Abstract

Data protection has occupied a major space in legal discussions. This emerging field of law does not only guarantee the fundamental right to privacy as held in K.S. Puttaswamy v. Union of India, but it also guarantees the evolution of this right. This evolution extends to the special treatment of health-related data of individuals. As such data is highly sensitive and is crucial to an individual’s identity, it must be dealt with specifically through an appropriate regulatory framework. This intersection of health law and privacy law prompted law makers to come up with specialised regulatory mechanisms for the protection of health data. But the Digital Personal Data Protection Act, 2023 (DPDP Act) concretized the law on data protection in India. It was unfortunate to note that the final draft of the law deviated from the previous Data Protection Bill which specifically provided for sensitive personal data. The absence of such specific provisions in the DPDP Act shows the law makers have omitted to consider the sensitivity of health data. Furthermore, the Act is replete with loopholes which may allow the government, health-related State instrumentalities and other corporations to circumvent the provisions of this Act. This will ultimately hamper the progress made in this domain and will give a leeway to health institutions and professionals to exercise a lower standard of care with respect to health data.

Keywords: Health Data, Privacy, Data Protection, DPDP Act, DPDP Rules

Introduction

In the digital age, the notion of privacy has evolved from being a fundamental right to being a valuable luxury. As the digital space remains replete with privacy concerns, the health sector faces significant risks especially with respect to patient’s personal health data. As per the Draft Digital Information Security in Healthcare Act (hereinafter ‘DISHA’), ‘digital health data’ refers to an electronic record of health-related information and it includes information relating to a person’s physical or mental health, health services provided, organ or substance donation, test or examination results, information collected in the course of providing health services and details of the clinical establishment.^[i]

As such data sets consist of the health status of individuals or may even be a combination of health status and other sensitive information such as financial details and personal identification cards, the healthcare sector as a whole must be legally as well as morally obliged to preserve such data and exercise a greater degree of care to prevent data breaches. A press release from the Ministry of Information and Broadcasting titled ‘Revolutionizing Healthcare: Digital Innovations in India’s Health Sector’ emphasized the role of digitization of the health sector which also includes health data.^[ii] But due to the vulnerabilities of digitization, such sensitive data is exposed to severe risks.^[iii]

In January 2024, a data breach was discovered in the popular Apollo hospitals which compromised personal identification documents, health data, payment credentials, etc.^[iv] Despite claims of robust security mechanisms, CoWIN portal’s data was leaked exposing the Aadhaar details, vaccination status etc. of lakhs of individuals.^[v] A few years back, the AIIMS server was attacked, revealing Chinese involvement, due to which sensitive data of around 40 million patients was leaked.^[vi] In a shocking incident in Gujarat, CCTV videos of female patients at Payal Maternity Hospital were being circulated and sold on Telegram.^[vii]

From the abovementioned incidents, it is evident that the breach of such data may pose several risks. For example, cyber attackers may take advantage of a patient’s disease, desperation or vulnerability. Similarly, marketing agencies or pharma companies may use such data for unwarranted targeted advertisement.^[viii] The breach of financial details and personal identity details may culminate in frauds.^[ix] Therefore, data protection in the context of the health sector is not merely a regulatory desirability but its stringent implementation through appropriate regulation is indispensable in order to safeguard citizens and improve the trustworthiness of the healthcare sector.

This article discusses the pre-Digital Personal Data Protection Act, 2023^[x] (hereinafter ‘DPDP Act’) regulatory framework for the protection of health data and then draws a parallel by analysing the changes introduced by the DPDP Act. International practices and laws have also been discussed in order to suggest a better mechanism for India.  

