Beyond Consent: Ensuring Meaningful Protection of Genetic Data Under India’s Digital Personal Data Protection Act,2023

Abstract

India’s Digital Personal Data Protection Act (DPDPA) adopts a notice-and-consent-based framework for data protection; it treats all personal data, including genetic data, as a singular category without accounting for its unique characteristics. Unlike ordinary personal data, genetic data is inherently relational; it reveals information not just about an individual but also their biological relatives. Moreover, the risks associated with the processing of genetic data extend beyond identifiability, such as the potential for its misuse in law enforcement or to discriminate in matters of employment or insurance. Despite these concerns, the DPDPA fails to offer a nuanced regulatory approach, lacks a clear definition of genetic data, and does not impose heightened safeguards for its processing.

This article identifies the limitations of the DPDPA’s notice-and-consent-based model in regulating genetic data processing and argues for a shift toward a harm-based framework. It proposes key reforms, such as the classification of genetic data into categories based on sensitivity, an expanded definition of the data principal to include affected blood relatives, and risk-based processing guidelines that categorize genetic data processing into prohibited, high-risk, medium-risk, and low-risk processing. Additionally, this article advocates for stronger privacy by design and by default requirements, mandatory data protection impact assessments (DPIAs), and the introduction of rights such as data portability and right to restrict processing. Further, to ensure effective enforcement, it recommends strengthening grievance redressal mechanisms, introducing compensation for privacy harms, and imposing proportionate criminal liability for negligent handling of sensitive genetic data.

By addressing these gaps, this article underscores the need for a strong legal framework that moves beyond notice and consent to provide meaningful privacy protections for genetic data in India’s evolving digital landscape.

Keywords

Genetic data privacy notice and consent privacy harms privacy by design and by default data protection

Introduction

In 2018, publicly available genetic databases were used by U.S. law enforcement authorities to identify the Golden State Killer.¹ Investigators matched DNA from crime scenes with samples voluntarily submitted to genealogy websites. However, this raised significant privacy concerns, as many individuals were unaware that their genetic data, shared for ancestry research, could be accessed by law enforcement authorities for unintended purposes. This case highlights broader challenges in genetic data privacy and the need for clear legal and ethical safeguards.

Genetic data is widely used across various fields, including healthcare, forensic science, genealogy, and personalized medicine. For instance, in healthcare, it enables early diagnosis of genetic disorders, informs treatment plans, and supports the development of precision medicine tailored to an individual’s genetic makeup.² In forensic science, DNA analysis aids in criminal investigations by identifying suspects and exonerating the innocent.³ Genealogical services, such as ancestry tracing, allow individuals to explore their heritage and familial connections.⁴ Genetic data also plays a crucial role in pharmacogenomics, helping to determine how individuals respond to specific medications, thereby improving drug efficacy and reducing adverse effects.⁵ Similarly, it may be used for private eugenics that would allow parents to choose the genetic characteristics of their offspring and reduce the possibility of them inheriting diseases or negative traits like dwarfism.⁶

While the use of genetic data analytics seems promising, it also raises critical legal and ethical questions pertaining to use and ownership of genetic data, and individual rights such as privacy, dignity, and equality. The misuse of genetic information can lead to discrimination, stigmatization, and the unfair allocation or denial of opportunities, including health insurance, employment prospects, and other social benefits.⁷ Likewise, while private eugenics may be helpful in preventing genetic abnormalities in the offspring, it may also be misused to perpetuate gender disparity or traits like fair skin color that may be perceived to be valuable by society.⁸

In light of these complexities, legal frameworks must balance the benefits of processing genetic data with strong privacy protections. Several jurisdictions like the European Union (EU) recognize the sensitivity of genetic data and allow its processing only in specific circumstances with heightened safeguards.⁹ However, most data protection frameworks like the European Union’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act, 2023 (DPDPA) rely on the notice and consent-based model of privacy that overlook the relational nature of genetic data and the unique risks associated with its processing.¹⁰

This article examines India’s data protection framework under the DPDPA in this context, arguing for a more nuanced harm based and relational approach to genetic data privacy. A clearer understanding of the risks associated with the processing of genetic data will enable stronger privacy protections while allowing responsible use for societal benefit.

