Laws & Legal Compliances for BioPharma Companies involved into Genetics & Genomics
With the vast population of India also comes a vast ethnic diversity of genetic ancestry. More than knowing about familial ties, genome sequencing, with this prognostic character, has become a very useful source of information in order to predict the likely course of medical conditions that an individual is susceptible to. It points towards the mutations present in the gene, which when present, puts the person at higher risk of inducing the disease in their lifetime than the person in whom such mutation is found to be absent. However, the potential carried by such data collection and interpretation process continue to be the area with very little investigation, discussion and evaluation along with zero regulatory framework in India. Although there are a very few number of BioPharma Companies in our country and there are very few legislations to cover the ambit of genetics and genomics yet there are certain legal compliances which these Corporations have to comply by and fulfil and the same have been discussed here.
What is Genome Sequencing ?
Before appreciating the advantages associated with genetic sequencing, it becomes essential to understand the concepts behind it.
DNA: Deoxyribonucleic acid (DNA) are chemical compounds which constitute a set of unique codes that are hereditary material.
Genes: The cells of our body use specific sections of a DNA sequence along the tightly packed strands of these chemical compounds which act as templates for the body to form proteins and other important molecules for it to function. This is called genes. The differences in the sequence of the gene result in variation of the instruction and that is what makes us different from our ancestors and leads to our individuality.
Genome: The complete sum of the DNA in a living organism becomes a genome which is not uniform across humans or remains static throughout an individual’s life.
Genome Mapping vs Genome Sequencing: The two terms are often used interchangeably by the users turning a blind eye towards the fine line of differences that make them distinct from each other. Genome mapping identifies various landmarks in a genome and is less detailed in nature, whereas genome sequencing tells us the entire sequence or order of every DNA compound within the genome and gives a detailed portrait of the body. Genetic testing detects and reveals the mutations within the genome which causes illness in our bodies.
The area of genome sequencing and testing has been changing dynamically over the years and has led to transforming shift in the biotech market leading to commercialization of such tests. Direct-to-consumer companies came into picture was through international programme of Human Genome Project of 1990 which inspired the initiation of the ‘Genome India Project’ in January 2020 by the Department of Biotechnology in India. It has become an important government funded project which aims to analyse and de-code the diseases and traits that make up diverse background through genome data.
Legal Challenges & Legal Compliances to be followed by the Intermediary or the Service Provider-BioPharma Companies:
A company acts as a service provider by reaching out to the consumer and acting as an ‘intermediary’ in order to facilitate the people in getting their genetic testing and/or genome mapping results by being a point of contact between the laboratories and the consumers. With such position of an intermediary, comes various legal obligations which mandates the company to comply with statutory provisions.
i. Liability of a Company as an Intermediary: The Information Technology (IT) Act, 2000 aims to give recognition to the importance and issues of data protections and other security issues by giving it a legal framework and protect the users from its mala fide usage. Under section 2(1)(w) of the Act, an ‘intermediary’ is defined as a person who receives electronic records from one person and stores or transmits such information received electronically to provide any service with respect to these records. The definition also includes ‘online-market place’ within the ambit of qualifying as an ‘intermediary’ under law. When it comes to a company which aims at collecting ‘personal data or samples’ with the intention of transmitting such information to a laboratory in order to give their consumers their test results on genome mapping, they act an ‘intermediary’ under the IT Act. Moreover, they would fall under the ‘online-market places’ which act intermediary in connecting the buyers and sellers.
• Duties as an Intermediary: The Act of 2000 also lays down various caveats and rules that an intermediary must comply with in order to not be held liable for breach of duty. Under Section 67C, an intermediary is legally required to preserve and retain the electronic records in the manner and format the Central Government may prescribe, which when intentionally and with full knowledge is contravened, makes the intermediary liable under sub-section 67C(2). Further, an intermediary is mandated under section 69(3) to provide technical assistance to any agent authorized by the Central or State government and given them the power to access the electronic resources generating, transmitting, receiving or storing such information. If such intermediary fails to perform the required legal obligations, they will be liable under sub-section 69(4). However, the Government can only initiate such process when they have reasonable doubt that it is necessary to do so in order to:
a. protect the sovereignty & integrity of India,
b. defend India and protect the security of the State,
c. maintain friendly foreign relations and affairs, or
d. to maintain public order and prevent the incitement of any cognizable offence.