Pre-DPDP Act Regulatory Framework in India

India has witnessed a new climb in the healthcare industry, evolving continuously to meet the dynamic needs of its population. One such pressing need has been the effective delivery of health services to the ever-growing, vast population of the country. The crucial responsibility of managing and sharing data collected through these healthcare facilities inevitably arrives with this pressing need. In doing so, it becomes imperative to uphold and prioritize the privacy of individuals’ health data. The question of privacy with regard to an individual’s health data came up as early as in 1998 in the case of Mr. X v. Hospital Z.^[xi] In this case, a patient was found to be HIV positive and later, an allegedly unauthorised disclosure was made by the Hospital staff. The Court held that doctors must maintain secrecy about their patients. However, the court also pointed out the restriction of this right, proclaiming that “public interest” will override privacy. The Supreme Court has also iterated that disclosing medical records is an invasion of privacy.^[xii]

The privacy aspect in general has long been covered by Section 43A of the Information Technology Act, 2000 (hereinafter ‘IT Act’). Section 43A of the Act imposes a liability on the body corporates to protect an individual’s sensitive personal data.^[xiii] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, included medical records and history in the definition of ‘sensitive personal data’.^[xiv] The major drawback of this Act is that it deals with body corporate venturing in commercial or professional activities, however, the state-run hospitals or public hospitals may fall outside the ambit if they are not structured as body corporates.       

The effective regulation of health law necessitated the development of a comprehensive digital health ecosystem in India. With this purpose, the Government of India introduced the National Digital Health Mission, 2017 (hereinafter referred to as “NDHM”).^[xv] The mission aimed to create a digital web of health data across India to support universal health coverage. The mission was launched in 2020, providing a bridge between the practitioners and the patients, digitally giving them access to real-time health records.^[xvi] One of the main features of the policy is that it, similar to the GDPR, differentiates between data fiduciaries and processors. The only ground for processing sensitive health data has been reduced to the consent of the individual. Moreover, the policy establishes a mechanism of serving privacy notice to the data principals before i) any collection of data ii) any change in privacy policies or procedures and iii) collection or processing of any personal data of the data principal for any new purpose for which he has not given his express consent.^[xvii] The level of protection under the NDHM is arguably higher than the DPDP Act. This distinction is appropriate, as the latter specifically governs health sector data, where the sensitivity of medical records naturally demands enhanced safeguards^[xviii]. However, a key point of confusion arises due to the coexistence of these frameworks: each prescribes distinct standards of protection, leading to uncertainty over which would take precedence in the event of a conflict^[xix].

In 2018, the Ministry of Health and Family Welfare proposed DISHA. Though it was intended to provide an administration specialist both at the centre and state levels, it failed to materialise as the Government decided to let it be subsumed under the DPDP Act.^[xx] Under the Act, at the central level, a proposal was made to establish the National Electronic Health Authority (NEHA)^[xxi] as the apex body responsible for setting standards, issuing the guidelines, and overseeing the collection, management, and transfer of health data. Consequently, for macro-level scrutiny over the institutions in each state, the DISHA further provided for the setting up of the State Electronic Health Authority (SEHA)^[xxii], which would be tasked with ensuring that institutions comply with the requirements laid down under the Act.^[xxiii] 

Another draft bill that was proposed was the Personal Data Protection Bill 2019.^[xxiv] This was the first draft, which covered a cross-sectoral framework dealing with data protection. The difference between the DPDP Act and the 2019 proposed bill is that the latter includes within its definition of Sensitive personal data, “health data”^[xxv], which is absent in the current DPDP framework. The distinction between personal data and sensitive personal data, as outlined in the 2019 Draft Bill, was more closely aligned with the GDPR compared to the framework adopted in the enacted 2023 DPDP Act. Both the above stated bills were introduced for granting controlling rights to the data principal and protecting healthcare data; however, these legislations did not see the light of the day.

Situation Post-DPDP Act:

The DPDP Act was enacted in 2023 with a view to comprehensively provide for an indigenous data protection regime suited to the Indian legal landscape.^[xxvi] Though the Act has been hailed as a landmark step in the domain of data protection,^[xxvii] the Act fails to specifically deal with health data. The general provisions of the Act that are applicable to data fiduciaries will extend to data fiduciaries within the health sector. According to Section 2(i) of the Act, data fiduciary may be any person who determines the purpose and means of processing of personal data.^[xxviii] According to Section 2(s), the term ‘person’ includes an individual, Hindu Undivided Family, company, firm, association of persons or body of individuals, State and every artificial juristic person.^[xxix] Therefore, in the context of health data, independent doctors, private and public hospitals, clinics, health-based NGOs, state-run medical facilities like mohalla clinics and medical bodies will all come under the purview of the DPDP Act insofar as they determine the purpose and means of processing of personal health data.