Definitions and Scope

Before addressing the arguments of this article, it is important to clarify the term genetic data as used in this discussion. For the purposes of this article, genetic data refers to information derived from biological samples that identify an individual’s inherited or acquired genetic traits, including insights into their health and physiology. Genetic data are both unique, as they can identify an individual, and inalienable, as they cannot be fully transferred or fabricated.¹¹ They are different from other personal data as they affect not just the proband from whom they are derived but also their biological relatives and remain relevant long after the death of the proband.¹²

Genetic data include genomic sequence, phenotype information, inheritance patterns, and nongenetic data linked to genome expression.¹³ The genomic sequence is central to heredity and phenotype determination.¹⁴ Phenotype information allows genetic inferences; for instance, a single variation in a gene may affect multiple traits through pleiotropy.¹⁵ Inheritance patterns reveal genetic predispositions.¹⁶ Further, nongenetic data linked to genome expression, such as the environmental conditions, also influence phenotypic outcomes.¹⁷

This article considers genetic data as a category of biometric data, based on legal definitions and judicial interpretations.¹⁸ Biometric data include personal data processed through specialized techniques to identify individuals based on physical, physiological, or behavioral traits.¹⁹

It must, however, be clarified that not all genetic data are identifying, and also the different types of genetic data impact privacy in different ways. Hence, the GDPR classifies genetic data into three categories; first the genetic data that requires special protection, because it is identifying and is sensitive due to association with health or physiology⁹; second, the genetic data that is identifying but is like any other ordinary personal data; and third is the nonpersonal genetic data.²⁰

On the other hand, DPDPA and the Draft Digital Personal Data Protection Rules, 2025 (DPDPR) apply only to the genetic data that is identifying. This is because they define “personal data” as “any data about an individual who is identifiable by or in relation to such data.”²¹

Understanding Genetic Data Privacy

Due to the predictive nature of genetic data, early discussions on genetic data privacy emphasized upon the ownership rights of the proband.²² Fears regarding their misuse led to “genetic exceptionalism,”²³ emphasizing the need for strict privacy protections. The “right not to know” one’s genetic predispositions further reinforced ownership and autonomy-based models of genetic data protection.²⁴ Consequently, laws in the United States prioritized individual autonomy, allowing only limited exceptions, such as processing for paternity tests.²⁵ Likewise, the EU allowed limited research exceptions under the EC Data Protection Directive 95/46/EC.²⁶

Gradually, large-scale genomic sequencing weakened the ideas of individual ownership and autonomy. The 1996 Bermuda Principles promoted open data sharing,²⁷ and UNESCO’s 1997 Universal Declaration on the Human Genome and Human Rights symbolically recognized that the genome belongs to humanity.²⁸ Nevertheless, individual autonomy remained at the core of genetic data protection due to concerns about reidentification from genetic data.²⁹

Most frameworks like the GDPR have, hence, adopted a notice-and-consent model, emphasizing upon transparency, data minimization, and purpose limitation.³⁰ Similarly, though ethical guidelines like the Helsinki Declaration aim to prevent harms like discrimination, they rely upon informed consent and confidentiality.²⁹ However, this model is inadequate for protecting genetic data as it pertains to more than one individual and is indefinitely relevant. Further, advancements in technology allow genetic data to be combined with other information, creating highly detailed profiles.³¹ Therefore, an individual cannot fully comprehend the implications of their consent for processing their genetic data. Hence, obtaining informed consent for the processing of genetic data is nearly impossible.

In light of these limitations, some frameworks like the HUGO Ethics Committee’s Statement on Pharmacogenomics, 2007³² and the International Declaration on Human Genetic Data, 2003³³ have adopted a relational model for protecting genetic data. Further, the Genetic Information Non-Discrimination Act, 2008 in the United States has adopted a harm-based approach to prevent discrimination.³⁴ Other laws too must adopt a relational and harm-based model for protecting genetic data. They should categorize genetic data by risk, enforce privacy-by-design rules, and hold data processors accountable.

