Research Ethics in the Digital Era: Consent, Privacy and Data Reuse in Healthcare

Introduction

Healthcare research in India has entered a phase where data moves faster than the paperwork meant to govern it. Electronic health records, hospital information systems, wearable health devices, and national digital health infrastructure now generate volumes of patient data that earlier generations of researchers could not have imagined. This data holds genuine promise. It can sharpen diagnostic algorithms, reveal disease patterns across populations, and help India respond more precisely to its unique burden of disease. But every byte of that data originates from a real patient who shared it for one purpose, often without fully anticipating how many other purposes it might later serve.

This is the central tension of research ethics in the digital era. Consent given for a single clinical encounter or a single study does not automatically extend to every future use of that information. Privacy protections designed for paper records do not translate cleanly into a world of cloud storage, data lakes, and machine learning pipelines. And the reuse of health data, while scientifically valuable, raises questions about autonomy, trust, and harm that cannot be answered by technology alone.

For doctors, medical researchers, hospital administrators, and healthcare associations across India, understanding where consent, privacy, and data reuse intersect is no longer an academic exercise. It is a practical necessity shaped by the Digital Personal Data Protection Act 2023, the ICMR National Ethical Guidelines, and the rapidly expanding Ayushman Bharat Digital Mission. This article examines what these frameworks actually require, where the genuine ethical grey areas remain, and how the Indian healthcare ecosystem can move forward responsibly.

Understanding the Basics: What Research Ethics Means in a Data Driven System

Research ethics traditionally rested on three pillars established by the Belmont Report and echoed in ICMR's own guidance: respect for persons, beneficence, and justice. In a digital research environment, these same pillars apply, but the mechanisms for honouring them have grown more complicated.

Respect for persons demands that individuals understand what they are agreeing to and retain the ability to withdraw that agreement. In a digital ecosystem where a single dataset might be deidentified, merged with other datasets, analysed by automated systems, and shared across institutions, that understanding is harder to guarantee. A patient signing a consent form in a Tier 2 city hospital is unlikely to anticipate that their anonymised data might eventually train a diagnostic algorithm used in a completely different state, years later.

Beneficence requires that research benefits outweigh its risks. Digital data reuse often promises significant benefit, larger sample sizes, better statistical power, and insights that single studies cannot produce. Yet the risks have also evolved. Re-identification of supposedly anonymous data has become technically easier as datasets multiply and overlap. A health condition disclosed once can resurface in unexpected combinations of data points.

Justice means that the benefits and burdens of research should be fairly distributed. India's diversity across states, languages, income groups, and digital literacy levels makes this particularly relevant. Populations with lower digital literacy, including many in rural and Tier 2 or Tier 3 regions, may be less equipped to understand consent documents for digital data reuse, even as their data becomes increasingly valuable to researchers and healthtech companies seeking representative datasets.

Three concepts sit at the heart of this evolving landscape, and they deserve clear definitions before going further.

• Informed consent is the documented, voluntary agreement a patient gives after understanding the purpose, risks, and scope of how their data or biological material will be used.
• Data privacy refers to the patient's right to control who accesses their personal health information and under what circumstances.
• Data reuse, sometimes called secondary use, describes any application of previously collected health data for a purpose beyond the one for which it was originally gathered.

The Regulatory Landscape Shaping Consent and Data Reuse in India

India's approach to health data ethics has moved considerably in recent years, and doctors and researchers need a working understanding of where things currently stand.

The Digital Personal Data Protection Act and Rules

The Digital Personal Data Protection Act, 2023 and the associated DPDP Rules 2025 apply to digital personal data processed within India, as well as data processed outside India when it relates to providing goods or services to individuals within the country. The Rules are being rolled out in phases, with emphasis on user consent, data security, data principal rights, and breach reporting, and full compliance is expected by May 2027.

This matters enormously for health research because patient health information falls squarely within the scope of digital personal data once it exists in electronic form. The legislative journey toward this Act can be traced through the World Health Assembly resolution of 2005, India's National Health Policy of 2017, the Srikrishna Committee report, and the urgent need for stronger data-sharing regulation following major incidents such as the 2022 cyberattack on a premier government hospital.

The Act introduces clear definitions for the Data Principal, the Data Fiduciary, the Data Processor, the Consent Manager, and the Data Protection Officer, which together establish patient rights alongside accountability obligations for those who handle health data. For a hospital, a diagnostic chain, a research institute, or a healthtech company, this means data fiduciary responsibilities are not optional add-ons. They are enforceable obligations with a regulatory body behind them.

Importantly, organisations processing personal data must establish a lawful basis for that processing, and valid consent is required for most processing activities under the Act. For health research specifically, this means that consent obtained for treatment purposes cannot be quietly repurposed for research or commercial analytics without a separate, clearly articulated basis.