Section 5 makes it mandatory for data fiduciaries to give a notice to the data principals pertaining to the purpose of processing, manner of exercise of rights and manner of complaint.^[xxx] Moreover, the data can only be processed if the consent given by the data principal is free, specific, informed, unconditional and unambiguous.^[xxxi] Further, consent requests must be in plain and clear language.^[xxxii] This means that all health-related data will have to be processed in accordance with the provisions of this Act including the notice and consent requirements.

Data fiduciaries are now legally enjoined to implement technical and organisational measures to protect data.^[xxxiii] Further, they are obliged to take reasonable security safeguards to prevent personal data breach.^[xxxiv] Data fiduciaries are obliged to erase personal data if the data principal withdraws consent or if the purpose for which data was processed has been fulfilled.^[xxxv] For example, if a hospital collects data for a time-bound benefit scheme, it must collect the data by specifying the purpose such as ‘verification of eligibility’. Further, when the scheme is over and the data collected for that purpose becomes redundant, the hospital will be obliged to delete the personal data unless its retention is required by any other law in force in India.

Though prima facie these measures may seem to be a positive step towards strengthening the protection of health data, the Act does not specifically provide for the protection of health data. Due to this legislative oversight, health data will be treated like any other data which reduces the value of health data as sensitive personal data. The Data Protection Bill of 2021 provided a separate definition for sensitive personal data which included health data^[xxxvi] but no such provision has been made in this Act. Furthermore, the Act enlists additional obligations of significant data fiduciaries such as data protection impact assessment, appointment of data auditor, etc.^[xxxvii] but the central government has the sole discretion to decide who will be a significant data fiduciary.^[xxxviii] Moreover, the draft rules are completely silent on this issue. This situation raises concerns as to transparency of such a procedure and the possibility of a crony capitalist policy in this regard.

Despite the limited safeguards provided by the DPDP Act, the government has unbridled powers to regulate the applicability of this Act including the powers to exempt data fiduciaries from the provisions of the Act. Section 7 of the Act deals with the processing of data for ‘legitimate uses’.^[xxxix] According to clause (c) of the section, data may be processed for the performance of any function by the State or its instrumentalities under any law. The data can also be processed in the interest of sovereignty and integrity of the country or security of the State.^[xl] Furthermore, clause (d) allows the processing of data for the fulfilment of any obligation under any law to disclose information to the State or its instrumentalities.^[xli] In the context of health-related data, Section 7(f) empowers the data fiduciaries process data for responding to a medical emergency.^[xlii] It also allows the data fiduciaries to process data to provide medical treatment or health services to individuals in case of epidemic, outbreak of disease or any other threat to public health.^[xliii] Therefore, these provisions, being extremely open-ended, can be tailored to the needs of the government or industry stakeholders to exploit health data of individuals.

Section 17(2) goes a step further and states that the provisions of this Act will not be applicable if the data is processed by any instrumentality of the State as notified by the Central Government. Such processing should be in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order or prevention of offence.^[xliv] Once again, this is a very generic provision and can be easily misused by the State or its instrumentalities. Furthermore, the Act exempts startups from certain provisions of the Act.^[xlv] This will give immunity to startups which deal with health data. Moreover, the Act also empowers the central government to exempt any data fiduciary or classes of data fiduciary from any provision of the Act for a specified period.^[xlvi] This provision can be highly misused in order to give political preferences.