DPDPA and Genetic Data Privacy

As aforementioned, genetic data is unique as it relates to both the proband and their relatives. Sensitive attributes like race may be inferred from it, raising concerns about discrimination. However, despite its unique nature, the DPDPA and DPDPR treat identifying genetic data as ordinary personal data, and do not extend protection to deidentified genetic data or nongenetic data linked to genomic expression.³⁵ As per Section 3(c)(ii) of the DPDPA, the provisions of the DPDPA do not apply to publicly available personal data, leaving genetic information from public sources vulnerable to misuse.

Like the GDPR, the DPDPA follows an individualistic approach to privacy. Accordingly, the DPDPA grants rights to the “data principal,” defined under Section 2(j) as “the individual to whom the personal data relates.” This definition leads to a legal ambiguities in respect of genetic data since it does not address whether biologically related individuals have equivalent rights as the proband with respect to their genetic data. Therefore, it is unclear that who should be regarded as the “data principal” or whose consent must be taken under Section 4 for processing of genetic data. Further, under Section 2(p), the DPDPA defines “loss” only in material terms, such as loss of property or financial opportunity. As a result, harms like loss of autonomy or discriminatory treatment are not acknowledged under the DPDPA or DPDPR.

Furthermore, the rights granted under the DPDPA guarantee limited autonomy to the data principal and are narrower than other data protection laws like GDPR. For instance, the right to access under Section 11 allows individuals to obtain information on data collection and processing but does not mandate disclosure of data sharing with third parties. Similarly, the right to correction and erasure under Section 12 does not require data fiduciaries to inform third parties of these changes, reducing the effectiveness of these measures. A major limitation is that these rights apply only when data is processed based on consent.³⁶ If genetic data is processed under broad legitimate uses like research or public interest, individuals cannot exercise these rights. In contrast, the GDPR allows individuals to object to such processing under Article 21, and request restriction on processing under Article 18, in certain cases, like disputes over data accuracy. The absence of similar protections in the DPDPA significantly limits individuals’ ability to control the processing of their genetic data. Further, the DPDPA does not grant the right to data portability, limiting individuals’ ability to transfer their genetic data between service providers, researchers, or healthcare institutions.³⁷ It also lacks safeguards against decisions based solely on automated processing. This omission is a huge cause of concern owing to the growing use of algorithms in genetic research, healthcare, and insurance.³⁸ Without such protections, individuals may easily be subjected to discriminatory treatment.

The DPDPA imposes additional obligations on significant data fiduciaries (SDFs), as they handle sensitive personal data. However, neither the DPDPA nor the DPDPR defines sensitive personal data. The Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, classify biometric and medical records as sensitive under Section 3. Hence, it is likely that these additional obligations would apply to data fiduciaries that process genetic data. As per Section 10 of the DPDPA, the SDFs must conduct independent audits, periodic data protection impact assessments (DPIAs), and appoint a data protection officer (DPO) based in India. DPIAs assess data processing purposes, risks, and mitigation measures. The DPO would ensure compliance with provisions and effective redressal of grievances. While the DPDPA contains these safeguards, it offers minimal guidance regarding their implementation. For example, the DPDPA or the DPDPR do not specify when DPIAs must be conducted or who should be involved. There is also no requirement to consult affected individuals, raising concerns about transparency and procedural safeguards.

Unlike Article 25 of the GDPR, the DPDPA does not mandate “privacy by design and by default.” Privacy by design and by default means that data fiduciaries must build protections into their systems from the start, rather than treating privacy as an afterthought.³⁹ It moves beyond the limitations of the notice-and-consent model by focusing on reducing risks before they arise. This approach rests on seven key principles. First, organizations must anticipate privacy risks and put safeguards in place. Second, they must ensure the highest level of privacy by default by limiting data collection, defining clear purposes, setting strict retention policies, and preventing unauthorized access. Third, privacy must be part of their core policies and decision-making. Fourth, security should be both effective and practical, ensuring protection without making systems unusable. Fifth, privacy protections must last throughout the entire data lifecycle, from collection to deletion. Sixth, organizations must be transparent and accountable, clearly communicating their data practices and allowing oversight. Finally, data processing must prioritize the rights of individuals, not just compliance with the law. For genetic data, the absence of this requirement in the DPDPA leaves a major gap. Without these safeguards, the risk of misuse, unauthorized access, and lasting harm to the proband and their biological relatives become much higher.