The Compliance Reality Hospitals Are Facing

The shift is not without friction. Hospitals face substantial demands in IT infrastructure investment, records digitisation, and staff training, which raises both capital and operational costs. At the same time, the framework offers real benefits, including stronger patient empowerment and improved interoperability between health systems. For institutions outside the largest metro hubs, this transition period calls for deliberate planning rather than reactive compliance.

ICMR's Ethical Guidelines and the Role of Ethics Committees

While the DPDP Act governs data as a legal category, the ICMR National Ethical Guidelines for Biomedical and Health Research Involving Human Participants, first issued decades ago and most recently revised in 2017, govern the research conduct itself. These guidelines require every study involving human participants, and by extension their data, to pass through review by a registered Institutional Ethics Committee before it proceeds.

Ethics Committees evaluate informed consent documentation, assess risk to participants, and weigh whether the scientific value of a study justifies any burden placed on participants. When data reuse is proposed, ethics committees are expected to ask whether the original consent reasonably covers this new purpose, and if not, whether fresh consent or a documented waiver is appropriate.

This is precisely where many institutions struggle. Older datasets, sometimes collected over a decade ago, were never built with secondary use or AI training in mind. Reconciling legacy consent language with current ethical expectations remains a persistent challenge for Indian research institutions.

Ayushman Bharat Digital Mission and Consent Infrastructure

Under the Ayushman Bharat Digital Mission, health data exchange between intended stakeholders is permitted only after the patient's consent. This is operationalised through the consent manager, a digital system designed to give patients visibility and control over who can access their linked health records.

The Unified Health Interface under ABDM enables discovery, booking, delivery, and payment of health services across multiple platforms, with patient consent positioned as the central principle. As of January 2026, more than 84.79 crore ABHA IDs have been created, with over 82.69 crore health records linked, reflecting substantial citizen adoption nationwide.

This scale is precisely why consent architecture matters. A framework that works smoothly for tens of millions of linked records, while still respecting individual autonomy for each one, requires far more rigour than a paper-based system ever did. Digital health applications integrating with ABDM must pass through sandbox validation and security audits before going live, helping ensure compliance with ABDM's Health Data Management Policy.

Why Broad Consent and Data Reuse Create Genuine Ethical Tension

Traditional research consent was built around a single, well-defined study. A patient agreed to participate in a specific trial for a specific condition over a specific period. Digital era research often does not fit that mould.

Large hospital networks, research consortia, and biobanks increasingly rely on what is called broad consent, where a patient agrees upfront to allow their data or samples to be used in a range of future studies that cannot be fully specified at the time of consent. This approach has clear practical advantages. It avoids the impracticality of recontacting thousands of participants every time a new research question emerges from existing data.

However, broad consent shifts a meaningful portion of ethical responsibility away from the individual moment of agreement and onto ongoing institutional governance. If broad consent is granted, the burden falls on ethics committees, data governance boards, and institutions to ensure that future uses remain within the spirit of what the patient originally understood and agreed to. Without strong oversight, broad consent can drift into something closer to open-ended permission, which undermines the very autonomy that informed consent is meant to protect.

There is also a meaningful difference between data reuse for clinical research and data reuse for commercial product development. A patient who consents to their anonymised records being used to study disease patterns may feel quite differently about that same data being used to train a proprietary diagnostic algorithm sold to multiple hospital chains. Indian regulatory and ethical frameworks are still developing clearer distinctions here, and this remains an area where institutions should err toward transparency rather than assume implied permission.

Anonymisation Is Necessary But Not Sufficient

A common assumption in healthcare data reuse is that anonymisation solves the privacy problem entirely. Strip out the name, the contact number, and the address, and the data is safe to reuse however needed. This assumption deserves more scrutiny than it typically receives.

Modern data science has repeatedly demonstrated that combining several supposedly anonymous datasets, such as age, pin code, diagnosis date, and treatment pattern, can re-identify individuals with surprising accuracy. India's population density and the increasing digitisation of health records across multiple linked systems through ABDM make this risk worth taking seriously rather than dismissing as theoretical.

This does not mean anonymisation is pointless. It remains a necessary safeguard. But it should be treated as one layer of protection among several, alongside strict access controls, purpose limitation, data minimisation, and ongoing ethics committee oversight, rather than as a single solution that resolves all privacy concerns on its own.

Consent and Data Reuse in the Age of Artificial Intelligence

Healthcare AI development depends on large, diverse datasets, and Indian patient data is increasingly valuable precisely because of the country's population scale and disease diversity. This creates a distinct ethical question that did not exist in earlier eras of medical research: what does meaningful consent look like when a patient cannot fully predict how an algorithm trained on their data might eventually be used, licensed, or commercialised?

Recent academic literature on this question converges on a few consistent themes. Patients generally want to know if their data will be used for AI development, want some say over commercial versus academic use, and want assurance that deidentification is genuinely robust rather than nominal. Health data platforms and AI developers operating in India should treat these preferences as a starting point for consent design, not as obstacles to minimise through vague language.

