (FMT)
Source: The Essentials of Forensic Medicine and Toxicology, 36th Edition (2026), pp. 593-595 - Chapter on Cyber Forensics & Medical Data Privacy
What is the DPDP Act?
The Digital Personal Data Protection (DPDP) Act, 2023 is India's primary legislation governing digital personal data. In the context of forensic medicine and healthcare:
- Recognizes health data as "sensitive personal data"
- Mandates explicit patient consent for data processing
- Enacted in 2023 (the book also references it as 2013 in one place - this is a typo in the text; the correct year is 2023)
Context: Indian Legal Framework for Medical Data Privacy
As per Narayana Reddy, medical data privacy in India is governed by these laws together:
| Law | Key Provision |
|---|
| DPDP Act, 2023 | Recognizes health data as "sensitive personal data"; mandates explicit patient consent for data processing |
| IT Act, 2000 + IT Rules, 2011 | Declares medical history as personal data; requires patient consent before data collection and sharing |
| MCI (Professional Conduct, Etiquette and Ethics) Regulations, 2002 | Mandates confidentiality of patient records, except where disclosure is legally required |
| Clinical Establishments Act, 2010 | Requires hospitals/clinics to maintain medical records while ensuring patient privacy |
| RTI Act, 2005 | Government-maintained medical records of convicted/detained individuals may be disclosed upon request in special cases |
| HIPAA (US reference) | Chain of custody, secure health information, documented investigation compliance |
DPDP Act in the Cyber Forensics Context
The textbook specifically places the DPDP Act within cyber forensics and medical record security:
When investigating a medical data breach, cyber forensics must ensure compliance with:
- DPDP Act, 2023 - India
- HIPAA - USA
- GDPR (General Data Protection Regulation) - Europe
- PIPL (Personal Information Protection Law) - China
Best Practices Under DPDP Compliance (as per textbook)
- Use strong encryption - AES-256 encryption for stored data; End-to-End encryption for data transmission
- Limit access - Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), automatic log-offs
- Monitor system activity - Cybersecurity tools to detect unauthorized access
- Regular security audits - Check for vulnerabilities and fix them
- Masking and anonymization - Hide personal details when sharing data for research
- Incident response plan - Have a response team ready in case of data breach
- Blockchain Technology - Tamper-proof records and access control
- Firewall and Intrusion Detection - Prevents unauthorized access, malware, and cyber threats
Future Outlook (Narayan Reddy)
- AI and machine learning will enhance forensic analysis and threat detection
- Blockchain in healthcare may offer immutable audit trails, improving trust and traceability
- Interdisciplinary collaboration between IT experts, forensic analysts, and doctors is key to advancing medical data security
- Cybersecurity-by-design integration in Electronic Health Record (EHR) systems is essential
Important Landmark Case (Related Context)
Mr. Surup Singh Hrya Naik vs State of Maharashtra (2007) - Bombay High Court:
- Addressed conflict between medical confidentiality and the RTI Act, 2005
- Ruled that RTI Act can override medical privacy in specific cases
- Held that Right to Information precedes Right to Privacy for convicted/detained individuals whose medical records are government-maintained
Key Exam Points
- DPDP Act, 2023 is India's digital personal data protection law
- Classifies health/medical data as "sensitive personal data"
- Requires explicit consent before processing patient health data
- Must be understood alongside IT Act 2000, MCI Regulations 2002, and Clinical Establishments Act 2010
- In Narayana Reddy, DPDP Act is discussed under Cyber Forensics and Medical Data Privacy - not as a standalone chapter
- Global equivalents: HIPAA (USA), GDPR (Europe), PIPL (China)
- The Essentials of Forensic Medicine and Toxicology (Narayan Reddy), 36th Ed., pp. 593-595