Further, under the Section 17, the DPDPA provides broad exemptions for research and crime prevention but does not clearly define key terms. It allows research-related data processing if conducted lawfully, with reasonable security safeguards, and in compliance with ethical standards. However, it does not specify what constitutes a lawful research purpose. Similarly, while the law permits data processing for crime prevention and investigation, it lacks guidance on what qualifies as proportionate processing. These omissions create significant risks, as genetic data can impact privacy, dignity, and equality of many individuals. Without stronger protections, they would remain vulnerable to harm.

Suggestions and Recommendations

As discussed above, the DPDPA treats genetic data like any other personal data, ignoring its unique risks. It fails to recognize its impact on biological relatives or its lasting relevance. A clear legal definition is needed to reflect its relational nature and ensure broader privacy protections. Genetic data should be categorized based on its sensitivity and identifiability. Identifiable genetic data must be classified as sensitive personal data and should be subjected to stricter safeguards. Deidentified genetic data, which does not per se identify an individual, and nongenetic data linked to genomic expression, may be treated as ordinary personal data.

It is equally important to refine the definition of a data principal in this context. The DPDPA currently defines a data principal as “the individual to whom the personal data relates,” but this approach is unsuitable for genetic data due to shared nature. Hence, the definition should explicitly include both the proband and their biological relatives.

Rather than relying solely on a notice-and-consent model, the law should take a harm-based approach to privacy. This would shift responsibility from data principals to data fiduciaries, requiring them to assess and mitigate risks. Unlike a consent-based model, a harm-based approach acknowledges that genetic data affects not just one person but their biological relatives as well. It also accounts for both material harms, like financial loss, and nonmaterial harms, like discrimination and loss of autonomy. Another advantage of this approach is that it ensures that grounds for processing are clearly defined, preventing vague and broad exemptions like “research purposes” from being misused.

To implement this approach, genetic data should first be categorized based on its sensitivity and its connection to other personal data, such as health information. Then, processing activities should be classified into four risk levels: prohibited, high risk, medium risk, and low risk. This classification should rely on clear evidence of risks to privacy and other rights, considering the sensitivity of the data involved. Processing that poses extreme risks, such as genetic profiling for employment purposes, should be outrightly prohibited, as it can enable discrimination. High-risk activities, like large-scale genetic research, or government use of genetic data, should be subject to strict oversight. This includes independent audits, DPIAs, and additional security measures, such as maintaining detailed records of processing. Medium-risk activities, such as genetic analysis for pharmacogenomics, should involve regulated access with safeguards like encryption and strict purpose limitations. Low-risk activities, such as basic genetic testing for paternity, may require fewer restrictions. In such cases, notice and consent may suffice, provided that the data is deleted immediately after serving its purpose.

Accordingly, the obligations of SDFs must be clearly outlined. Particularly, DPIAs must be tailored to the risk level of the processing activity. Further, a DPIA must be mandatory before processing begins, with periodic reviews, especially for high-risk activities. Additionally, affected individuals must be consulted to ensure their rights and concerns are fully considered. Similarly, for medium-risk processing, DPIAs must involve consultation with relevant oversight bodies, such as ethics committees. This would enhance accountability and strengthen privacy protections for genetic data.

The DPDPA and DPDPR should incorporate the principles of privacy by design and by default to embed data protection at every stage of processing. Privacy safeguards must align with risk levels, ensuring the highest protection for high-risk processing. These principles would also enhance transparency, enabling data principals to exercise rights like access to their data. Additionally, they would standardize accuracy, completeness, relevance, and timely deletion of data, strengthening overall accountability and privacy protections. Further, failure to ensure the highest levels of privacy for high-risk processing should carry serious consequences. In cases of gross negligence or reckless processing, criminal liability may be imposed to prevent privacy harms.

Finally, the DPDPA must extend the rights of the data principal beyond consent-based processing. Individuals should have explicit rights to data portability and the ability to restrict processing, ensuring greater control over their genetic information regardless of the legal basis for processing. The law must also strengthen grievance redressal mechanisms. In addition to the fines imposed on data fiduciaries, a compensation mechanism should be introduced to provide direct remedies to affected individuals. This would enhance accountability and ensure that individuals have meaningful recourse in cases of privacy violations.