Similar powers are extended to Central Government under Section 69B to call upon an intermediary to provide access to the resources when it reasonably believes that such is done with the intention to enhance cyber security and gather information in order to monitor traffic data.
• Provisions in case of Contravention: Under Section 72A, an intermediary who breaches their duties under a lawful contract, which guaranteed security to material containing personal information about another person, by disclosing such information with the intent or knowledge of the wrongful loss or gain without the consent of the person whose information has been recorded shall be punished with imprisonment or fine or both. However, Section 79 exempts an intermediary from any liability in case of any third-party information made available or listed by them. Under explanation of Section 79 it has been stated that ‘third-party information’ means the information collected by an intermediary in his capacity as an intermediary. It is important to understand here that section 79 only acts as a defence and does not lend a blanket immunity to the intermediaries. In order to claim the defence, the intermediary must also comply with the requirements of ‘observing due diligence’ under sub-section (2) and must not have ‘conspired, abetted, aided or induced, to commit the unlawful act under sub-section (3). They must after receiving or notified with the knowledge of such unlawful material must also disable the access to the it. In the landmark case of Shreya Singhal v. Union of India, AIR 2015 SC 1523, the Hon’ble Supreme Court examined the scope of responsibility and liability of an intermediary. It was held that the exemption granted to an intermediary is subject to the provisions of section 79(3), whereby if an intermediary receives “actual knowledge” either from Court order or is notified by the government or its agency, must disable the access to any such material complained of, simultaneously adhering to Article 19(2) of the Indian Constitution. Hence, limitations were put on the actions taken on the pretext of self-knowledge and made it mandatory for it to receive a Court Order.
iii. Liability to Protect Data: The IT Act also invites both, civil and criminal, liability on failure to meet the data protection requirements. Section 43-A of the IT Act states the compensation awarded by law in the case where there is failure to protect data which is sensitive and personal in nature. Section 43 lays down various cyber contraventions which when committed leads to civil liability. Section 72, as stated above, mentions that any person, who intentionally and knowingly, discloses any electronic data in violation of data privacy and protection that every individual has a right to, will be punished with imprisonment and fine.
iv. Application of General Data Protection Regulation (GDPR) read with Information Technology (IT) Rules, 2011: General Data Protection Regulation implemented by the European Union continues to hold the position of EU as one of the biggest markets for the Indian companies. However, due to lack of data protection laws in India, the companies face various legal challenges. Data Protection Bill, 2019 has not been enacted into a law yet, leaving the Country with relatively weaker laws to protect the data and that constantly makes it difficult for the organisations to enter into data processing agreements. Hence, to do away with this conflict, Article 3 of GDPR clearly states that these regulations are applicable to Indian organizations irrespective of the fact that ‘whether the processing takes place in the Union or not’. Article 21 of the Indian Constitution protects the right to privacy of individuals in the country. One way of protecting their right to privacy is by protecting their data which shouldn’t be compromised on any reasoning. The Supreme Court in the celebrated case of R.M. Malkani v. State of Maharashtra, (1973) 1 SCC 471, asserted that the Court, in no circumstances, will permit any impediment in the guaranteed right of privacy to any citizen of India. The landmark case of Justic K.S. Puttaswamy v. Union of India, AIR 2017 SC 4161, the Court upheld the right to “life”, “liberty” and “privacy” of all individuals. However, India currently has no statute specific to protecting medical confidentiality of any person. Under section 3(36) of the Personal Data Protection Bill, 2019 (PDPB) has categorised data into “sensitive personal data” which covers genetic data within its ambit. Along with PDPB, another Act at the Bill stage yet to be declared a law is Digital Information Security in Healthcare Act (DISHA). The objective behind DISHA is similar to that of PDPB 2019, however it primarily focuses on electronic health data, its privacy and confidentiality protection. It also applies to clinical establishments and diagnostic laboratories. It element of ‘consent’ is stricter in DISHA as compared to PDPB 2019 which comes with its exceptions. Under Chapter IV of the Draft Bill of DISHA, section 28 declares confidentiality of health data as every individuals right. The main statute currently in place in order to deal with the troubles of breach of confidentiality is Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which when read with the regulations given under GDRP lay out a set of governing laws in India which aim to protect data privacy. With the differences and similarities between the set of laws, the Indian companies are mandated to comply with both.