For doctors and healthcare institutions engaging with healthtech and AI partners, a few questions are worth asking before agreeing to any data sharing arrangement. Is the purpose of data use specified clearly enough that a patient could understand it. Is there a withdrawal mechanism that is genuinely operational rather than symbolic. Has an ethics committee reviewed the arrangement, not just the legal department. These questions protect institutional reputation as much as they protect patients.

Building Ethical Data Governance: What Indian Healthcare Institutions Can Do

Strengthening research ethics in a digital environment does not require waiting for perfect regulatory clarity. Several practical steps are available to institutions right now.

• Establish or strengthen Institutional Ethics Committees with members who understand both clinical research and digital data governance, not just one or the other.
• Review legacy consent forms and identify datasets where reuse for new purposes, including AI development, may exceed what original consent covers.
• Build clear, layered consent language that separates treatment related consent from research related consent from data reuse consent, rather than bundling all three into one blanket form.
• Create an internal data inventory that tracks what health data exists, who can access it, and under what consent basis it was originally collected.
• Train clinical and administrative staff on DPDP Act obligations, since data fiduciary responsibilities extend beyond the IT department into everyday clinical workflows.
• Engage patients in plain language about how ABDM consent manager tools work, since digital literacy gaps remain real across many parts of the country.

None of these steps eliminate the underlying tension between scientific progress and individual autonomy. They do, however, create the kind of institutional accountability that allows both to coexist with integrity.

The Doctor's Role in Protecting Research Integrity

Physicians occupy a unique position in this entire conversation. They are often the first point of contact when a patient is asked to consent to data use, whether for a clinical trial, a registry, or a digital health platform. The trust patients place in their doctor frequently extends, by association, to whatever consent document the doctor presents.

This places a quiet but significant responsibility on clinicians to genuinely understand what they are asking patients to agree to, rather than treating consent forms as administrative formality. Doctors who can explain, in their own words, why a dataset might be reused for future research, what protections exist, and what rights the patient retains, do far more to uphold research ethics than any clause buried in fine print.

Healthcare associations and professional bodies also have a meaningful role here. By creating shared resources and structured discussion around digital consent practices, associations can help doctors across hospitals of every size stay aligned with evolving ethical and regulatory expectations. Platforms built specifically to amplify doctor voices and strengthen association engagement, such as HealthVoice, can support exactly this kind of knowledge sharing, giving the medical community a credible space to discuss practical consent challenges and collectively raise the standard of ethical data governance across India's healthcare ecosystem.

Conclusion

Research ethics in the digital era is not a single problem with a single fix. It is an ongoing negotiation between the genuine value of data-driven medical progress and the equally genuine right of patients to understand, control, and meaningfully consent to how their most personal information is used. India's regulatory landscape, anchored by the DPDP Act 2023, the ICMR ethical guidelines, and the consent infrastructure built into ABDM, has made significant progress toward formalising this balance. But frameworks alone do not create ethical practice. That depends on ethics committees that ask hard questions, institutions that build transparent governance, and doctors who treat consent as a relationship of trust rather than a procedural checkbox.

As India's digital health ecosystem continues to scale, the institutions and professionals who take consent, privacy, and responsible data reuse seriously today will be the ones who sustain public trust tomorrow, and that trust is, ultimately, what makes large-scale health research possible at all.

Frequently Asked Questions

Q1: What is the difference between primary consent and broad consent in health research?

Primary consent applies to a specific study that a patient knowingly joins. Broad consent allows researchers to reuse the same data or biological samples across a wider range of future studies that may not be fully defined at the time of consent. Broad consent is generally considered acceptable only when strong ethics committee oversight and clear withdrawal mechanisms remain in place.

Q2: Does the DPDP Act 2023 apply to health research data in India?

Yes. The DPDP Act and the DPDP Rules 2025 apply to digital personal data processed within India and to data processed outside India when it involves providing goods or services to individuals in the country. Health research data collected or stored digitally, including data linked through ABDM, falls within this scope, with compliance being phased in through May 2027.

Q3: Can hospitals share patient data with AI companies without separate consent?

Generally, no. Using patient data to train or validate an AI model is typically treated as a new processing purpose distinct from treatment, which usually requires either specific fresh consent or a clearly documented, ethics-committee-approved justification, combined with rigorous deidentification practices.

Q4: What role does the ABDM consent manager play in research data reuse?

The ABDM framework permits health data exchange between stakeholders only after the patient gives consent, and the consent manager is the digital system that lets patients see and approve specific data access requests, creating a traceable consent record that supports both clinical care and ethically governed research use.

Q5: Who oversees research ethics for health data reuse in India?

Institutional Ethics Committees, operating under the ICMR National Ethical Guidelines framework, review and approve research protocols involving human data, including proposals to reuse existing datasets. The Data Protection Board of India separately handles enforcement and grievance redressal under the DPDP Act for digital personal data matters.