The Sri Lankan Data Protection Act, And Its Impact on Digital Health

The data protection act in Sri Lanka is a highly awaited and timely act to enable data protection in Sri Lanka. It was passed in the parliament on 9th March 2022 [1]. Even though there are similar acts to protect personal data in other countries such as the HIPAA (Health Insurance Portability and Accountability Act) since 1996 and the GDPR (Health Insurance Portability and Accountability Act) since 2016.

History of data protection in Sri Lanka

The constitution of Sri Lanka in 1978 does not believe that privacy is a fundamental human right. However, several acts since 1978 has being implemented to protect personal information of the citizens of Sri Lanka, [2]

  • The banking act of 1988
  • The telecommunication act of 1991
  • The intellectual property act of 2003
  • The electronic transaction act of 2006
  • The computer crimes act of 2007
  • The right to information act of 2016
  • Code of conduct for health research in Sri Lanka 2018
  • National health performance framework 2018

The latest bill to be introduced to the parliament regarding privacy is the Personal Data Protection (PDP Bill) in 2021, which has been drafted since 2018 by the Ministry of Digital Infrastructure and Information technology.

Importance of Personal Data Protection act to protect health data

Today, large amounts of personal data is being collected via electronic medical records and digital health providers. The amount of data being collected will only grow in the years to come.

Health data regarding patients is intimate and has high personal value, and a potential target for cyber criminals and data brokers. Since there is no personal data protection act in Sri Lanka these organizations which collect health data are not held accountable for their violation in user privacy. 

More accountability and responsibility for organizations to protect health data

The deletion of the database of the NMRA in 2021 is one example of a recent mishandling of health data in Sri Lanka. [3]

A data protection act makes an organization accountable in handling health data and protecting user privacy and the organization will be more responsible in handling this data.

Establishment of the data protection authority

The personal data protection act of 2021 establishes an authority to govern how organizations should process personal information.

According to the act an organization such as hospitals or EMR providers where a data breach has occurred, must inform the Data Protection authority about such breach.  

Establishing the role of data protection officer

The PDP act will ensure that every organization processing health data has a data protection officer and their contact information communicated to the data protection authority. 

The responsibility of the officer include,

  • Advice the organization and employees about personal data protection
  • Making sure an organization ins complying to the PDP act
  • Capacity building of staff in protecting personal data protection
  • Corporate and comply with all instructions issued by the PDP authority 

This means that EMR providers, hospitals and other health data processors will have a PDP officer in future, and this is an essential requirement that will help to protect personal data of patients. 

PDP act defines penalties for not adhering to PDP act

Unlike earlier where above mentioned acts which partially handles personal data, the PDP act clearly defines penalties for not adhering to the act. 

The penalties for mishandling of health data will be determined by the guidelines setup by the PDP act.

This is a great step forward in protecting personal health data, and prevents mishandling and data breaches from the organizations using this health data.

PDP act provides binding rights for health data processors towards patients

The section II of the PDP act defines an important binding rights towards organizations processing health data, these include the right to [4]

  • Access
  • Object
  • Refticiation 
  • Deletion
  • Refrain from further processing 
  • Review automated decision making
  • Appeal to the PDA

 These are very important binding rights for patients to gain control over their data, and not it’s being provided by the PDP act. 

Health data is considered as a special category of data 

Health data,  genetic data, biometric data, data related to sex life and sexual orientation are some of the data considered as special category of data by the PDP act.

The schedule I and II of the PDP act outlines how these special categories of data/health data should be collected and processed. 

These include 

  • The subject should give the processor the consent to collect and process their health data
  • The personal data is necessary for the processor to provide functionality that they have obliged to the client to provide
  • When personal data is required to act on a life saving procedure or an emergency etc
  • When collecting and processing of personal data is needed for scientific research etc

The PDP act is beneficial because currently there is no consent requirement, and guidelines on how to process and handle health data in Sri Lanka. 

Limitations of the PDP act 

PDP can reduce access and portability of healthcare data

The PDP act can be used in instances, where institutions and EMR providers may be able to withhold the data from their patients under the cover of the PDP act.

At the same time organizations can use the PDP for their corporate advantages by limiting interoperability and portability of health data.

No notification to the public about data breaches

Even though organizations are bound to report to personal data authority, they or the authority is not bound to disclose these breaches to the public or affected individuals. 

This makes it difficult for the patients to know if their data has been breached by hackers and to prepare for an event of a fallout from this breached data.

The binding rights are partially complete 

Even though the current bill has the above mentioned binding rights, the current bill lacks several important binding rights that are important for patients in managing their health data. 

These limitations include the rights to,

  • Portability
  • Explanation
  • Represent vulnerable individuals such as elderly and disabled by a third party

As these are important rights especially for health data, it would be better if amendments are included to improve the current act.  

The personal data protection authority is not a fully independent organization

The personal data protection organization is not a fully independent organization, and it is under a minister who has authority over it.

According to legal experts, the minister and the DPA carry too much rulemaking power over personal data, and this power should be limited or the DPA should be made an independent organization.  


  1. Sri Lanka parliament passes data protection act amid privacy concerns –
  3. Deletion of computer database of NMRA could be an act of drug mafia: AG – Latest News –
  4. Sri Lanka Data Protection Bill – Policy Brief_February 2022 –