• Consent: Rule 5 of the IT Rules emphasizes on the importance of obtaining consent from the provider of information for the purpose of such collection and this shall be made in writing/fax/e-mail. The same has been stated under Article 5 of the GDPR. Although the IT Rules do not define ‘consent’, GDPR under Article 12(11) defines consent which shouldn’t be unambiguous in nature and requires data controllers to make the importance of this element explicit as a prerequisite to the provider.
• Lawful Purpose: Under the same provisions of both the regulations, it has been further stated that collection of ‘personal or sensitive data’ is not allowed unless the intent or purpose behind such is ‘lawful’ and the processing of this data should be ‘lawful, fair and transparent’.
• What qualifies for ‘Sensitive Personal Data’: Rule 3 of IT Rules enumerates a list of item which are to be considered as ‘personal information’ in the eyes of law. Rule 3(v) states “medical record and history” among other things which makes it mandatory for the company acting as an intermediary in the case of genome mapping will be held liable in case of not complying with the Rules. Article 9 of GDPR goes further and also includes other items such as “racial or ethnic origin, processing of genetic data” etc, to categorise them as ‘personal data’.
• Rights given to the Company: Rule 7 lends rights to any corporation situated in India to transfer any ‘sensitive data’ to another corporation which ensure similar levels of data protection as mentioned in the IT Rules. These transfers are allowed only in the situations where the contract makes it obligatory to perform the act and avoid breach of agreement. When an information provider withdraws their consent under the right given to them in Rule 5(7), the corporation has the right to avail the option of not providing them with the goods and services for which the information was collected. Chapter 5 of the GDPR lays down set of articles which allow and govern personal data transfers to ‘third countries or international organisations’ along with reasonable caveats and adequate decisions and procedure in order to ensure the protection of the data (Article 44-50).
• Rights given to the Information Provider: Rule 5(3) makes it necessary for the corporation to ensure that the provider has been given all the necessary information in order to make an informed decision and consent to it. The person has a right to knowledge of purpose and storage of collection. Rule 5(6) gives the right to the provider to seek the collector corporation and review the information given by the former. It also gives them the right to rectify the information that the provider finds to be inaccurate. Most importantly, the consent given by the provider has the right to withdraw their consent under Rule 5(7). The withdrawal of the consent has to be given to the corporation in writing. The Articles of GDPR only adds to the list of rights given the information providers. For example, right to erasure (Article 17), right to restrict the processing of data (Article 18), right to object (Article 21), among the few given in Chapter 3 of the regulation which talks about the rights of the data subject.
• Penalty on Disclosure: The punishment under section 43A and 72A of the IT Act has already been discussed above. In addition to this, both, the IT Rules and GDPR, contain provisions to penalise with fines and compensations in case of a breach. However, the procedure followed under both is different from each other. Rule 8(1) provides for a corporation to prove that they took security and safety measures in to ensure the protocol for information security has been followed and complied with. GDPR does not impose any criminal liability on the offender, unlike the IT Act which imposes both. It only contains of compensation for the damage done. Access to this compensation has been made a right under Article 82 of GDPR whereas IT Act convicts a person of any liability for negligence if proven that measures were taken to protect the information and hence, does not give access to any right to the aggrieved for the damage caused due to infringement.
v. Application of Consumer Protection Act, 2019: Section 85 of the Act makes any ‘product service provider’ liable under the section if the service provided to the consumer is either,
• if the product faulty, imperfect, deficient or inadequate, or
• manner of performance is not what contractually was agreed to, or
• nature of performance was not fulfilled in accordance with the contractual obligation.