Footnotes

Declaration of Conflicting Interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Ethical Approval and Informed Consent

Not applicable.

Funding

The authors received no financial support for the research, authorship, and/or publication of this article.

References

Wickenheiser

RA.

Forensic genealogy, bioethics and the Golden State Killer case. Forensic Sci Int Synerg 2019; 1: 114–125. DOI: 10.1016/j.fsisyn.2019.07.003

Nameghi

Exploring the recent advancements and future prospects of personalized medicine in type 2 diabetes. Endocr Metab Sci 2024; 16: 100193. https://www.sciencedirect.com/science/article/pii/S2666396124000372

Bukyya

, Tejasvi

MLA

, Avinash

, . DNA Profiling in forensic science: A review. Glob Med Genet 2021; 8(4): 135–143. DOI: 10.1055/s-0041-1728689

Jorde

and Bamshad

MJ.

Genetic ancestry testing: What is it and why is it important?

JAMA 2020; 323(11): 1089–1090. DOI: 10.1001/jama.2020.0517

P A

, M

, Jose

, . Pharmacogenomics: The right drug to the right person. J Clin Med Res 2009; 1(4): 191–194. DOI: 10.4021/jocmr2009.08.1255. Epub 2009 Oct 16.

Raposo

VL.

From public eugenics to private eugenics: What does the future hold?

JBRA Assist Reprod 2022; 26(4): 666–674. DOI: 10.5935/1518-0557.20220032

Seaver Aurie

, Khushf

, King

NMP

, . Points to consider to avoid unfair discrimination and the misuse of genetic information: A statement of the American College of Medical Genetics and Genomics (ACMG). Genet Med 2022; 24(3): 512–520. https://www.sciencedirect.com/science/article/pii/S109836002105379X.

Raposo

VL.

From public eugenics to private eugenics: What does the future hold?

JBRA Assist Reprod 2022; 26(4): 666.

Regulation (EU) 2016/679 of the European Parliament and of the Council of Apr. 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), Article 9. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

10.

Horton

and Lucassen

Consent and autonomy in the genomics era. Curr Genet Med Rep 2019; 7: 85–91. DOI: 10.1007/s40142-019-00164-9

11.

Costello

Genetic data and the right to privacy: Towards a relational theory of privacy?

Hum Rights Law Rev 2022; 22(1): 1. DOI: 10.1093/hrlr/ngab031

12.

Gordon

and Koenig

BA.

“If relatives inherited the gene, they should inherit the data.” Bringing the family into the room where bioethics happens. New Genet Soc 2022; 41(1): 23–46. DOI: 10.1080/14636778.2021.2007065. Epub 2021 Dec 13.

13.

Hallinan

Protecting genetic privacy in biobanking through data protection . 1st ed. Oxford: Oxford University Press, 2021.

14.

Brown

TA.

Genomes . 2nd ed. Oxford: Wiley-Liss, 2002, Chapter 7, Understanding a Genome Sequence. https://www.ncbi.nlm.nih.gov/books/NBK21136/.

15.

Geiler-Samerotte

, Li

, Lazaris

, . Extent and context dependence of pleiotropy revealed by high-throughput single-cell phenotyping. PLoS Biol 2020; 18(8): e3000836. DOI: 10.1371/journal.pbio.3000836

16.

Genetic Alliance. The New York-Mid-Atlantic Consortium for Genetic and Newborn Screening Services. Understanding Genetics: A New York, Mid-Atlantic Guide for Patients and Health Professionals . Washington (DC): Genetic Alliance, 2009 Jul 8. APPENDIX E, INHERITANCE PATTERNS. https://www.ncbi.nlm.nih.gov/books/NBK115561/.

17.

Adrian-Kalchhauser

, Sultan

, Shama

LNS

, . Understanding “Non-genetic” inheritance: Insights from molecular-evolutionary crosstalk. Trends Ecol Evol 2020; 35(12): 1078–1089. https://www.sciencedirect.com/science/article/pii/S0169534720302263.

18.

Laurie

Genetic privacy: A challenge to Medico – Legal norms . 1st ed. Cambridge: Cambridge University Press, 2002.

19.

