Data Governance in Healthcare: Must-Have Checks and Balances
Mar 13, 2026
Introduction
India is undergoing a major shift in how medical information is handled, moving from paper files to a unified digital ecosystem. At the heart of this transformation is the Ayushman Bharat Digital Mission (ABDM), a government initiative designed to create a seamless digital health infrastructure. By assigning every citizen a unique Ayushman Bharat Health Account (ABHA), the mission enables the interoperability of health records across clinics, hospitals, and pharmacies nationwide.
Massive data, however, comes with massive responsibility. The rules of the road have been redefined by the Digital Personal Data Protection (DPDP) Act, 2023. This legislation treats healthcare providers that decide why and how patient data is processed as Data Fiduciaries, placing the burden of privacy and lawful data processing squarely on their shoulders.
At the same time, healthcare in India is digitalising rapidly. Electronic medical records (EMRs), hospital information systems (HIS), laboratory information systems (LIS), telemedicine platforms, AI-driven diagnostics and even wearable IoT devices are now standard tools in clinical practice. Each of these systems collects, stores and shares personal data across multiple touchpoints: registration desks, diagnostic labs, pharmacies, insurance providers, third-party cloud vendors and research institutions. Once the same data is reachable through many digital channels, the risk profile is more complex than, and different from, that of a traditional paper ledger. What is required instead is a structured, continuously monitored framework of checks and balances that protects data at every stage of its lifecycle. In India, effective data governance is a statutory obligation for healthcare centres: the sensitive personal data they hold, health data above all, must be secured in an increasingly digitised environment.
The shift toward digital healthcare in India is anchored by a governance framework that prioritises patient autonomy. Unlike traditional models, where data is often siloed and static, the Indian ecosystem under the Digital Personal Data Protection (DPDP) Act, 2023 operates on checks and balances that ensure accountability.
Must Have Checks & Balances
1. Consent Management (The Consent Manager Model) with Healthcare-specific Nuance
India has a unique Consent Manager mandate through the Ayushman Bharat Digital Mission (ABDM). Unlike Western systems that often rely on broad opt-out clauses, the Indian model uses an electronic framework in which a Consent Manager acts as a content-blind intermediary: it records and relays the patient's consent and routes data requests, but does not itself read the health records that flow between the provider holding them and the party requesting them. Patients can grant, manage and revoke consent at a fine grain. For instance, a patient can choose to share their lab reports with a specialist for exactly 48 hours without granting access to their entire medical history.
GoTrust’s Consent and Preference Management platform helps healthcare organisations design purpose-specific consent flows that can be embedded at different touchpoints: registration forms, patient portals, telemedicine apps and even offline paper forms that are later digitised. The system records when and how consent was obtained, the exact text shown to the patient, and the context. This creates a verifiable audit trail that satisfies the DPDP requirement that Data Fiduciaries bear the burden of proving valid consent.
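The 48-hour, lab-reports-only grant described above is a policy that has to be enforced at the moment a clinician asks for a record. The following is an added example, written for this article and not code from GoTrust or from the ABDM Consent Manager: a minimal consent store that holds purpose-bound, scope-bound, time-bound artefacts, evaluates every access request deny-by-default, honours revocation, and keeps the text shown to the patient plus every decision for the audit trail. The artefact field names, identifiers such as `HIU-specialist-7`, and the scenario data are assumptions constructed for the example, not the ABDM schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentArtefact:
    """One purpose- and time-bound grant. Field names are this example's own,
    not the ABDM consent-artefact schema (assumption)."""
    artefact_id: str
    patient_id: str            # e.g. an ABHA number; the format is not modelled here
    requester_id: str          # clinician or facility that may receive the data
    purpose: str               # the purpose named in the notice shown to the patient
    record_types: frozenset    # record categories the grant covers, nothing else
    granted_at: datetime
    expires_at: datetime
    notice_text: str           # exact wording the patient saw, kept for the audit trail
    revoked_at: Optional[datetime] = None


class ConsentStore:
    """Holds artefacts and answers one question, deny-by-default:
    may this requester see this record type for this patient, for this purpose, now?"""

    def __init__(self) -> None:
        self._artefacts: dict[str, ConsentArtefact] = {}
        self.decisions: list[dict] = []   # every evaluation, allowed or denied, with its reason

    def grant(self, artefact_id: str, patient_id: str, requester_id: str, purpose: str,
              record_types, notice_text: str, granted_at: datetime,
              valid_for: timedelta) -> ConsentArtefact:
        art = ConsentArtefact(artefact_id, patient_id, requester_id, purpose,
                              frozenset(record_types), granted_at,
                              granted_at + valid_for, notice_text)
        self._artefacts[artefact_id] = art
        return art

    def revoke(self, artefact_id: str, at: datetime) -> None:
        # Revocation takes effect from `at`; earlier accesses remain valid in the audit trail.
        self._artefacts[artefact_id].revoked_at = at

    def evaluate(self, requester_id: str, patient_id: str, record_type: str,
                 purpose: str, now: datetime) -> tuple[bool, str]:
        reason = "no consent artefact covers this requester and patient"
        for art in self._artefacts.values():
            if art.patient_id != patient_id or art.requester_id != requester_id:
                continue
            if record_type not in art.record_types:
                reason = f"{art.artefact_id}: {record_type} is outside the granted scope"
                continue
            if purpose != art.purpose:
                reason = f"{art.artefact_id}: purpose '{purpose}' differs from the granted purpose"
                continue
            if art.revoked_at is not None and now >= art.revoked_at:
                reason = f"{art.artefact_id}: revoked at {art.revoked_at.isoformat()}"
                continue
            if not (art.granted_at <= now < art.expires_at):
                reason = f"{art.artefact_id}: outside the validity window"
                continue
            return self._record(True, f"{art.artefact_id}: allowed",
                                requester_id, patient_id, record_type, now)
        return self._record(False, reason, requester_id, patient_id, record_type, now)

    def _record(self, allowed: bool, reason: str, requester_id: str, patient_id: str,
                record_type: str, now: datetime) -> tuple[bool, str]:
        self.decisions.append({"at": now.isoformat(), "requester": requester_id,
                               "patient": patient_id, "record_type": record_type,
                               "allowed": allowed, "reason": reason})
        return allowed, reason


if __name__ == "__main__":
    # Constructed scenario: lab reports shared with one specialist for exactly 48 hours.
    t0 = datetime(2026, 3, 13, 9, 0, tzinfo=timezone.utc)
    store = ConsentStore()
    store.grant("c-001", "ABHA-demo-1", "HIU-specialist-7", "referral consultation",
                {"LabReport"}, "Share my lab reports with the referred specialist for 48 hours.",
                t0, timedelta(hours=48))
    print(store.evaluate("HIU-specialist-7", "ABHA-demo-1", "LabReport",
                         "referral consultation", t0 + timedelta(hours=1)))
    print(store.evaluate("HIU-specialist-7", "ABHA-demo-1", "DischargeSummary",
                         "referral consultation", t0 + timedelta(hours=1)))
    print(store.evaluate("HIU-specialist-7", "ABHA-demo-1", "LabReport",
                         "referral consultation", t0 + timedelta(hours=49)))
```

The point of the design is that the denial reason is always specific (wrong scope, wrong purpose, revoked, expired) and that denials are logged as carefully as grants; a complaint from a patient or an audit by the Board is answered from `decisions` and `notice_text`, not reconstructed from memory.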
2. Data Discovery and Classification
One of the foundational problems in healthcare data governance is simply knowing where personal data lives. A mid-sized hospital might operate an EMR system, a separate billing system, a laboratory information system, a radiology picture archiving system (PACS), a pharmacy management system, patient portals, appointment scheduling tools, telemedicine platforms and various departmental spreadsheets and shared drives. Each of these systems collects and stores different slices of a patient’s personal data. Without continuous, automated data discovery, it is nearly impossible to honour data subject rights requests, enforce retention policies or respond accurately to breach investigations.
GoTrust’s Data Discovery and Classification tools are built precisely for this complexity. The platform scans structured databases (EMR tables, billing records) and unstructured sources (PDF discharge summaries, scanned consent forms, email attachments) to identify and classify personal data, including health-related fields such as diagnoses, medications, lab results, imaging reports and doctor’s notes. The classification engine uses AI-driven pattern recognition and industry-specific regex models to detect PII even when it is not neatly labelled.
Discovery also underpins data minimisation. The Act requires that personal data be collected and used only for a lawful purpose and in accordance with the notice given to the Data Principal, which in turn rules out collecting unnecessary or excessive information. Organisations should gather only what is genuinely needed for a specific clinical or administrative purpose. If a diagnostic centre performs a blood sugar test, for instance, it should request only the information relevant to that test, not unrelated genetic or demographic details. Limiting collection in this way also reduces what is exposed in the event of a breach.
3. Vendor Risk Management for Healthcare Centres
The challenge is that healthcare vendors often have access to the most sensitive data: full medical histories, diagnostic images, genomic data and mental health records. A breach at a vendor can be as damaging as, or more damaging than, an internal breach, yet many healthcare organisations lack structured processes for vendor oversight. Contracts may not include DPDP-aligned clauses on breach notification timelines, sub-processor approval, data deletion on termination or audit rights. Vendor security postures may not be assessed before onboarding or monitored continuously after the contract is signed.
GoTrust’s Vendor Risk Management platform addresses this by creating a centralised, structured processor registry. Healthcare organisations maintain an inventory of all vendors who process personal data, including the categories of data they handle, the systems they access and the contractual terms governing their processing. The platform automates periodic vendor assessments, distributing security questionnaires, collecting evidence such as ISO 27001 or SOC 2 certifications, and scoring vendor risk based on their responses.
4. Breach Notification and the 72-Hour Breach Report Check
Under Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, healthcare organisations must intimate the Data Protection Board of India and each affected Data Principal of a personal data breach. The Rules clarify that an initial intimation goes to the Board without delay and a detailed report within 72 hours of becoming aware of the breach, and that patients must be notified without delay in clear, non-technical language, specifying the nature of the breach, its likely consequences and the steps taken to mitigate harm.
GoTrust’s Policy and Breach Management platform provides structured incident logging, risk rating and notification preparation tools. When a suspected breach is detected, whether through internal security monitoring, a vendor alert or a patient complaint, the platform guides the organisation through a structured response workflow: logging the incident, classifying it by severity, determining whether it qualifies as a notifiable breach under the Act, conducting root cause and impact assessments, and preparing templated notifications for the Board and affected patients.
5. Access Controls, Audit Trails and Security Safeguards
Section 8(5) of the DPDP Act requires Data Fiduciaries to implement “reasonable security safeguards” to prevent personal data breaches. Rule 6 operationalises this: personal data must be secured through measures such as encryption, obfuscation, masking or tokenisation; access must be controlled; access must be made visible through logging, monitoring and review, with logs retained for at least one year; and continuity measures such as backups must be in place. In practice, for a hospital that translates into encryption at rest and in transit, multi-factor authentication, role-based access control and comprehensive activity logging.
GoTrust’s compliance automation platform integrates with identity and access management (IAM) systems to enforce role-based access controls. Access is provisioned based on documented roles and responsibilities, and de-provisioned automatically when staff change roles or leave the organisation. The platform also aggregates activity logs from EMR systems, billing platforms, lab systems and file servers into a centralised audit trail. Every instance of personal data access (who accessed which patient record, when, from which device and what actions were taken) is logged with tamper-evident timestamps.
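A centralised audit trail is only useful as evidence if an administrator, or an attacker with database access, cannot quietly edit or drop entries. The following is an added example, not code from GoTrust or from any EMR vendor: a role check on patient-record access whose every attempt, allowed or denied, is appended to a hash-chained log in which each entry carries an HMAC over its own content plus the previous entry's MAC. `verify()` walks the chain and reports the first entry whose sequence number, back-link or MAC no longer checks out, so editing, reordering or deleting an entry is detectable. The role table, user and device names, and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role model (assumption): which actions each role may take on a patient record.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "lab_tech": {"read_lab", "write_lab"},
    "billing_clerk": {"read_billing"},
}

GENESIS = "0" * 64   # chain head before any entry exists


class AuditLog:
    """Append-only log where each entry is MAC'd together with its predecessor's MAC.
    Editing, reordering or deleting any entry breaks every link from that point on."""

    def __init__(self, key: bytes) -> None:
        self._key = key          # held by the log service, never by the applications writing to it
        self.entries: list[dict] = []
        self._head = GENESIS

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        # Deterministic serialisation of everything except the MAC itself.
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def append(self, event: dict) -> dict:
        entry = dict(event)
        entry["seq"] = len(self.entries)      # position in the chain
        entry["prev"] = self._head            # MAC of the previous entry
        entry["mac"] = hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self._head = entry["mac"]
        return entry

    def verify(self) -> tuple[bool, int]:
        """(True, n) for an intact chain of n entries; (False, i) for the first bad entry i."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()
            if (entry.get("seq") != i or entry.get("prev") != prev
                    or not hmac.compare_digest(expected, entry.get("mac", ""))):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def access_patient_record(log: AuditLog, user: str, role: str, patient_id: str,
                          action: str, device: str, now: datetime) -> bool:
    """Role-based check; the attempt is logged whether it is allowed or denied."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append({"ts": now.isoformat(), "user": user, "role": role, "patient_id": patient_id,
                "action": action, "device": device, "decision": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    # Constructed events: two legitimate accesses, one over-reach by a billing clerk.
    log = AuditLog(b"demo-only-key-keep-real-keys-in-an-hsm")
    now = datetime(2026, 3, 13, 9, 0, tzinfo=timezone.utc)
    access_patient_record(log, "dr.rao", "physician", "P-1001", "read", "ward-ws-12", now)
    access_patient_record(log, "clerk.s", "billing_clerk", "P-1001", "read", "billing-ws-07", now)
    access_patient_record(log, "tech.k", "lab_tech", "P-1002", "write_lab", "lab-03", now)
    print("intact:", log.verify())
    log.entries[1]["decision"] = "allow"       # someone rewrites history
    print("after tampering:", log.verify())
```

Two operational notes. The MAC key must live with the log service (ideally an HSM or KMS), because anyone holding it can re-sign a rewritten chain; and the current head MAC should be anchored periodically somewhere the log administrators cannot change, such as a write-once store or a signed daily digest, so that truncating the chain from the end is also detectable.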
6. Data Retention and Deletion with Legal Nuance
The DPDP Act requires Data Fiduciaries to retain personal data only for as long as necessary to fulfil the specified purpose, and to delete it when the purpose is fulfilled or consent is withdrawn, unless retention is mandated by another law. For healthcare, this principle collides with a complex web of retention obligations imposed by other statutes and regulations. The Clinical Establishments Act and its Rules require hospitals to maintain medical records for specified periods. The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations require doctors to maintain patient records for at least three years. Insurance and medico-legal considerations may require even longer retention.
At the same time, the DPDP Rules introduce a 48-hour pre-erasure notice: before erasing personal data whose retention period has run out, the organisation must intimate the Data Principal at least 48 hours in advance, so that they can re-engage or object before erasure proceeds. GoTrust’s retention and deletion workflows are built to handle this complexity. Organisations configure retention matrices that specify how long each category of health data is retained for each purpose, with explicit links to legal obligations where they apply. For example, “diagnostic imaging retained for seven years per Clinical Establishments Act; discharge summaries retained for three years per Indian Medical Council regulations; billing records retained for seven years per Income Tax Act”. The platform continuously monitors data age, flagging records that are approaching their retention expiry.
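The hard part of the section above is the collision: a patient withdraws consent, DPDP says erase, but a sector statute says keep the record for years. The following is an added example, not GoTrust's retention engine or any vendor's code, of a retention decision function that takes the longest applicable statutory floor across a record's categories, treats consent withdrawal during that floor as "retain but stop processing", honours legal holds, and then drives the notify / wait 48 hours / erase sequence. The retention periods are the article's own illustrative figures and must be confirmed against current law; the record fields and scenario dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative retention floors in years, taken from the article's example matrix.
# Assumption: confirm each against the current statute before relying on it.
RETENTION_RULES = {
    "diagnostic_imaging": ("Clinical Establishments Act", 7),
    "discharge_summary": ("Indian Medical Council regulations", 3),
    "billing_record": ("Income Tax Act", 7),
}

NOTICE_PERIOD = timedelta(hours=48)   # DPDP Rules pre-erasure notice


@dataclass
class Record:
    record_id: str
    categories: tuple                      # one record may fall under several floors
    created_at: datetime
    purpose_active: bool = False           # e.g. treatment still ongoing
    consent_withdrawn: bool = False
    legal_hold: bool = False               # medico-legal case, litigation, regulator request
    erasure_notice_sent_at: Optional[datetime] = None
    objection_received: bool = False


def _add_years(d: datetime, years: int) -> datetime:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                     # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def statutory_deadline(record: Record) -> tuple[datetime, str]:
    """Latest retention floor across every law that applies, with the law that sets it."""
    deadline, basis = None, ""
    for cat in record.categories:
        law, years = RETENTION_RULES[cat]
        candidate = _add_years(record.created_at, years)
        if deadline is None or candidate > deadline:
            deadline, basis = candidate, law
    return deadline, basis


def decide(record: Record, now: datetime, notice_period: timedelta = NOTICE_PERIOD) -> tuple[str, str]:
    """Returns (action, reason). Actions: hold, retain, retain_restricted, notify, wait, erase."""
    deadline, basis = statutory_deadline(record)
    if record.legal_hold:
        return "hold", "legal hold overrides erasure; review before any deletion"
    if now < deadline:
        if record.consent_withdrawn:
            return "retain_restricted", (f"consent withdrawn but {basis} requires retention "
                                         f"until {deadline.date()}; storage only, no other processing")
        return "retain", f"within {basis} retention period until {deadline.date()}"
    if record.purpose_active and not record.consent_withdrawn:
        return "retain", "statutory floor passed but the purpose is still being served"
    if record.objection_received:
        return "hold", "Data Principal objected after the erasure notice; review before deleting"
    if record.erasure_notice_sent_at is None:
        return "notify", f"retention floor ({basis}) passed; send the 48-hour erasure notice"
    elapsed = now - record.erasure_notice_sent_at
    if elapsed < notice_period:
        return "wait", f"notice sent {elapsed} ago; erasure permitted after {notice_period}"
    return "erase", f"notice period elapsed with no objection; {basis} floor passed on {deadline.date()}"


if __name__ == "__main__":
    # Constructed scenario: an admission from 2019 with imaging and a discharge summary.
    utc = timezone.utc
    today = datetime(2026, 3, 13, tzinfo=utc)
    rec = Record("R-2019-0042", ("diagnostic_imaging", "discharge_summary"),
                 datetime(2019, 6, 1, tzinfo=utc), consent_withdrawn=True)
    print(decide(rec, today))             # imaging floor runs to 2026-06-01, so retain_restricted
    old = Record("R-2022-0007", ("discharge_summary",), datetime(2022, 1, 10, tzinfo=utc))
    print(decide(old, today))             # floor passed in 2025: notify
```

Note what the function deliberately does not do: it never erases a record the day consent is withdrawn, and it never erases on the strength of one category's period when another category on the same record is still within its floor. Both are the mistakes an automated deletion job makes when it is driven from the DPDP rule alone.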
7. Integration with Sector-Specific Laws
Healthcare organisations must ensure compliance not only with the DPDP Act but also with sector-specific laws such as the Clinical Establishments (Registration and Regulation) Act, 2010, the Mental Healthcare Act, 2017, the Indian Medical Council regulations, insurance laws, and, where applicable, the Drugs and Cosmetics Act and the Biomedical Waste Management Rules. Each of these imposes distinct obligations concerning data handling, confidentiality, patient rights, and record-keeping. Notably, the Mental Healthcare Act grants individuals with mental health conditions the right to confidentiality and access to their medical records, except where disclosure may cause serious harm, and permits the nomination of representatives to exercise data-related rights when a person lacks decision-making capacity. The DPDP Rules also allow for such nominations, but healthcare entities must ensure that these align with the more stringent representative framework prescribed under the Mental Healthcare Act.
GoTrust’s governance platform allows healthcare organisations to map DPDP obligations alongside sector-specific requirements, ensuring that consent flows, retention policies, access rights and breach procedures respect both frameworks. This prevents situations where compliance with one law inadvertently creates non-compliance with another.
Operationalising Checks and Balances at Scale with GoTrust
While healthcare compliance tasks such as managing consent, maintaining vendor inventories, sending breach notifications, and reviewing access rights can theoretically be handled manually, such processes quickly become unmanageable in large healthcare settings that process vast amounts of patient data daily.
GoTrust’s integrated platform automates these governance functions, transforming them from periodic checks into continuous workflows. It enables real-time data discovery, consent management, vendor risk monitoring, and breach response through automated schedules, alerts, and audit-ready dashboards. Access controls integrate with identity management systems, while retention and deletion operations run on defined timelines with verified execution.
For Significant Data Fiduciaries handling large-scale personal data, the platform also facilitates compliance with enhanced obligations like publishing DPO details, completing annual DPIAs, and conducting security audits. Overall, GoTrust provides a scalable, transparent, and auditable compliance framework that offers real-time assurance of lawful health data management.
Conclusion
The integration of the Ayushman Bharat Digital Mission (ABDM) and the Digital Personal Data Protection (DPDP) Act, 2023 marks a defining moment for Indian healthcare. We are moving away from a fragmented ecosystem toward a Privacy-by-Design ecosystem where the patient is the true custodian of their health information. While the shift brings heavy mandates, such as Data Protection Officers for Significant Data Fiduciaries and Consent Managers, the long-term benefits far outweigh the initial compliance burden.
The checks and balances outlined in this blog (consent management with healthcare-specific nuance, continuous data discovery and classification, structured vendor risk oversight, breach response workflows built around the 72-hour detailed report, role-based access controls and audit trails, retention and deletion aligned with sector laws, and integration with the Mental Healthcare Act and the Clinical Establishments framework) are not aspirational. They are the minimum necessary to meet DPDP obligations in a healthcare context.
GoTrust’s platform provides the operational layer that turns these checks from policy commitments into living, auditable workflows. By automating discovery, consent, vendor management, breach response, access controls and retention, the platform allows healthcare organisations to focus on their primary mission, delivering care, whilst maintaining robust, scalable data governance. In a sector where personal data is inseparable from patient safety, that alignment is not optional. It is foundational.