Section 85(b): If there is any harm caused to due to an act of commission, omission, negligence or conscious withholding of information. Hence, if the information provider is given proper knowledge of the data collecting tools and such withholding of information by the service provider causes any damage to the information provider, they will be held for a product liability action.
Section 85(c): If the service provider does not issue ‘adequate instructions or warning’ in order to prevent any probable harm that can be caused by the product.
Section 86 states the liabilities of a product seller who does not manufacture the product they sell and shall be held liable for the harm caused to its consumer due to the product sold to them under circumstances as laid under the provision.
Section 87 provides for exceptions or defence from product liability action in case a product sold by a service provider causes harm to the consumer. For example, when the product is misused, altered, or modified by the consumer and this change in the purpose has caused harm to the consumer or if the danger was obvious in nature or is commonly known are a few to mention. Under the powers granted to the Central Government by the Consumer Protection Act, 2019, a notification on consumer protection on e-commerce was released in 2020. Consumer Protection (E-Commerce) Rules, 2020 put forward the duties, liabilities and rights of e-commerce entities while carrying out their business in an online marketplace. Rule 5 makes it mandatory for every e-commerce entity to include the terms and conditions governing their business with the consumers, information regarding refund, return, exchange, delivery and shipment should be provided to the consumers. Under Rule 6(5), every entity is mandated under law to provide details of redressal address which a consumer can approach for their grievances.
vi. Intellectual Property Rights (IPRs) & Intermediaries:
• Under the IT Act & Rules: The legislation in India consists very little on the liabilities arising from Intellectual Property Rights of an intermediary. Rule 3(1) of Information Technology (Intermediaries Guidelines) Rules, 2011 states that an intermediary must observe due diligence in discharging its duties that it does not ‘infringe any patent, trademark, copyright or other proprietary rights’. In Amway India Enterprises Pvt. Ltd. v. 1Mg Technologies Pvt. Ltd, (2019) 178 DRJ 95, the Division Bench held that not following the Intermediary Guidelines, 2011 will make an e-commerce platform liable under the law. Additionally, any intermediary indulging in value-added services in order to gain profits out of it does not dilute their role as an e-commerce platform and hence, cannot be prevented from using the safe harbour given to them under section 79 of the IT Act, 2000.
• Under Copyrights Act, 1957: In the case of Kent RO Systems Ltd. v. Amit Kotak, (2017) 240 DLT 3, the High Court was of the opinion that although Intermediary Rules oblige the recipient of the complaint to remove the content causing infringement, it is not required of an intermediary to detect the content infringing the copyright suo moto as it is not the power vested in the intermediary to do so and such unreasonable screening would lead to the interference in the daily conduct of the business. With the amendment of The Copyrights Act, 1957 in 2012, a new clause was added to section 52, forming the most important change brought about in the legislation. Under clause 52(1)(c), intermediaries have been provided safe harbour arising from the fact that are merely the conveyor of the information that is to be provided to the user. This clause also absolves the intermediary of any liability at the pretext of infringement of copyrights unless the offender had the knowledge of such contravention and had reasonable grounds to believe that the storage of the copy will lead to infringement. In the case of Myspace v. Super Cassettes Industries Limited, 2011 (48) PTC 49 (Del), the Delhi High Court bench held that unless an intermediary has actual or constructive knowledge and not mere awareness of the infringement, they cannot attract liability.
• Under Copyright Rules, 2013: Chapter XIV of the Copyright Rules, 2013 lays down the rules and requirements to be fulfilled by the complainant when an intermediary infringes their copyright under section 52(1)(c). Such notice, after being received by the person responsible, who once satisfied with the details given thereunder, is obligated to facilitate the changes required to undo such infringement for the next 21 days or until a competent court sends a restraining order within 36 hours of receiving the take-down notice.