National Research Council (US) Whither Biometrics Committee; Pato JN, Millett LI editors. Biometric Recognition: Challenges and Opportunities . Washington (DC): National Academies Press (US), 2010. 1, Introduction and Fundamental Concepts. https://www.ncbi.nlm.nih.gov/books/NBK219892/.

20.

Rahnasto

Genetic data are not always personal-disaggregating the identifiability and sensitivity of genetic data. J Law Biosci 2023; 10(2): lsad029. DOI: 10.1093/jlb/lsad029

21.

The Digital Personal Data Protection Act, 2023, Section 2(t). https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

22.

Wiesenthal

and Wiener

NI.

Privacy and the human genome project. Ethics Behav 1996; 6(3): 189–202. DOI: 10.1207/s15327019eb0603_2.

23.

Gostin

and Hodge

JG.

Genetic privacy and the law: An end to genetics exceptionalism. Jurimetrics 1999 Fall: 21–58.

24.

Institute of Medicine (US) Committee on Assessing Genetic Risks; Andrews LB, Fullarton JE, Holtzman NA, et al. editors. Assessing Genetic Risks: Implications for Health and Social Policy . Washington (DC): National Academies Press (US), 1994. 8, Social, Legal, and Ethical Implications of Genetic Testing. https://www.ncbi.nlm.nih.gov/books/NBK236044/.

25.

Clayton

, Evans

, Hazel

, . The law of genetic privacy: Applications, implications, and limitations. J Law Biosci 2019; 6(1): 1–36. DOI: 10.1093/jlb/lsz007.

26.

Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Eur Econ Comm 1995. https://eur-lex.europa.eu/eli/dir/1995/46/oj/eng

27.

Maxson Jones

, Ankeny

and Cook-Deegan

The Bermuda triangle: The pragmatics, policies, and principles for data sharing in the history of the human genome project. J Hist Biol 2018; 51(4): 693–805. DOI: 10.1007/s10739-018-9538-7

28.

Kabata

and Thaldar

The human genome as the common heritage of humanity. Front Genet 2023; 14: 1282515. DOI: 10.3389/fgene.2023.1282515

29.

Knoppers

and Beauvais

MJS.

Three decades of genetic privacy: A metaphoric journey. Hum Mol Genet 2021; 30(R2): R156–R160. DOI: 10.1093/hmg/ddab164

30.

Carmi

, Zohar

and Riva

GM.

The European General Data Protection Regulation (GDPR) in mHealth: Theoretical and practical aspects for practitioners’ use. Med Sci Law 2022; 63(1): 61–68. DOI: 10.1177/00258024221118411

31.

Knoppers

and Beauvais

MJS.

Three decades of genetic privacy: A metaphoric journey. Hum Mol Genet 2021; 30(R2): R156–R160. DOI: 10.1093/hmg/ddab164

32.

Knoppers

, Thorogood

and Chadwick

The human genome organisation: Towards next-generation ethics. Genome Med 2013; 5(4): 38. DOI: 10.1186/gm442

33.

Costello

Genetic data and the right to privacy: Towards a relational theory of privacy?

Hum Rights Law Rev 2022; 22(1): 1. DOI: 10.1093/hrlr/ngab031

34.

Chapman

, Mehta

, Parent

, . Genetic discrimination: Emerging ethical challenges in the context of advancing technology. J Law Biosci 2019; 7(1): lsz016. DOI: 10.1093/jlb/lsz016

35.

The Digital Personal Data Protection Act, 2023, Section 2(t).

36.

The Digital Personal Data Protection Act, 2023, Section 11 and Section 12.

37.

Kuebler-Wachendorff

, Luzsa

and Kranz

The Right to Data Portability: Conception, status quo, and future directions. Inf Spektr 2021; 44: 264–272. https://rdcu.be/efsRC

38.

Khosravi

, Zare

, Mojtabaeian

, . Artificial intelligence and decision-making in healthcare: A thematic analysis of a systematic review of reviews. Health Serv Res Manag Epidemiol 2024; 11: 23333928241234863. DOI: 10.1177/23333928241234863.

39.

Carboni

, Russo

, Moroni

, . Privacy by design in systems for assisted living, personalised care, and wellbeing: A stakeholder analysis. Front Digit Health 2023; 4: 934609. DOI: 10.3389/fdgth.2022.934609