• Trademark Act, 1999 & Patents Act, 1970: Section 81 of the IT Act declares that the Act has an overriding effect in case of any inconsistencies with other statues. However, in the case of Christian Louboutin Sas v. Nakul Bajaj, (2015) 216 DLT (CN), the Court held that the provisions Trademark Act, 1999 is to be read harmoniously with the provisions of IT Act as sections 29, 101 and 102 of the Trademark Act define the scope of ‘conspiring, abetting, aiding or inducing’ an unlawful act as stated under Section 79(3) of the IT Act. Hence, the two cannot be stated as inconsistent with each other and section 81 will not have an overriding effect if there are any contraventions made by an e-commerce platform with respect to the Trademark Act. Moreover, an intermediary will be denied safe harbour if there is an infringement of the Trademark Act. The same has been held to be equally valid in the case of Patents Act, 1970.
vii. Role of Advertising Standards Council of India (ASCI):
• What is ASCI?: ASCI was established in 1985 and is primarily a regulatory body in charge of issuing guidelines, rule and standards to be followed while making advertisements. Their aim is to promote honesty while representations and avoid any misleading claims the advertisements which can in turn prove to be detrimental and hazardous to the audience or consumer. ASCI comprises of Consumer Complaints Council and a board which consists of one members from advertisers, the agency indulging in advertisement, press and other related sectors. The advertisements governed and regulated by ASCI can be visual or audio or both. However, ASCI is voluntary self-regulatory council and is non-binding. But the Delhi High Court took a different approach in analysing the jurisdiction of ASCI in the case of Metro Tyres Ltd v. MRF Ltd, (2019) 262 DLT 734. It held that ASCI shouldn’t be excluded from the purview of adjudicating a case of infringement within the powers conferred upon the District Court under Section 62 of Copyright Act and Section 134 of the Trademark Act, 1999. It led to the expansion of powers and the scope of its role as a self-regulatory body.
• ASCI Code read with Drugs and Cosmetic Act, 1940: Section 3(b)(iv) defines “drug”, among other things, as a “device intended for internal or external use in diagnosis, treatment, mitigation or prevention of disease or disorder in human beings”. Hence, any sample collection kit intended for a diagnosis can be regulated as “drugs” under the Act, for example, a syringe meant for blood collection. Chapter IV of the Act defines ‘misbranded drug’ with respect to manufacture, sale and distribution under Section 17(c) as a drug which contains of any “statement, design or device which makes any false claim for the drug, or which is false or misleading’. ‘Misbranded drugs’ and their manufacture and sale is prohibited under Section 18(a)(i). Rule 109-A of Drugs and Cosmetics Rules makes it mandatory for the medical devices to be labelled and other details in order to identify the device and its usage. Schedule R-1 under the 1945 Rule states that the medical device shall conform to the standards laid down under Bureau of Indian Standard. Further, under Chapter XI of Medical Devices Rule of 2017, provisions for sale of medical devices has been laid down, subject to the provisions of Drugs and Cosmetics Rules, 2015. Depending on the classification of devices given under Medical Devices Rules, a State Drugs Controller shall be the licensing and competent authority in the matter relating to sale or distribution of devices depending on the class they belong to. Hence, both ASCI and the Drug Control Administration work to safeguard the public from any misleading advertisement and prevent exploitation of gullible public on false claims and therefore, are read in compliment with each other.
• ASCI Code read with Drugs and Magic Remedies (Objectionable Advertisements) Act, 1954: The DMR Act, 1954 and its objectives are similar to the ASCI, that is, to govern and regulate the advertisement of drugs in order to prohibit false claims of it being connected to “magic remedies and qualities”. If a consumer complains to the ASCI of any such fraud being conducted against them through advertisements, they can hold such advertisement liable under the contraventions of DMR Act. In a company facilitating genome sequencing, it is important to note that it is to inform the person of probable diseases and health problems likely or unlikely to occur in them. However, it heavily depends on the lifestyle of the person undergoing the process and cannot be a “magic remedy” to his concerns of health concerns.
viii. Website Compliances: The website of an intermediary must comply with the Intermediary Rules, 2011. Rule 4 states that the Terms and Conditions and Policies of the corporation must be published on its website in order to ensure an informed decision from the people engaging. Rule 5(9) makes it mandatory for every corporation to assign a Grievance Officer and public his/her details on the website to address the discrepancies of its consumers. The same has also been stated under Rule 3 and due diligence required to be observed by the corporation. These policies must be in accordance with the laws of India in order to defend the corporation in a situation of any legal conflict or disagreement.
Legal Challenges & Legal Compliances to be followed by the Pathology Laboratories & Testing Labs:
i. Consumer Protection: Section 2(1) of the Consumer Protection Act, 2019 defines an “appropriate laboratory” as one that is either recognised by the Central or the State government, unless specified otherwise. Section 38(2)(f) allows a consumer to contest the correctness of the method of analysis or test adopted by the “appropriate laboratory”. In the case of Vidya Devi (since deceased) through LR’s v. Dr. R. Mahendroo, II (2008) CPJ232 (NC), it was held that an overdose or incorrect diagnosis of the patient by the doctor leads to medical negligence. The laboratories must comply with the rules and requirements of duty of care which need to be undertaken in order to avoid any medical negligence. In another important case of Chandigarh Clinical Laboratory v. Jagjeet Kaur, IV (2007) CPJ157 (N.C.), it was held that it is immaterial a wrong or ‘deficient’ blood report has caused harm or not. It will, in all circumstances, amount to medical negligence or be called as ‘deficiency in service’ under the Consumer Protection Act. The same view was taken by the Hon’ble commission in the case of Sh. Arvind Kumar v. Dr. Surendra Kumar Kaushik, Appeal No. 383/2007. The Commission discusses the degree of care that needs to be complied by the diagnostic labs in the case of Smt. Yashoda Goyal v. Dr. Ahuja Pathology & Imaging Centre, Consumer Complaint No. 04/2006. It was held that the degree of diligence, skill and care required can be adjudged through the reasonable care, knowledge, expertise of practitioner, which if complied with, cannot be held liable for medical negligence.
ii. The Clinical Establishments (Registration and Regulation) Act, 2010: The Act makes it mandatory for all “clinical establishments” to be registered. Section 2(c)(ii) defines a “clinical establishment” as an independent or established entity in connection with the diagnosis of diseases where biological investigations or other diagnostic or investigation services are carried out”. Hence, a laboratory must be registered under this Act according to the procedure mentioned. Section 11 of the Act states that no “clinical establishment”, unless registered in accordance with the procedures of the Act, can carry out its business and run it. Section 31 lays down the ground of cancellation of registration of a clinical establishment if the authority is satisfied that such entity has not complied with mandated provisions of the act.
iii. Clinical Establishments (Central Government) Rules, 2020: Amendment to the existing Rule of 2012 brought about some important changing in the requirement of compliances by the laboratories in the matters of ‘authorised signatories’. Depending on the area of diagnosis covered by the lab, the minimum qualifications of the Technical Head of Laboratory or Specialist or Authorised signatory must be assigned who will also be the person liable in case the authenticity of the report is proved to be otherwise in a Consumer Court, Medical Council or other Courts.
• Report Signatories and Right to Information: The validity of the report signed by a non-medical person was challenged in the case of Dr. Rohit Jain v. Medical Council of India, 2019 SCC OnLine CIC 11378, where the appellants, under Right to Information application, sought information regarding the authorised signatory of the medical report. It was held by the Supreme Court that the laboratories must, under their FAQ section of the website, provide clarifications and interpretation of the policies for the convenience of the citizens and their right to information.
iv. Accreditations Required: National Accreditation Board for Testing and Calibration Laboratories (NABL) is an autonomous body gives accreditation to diagnostic testing laboratories. In the case of medical laboratories, the accreditation is given in accordance with ISO 15189. NABL accreditation, although voluntary, is a practice that is advised to follow for reasons such as monitoring of lab records, examination and inspection of machines involved, quality of technicians participating checked.
v. Biological Samples at the Lab & Intellectual Property Rights for R&D: Laboratories with the access to biological samples hold a valuable position with respect to potential interventions essential for the purpose of Research and Development (R&D). The sharing of these biological materials for research attracts the implication carried by the laws governing Intellectual Property Rights. This issue has been explored very little in India. The research may also result in new inventions which then require to be protected under patent or copyright laws. In 1997, the government released a set of guidelines under the title “Exchange of Human Biological Material for Biomedical Research Purposes”. It broadly covered guidelines to comply with in case transactions between parties where one is a ‘donor’ of the biological material and the other one is ‘recipient’ of the material for biomedical research. It also includes exchange of the materials with foreign countries. The laboratories must comply with the principles of material transfer agreement (MTA) which emphasizes on marking and maintaining the proof of ownership of the provider. From the point of view of a recipient, any new invention must be protected that has arisen out of research conducts on the biological materials received. The donor must also maintain the confidentiality of the information of the person whose biological material is put to research use. In case of any necessary disclosure required, a prior consent must be obtained.
vi. Laboratories and Data Confidentiality: The laws which govern the intermediaries with respect to data privacy and data protection are the laws which govern the laboratories as well. Section 43-A of the IT Act, 2000 mandates the laboratories to comply with the obligation to protect ‘sensitive personal information’ of any individual that they are in possession of. This also includes information like health, sexual orientation or medical records in general. The breach of compliance is punished under Section 72of the Act. In 2016, the Ministry of Health and Family Welfare released a notification of Electronic Health Record Standards which seek the compliance of Privacy and security standards to ensure the data safeguards. The laboratories must ensure that their workforce complies with such standards, policies and procedures too.
vii. ICMR’s Guidelines for Good Clinical Laboratory Practices, 2021 (GCLP):
i. Chapter 2 of the guidelines include “Genetics” within the scope of clinical laboratories which need to follow GCLP.
ii. Chapter 22 emphasises on data integrity and data protection/confidentiality that should be maintained at any cost.
iii. Laboratory Information System (LIS), as mentioned under Chapter 22 of the guidelines, must be used by a laboratory which is the means of recording data electronically of individual samples in order to protect security of the data.
Compliance with GCLP allows a laboratory to provide data on which people can rely on. It is ensure inspection of facilities available for clinical research and activities to safeguard the integrity of data generated from the tests conducted at the laboratories.
The laboratories in India continue to stay highly unregulated either due to the fact that States have not notified or implemented statutes, like Clinical Establishment (Registration & Regulation) Act of 2010 enacted by the Parliament, within their territories, considering the fact that “Health” falls under State List of the Indian Constitution, or the laws in place are not followed and goes unnoticed due to lack of authorities in the area to keep a check on them. Minimum efforts have been taken to form regulations to govern the establishment or regulate the existing laboratories in India. There are hardly any existing laws governing the MTAs in India which leads to various issues in case of a foreign transaction with the countries which already have IPR laws in place and gives rise to asymmetry of power.
Lack of any data security laws in place has proved to make people hesitant when it comes to medical records which put them at a potentially vulnerable place. India is a party to various Conventions, Treaties, Agreements bilaterally as well as multilaterally. However, this has proved to be of little use when it comes to legal challenges faced by the medical and e-commerce sector within the borders of the Country. With the application of GDPR rules in India comes various challenges such as risk of huge penalties on Indian Companies in case of non-compliance.
Other jurisdictions like the US has provisions like Health Insurance Portability and Accountability Act (HIPAA) of 1996 which ensures the protection of health information of its patients. Whereas India still only has few regulations and rules governing the issues very loosely and nowhere exclusively. EU has GDPR which recognizes laws exclusive to health data protection. Despite the advantages of genome mapping and sequencing, there exists only a few labs in India which aim to make differences in the society. A rise and shift has been observed in the past few years within the area of practice as corporations have taken up molecular diagnostics to offer health solutions based on genetic tests, advisory and counselling. This upsurge has brought the attention of Parliament and adjudicators, who have initiated the steps towards filling the legal void in the area.
Authored By; Adv. Anant Sharma & Rukman Banka