In January 2025, the Ministry of Electronics and Information Technology released the proposed draft of the DPDP Rules. Rule 11 read with the Fourth Schedule, exempts data fiduciaries from complying with sub-sections (1) and (3) of Section 9 of the DPDP Act.^[xlvii] Section 9(1) obliges a data fiduciary to obtain verifiable parental consent before processing the data of a child.^[xlviii] Section 9(3) prohibits data fiduciaries to undertake tracking or behavioural monitoring of children or targeted advertisement.^[xlix] According to the Fourth Schedule of the DPDP Rules, clinical establishments, mental health establishments, healthcare professionals and allied healthcare professionals are exempt from the above mentioned provisions.^[l] Though the extent of processing is limited to healthcare services and treatment, it is absurd to note that in a crucial matter like health, parental consent can be done away with and targeted advertisement is allowed and on the other hand, compliance is necessary with this provision to even play an online game.

Thus, it can be said that the DPDP Act has provided for certain general provisions but the existing loopholes can be exploited to undertake processing of health data by private data fiduciaries or by the government which may eventually jeopardise the interests of the data principals to whom that data belongs.^[li] This increases the chance of non-consensual processing and in the case of certain security-based exemptions, it will be impossible to hold such data fiduciaries liable for data breach caused due to their negligence. As a result, sensitive health data will be treated at par with other non-sensitive data which may prove to be disastrous in the long run.

The Way Forward

As India is witnessing a transition from a traditional paper-based medical records to a more digital and interoperable healthcare data system, it is important that efforts should be underway in order to prioritize the right to privacy of individuals.^[lii] The current regulation especially with the passage of the DPDP Act has toned down the robustness of the healthcare protection framework.^[liii] The provision in the DPDP enabling the state to allow research over the data of individuals holds immense potential for societal development. However, it is equally important to ensure that such research is conducted ethically, with due respect to the privacy and dignity of individuals. Therefore, the State must acknowledge that reforms or adjustments to the healthcare framework are necessary to improve the efficiency and implementation of its provisions.^[liv] The following recommendations must be considered to bridge the exiting gaps:

1. The ambiguity surrounding the NDHM and the DPDP Act must be resolved. The government should formally notify and implement the NDHM’s aspects of the health data privacy framework, as it serves as a sector-specific framework that addresses the unique requirements of the healthcare sector more directly than the broader DPDP Act. Upon the inclusion of NDHM within the Ayushman Bharat Digital Mission, the policy, though, retained the interoperability of health institutions, exchange of data and acquisition of data, but lost its integral aspect “Health Data Protection”.^[lv] Despite several other policies released by the National Health Authority, none of them have been set in place for health data security.^[lvi]
2. To ensure effective implementation and oversight, the National Electronic Health Authority (NEHA) and State Electronic Health Authorities (SEHA) should be established at the central and state levels, respectively as was previously suggested by DISHA. These bodies would play a critical role in managing and regulating the use of personal health data by healthcare institutions. Thus, the revival of DISHA is very essential for effective healthcare governance.
3. India should ensure that its data protection frameworks are designed to facilitate the use of secondary health data for statistical and research purposes. Drawing from assessments conducted across Member States in the WHO European Region, a common issue identified was that overly restrictive or misaligned data protection laws often hinder the production of reliable health statistics.^[lvii] To avoid similar challenges, India should adopt a balanced approach that protects individual privacy while enabling the ethical and secure use of health data for research and public health planning.^[lviii] In this regard, the development of detailed guidelines, similar to those introduced by WHO as part of its Health Information Systems (HIS) strengthening toolkit, can prove to be instrumental.^[lix]
4. India can take a lesson from the USA’s health sectoral legislation — The Health Insurance Portability and Accountability Act 1996 (“HIPAA”)^[lx] and the Health Information Technology for Economic and Clinical Health Act 2009 (‘HITECH’).^[lxi] These separate pieces have been instrumental in securing health data and efficient data collection and transfer.^[lxii]
5. The term health data or information needs an extensive explanation to curb any unnecessary debate around the inclusion of information as health data. The definition in the Federal Law of the UAE on Health Data is one such legislation that gives a detailed and conspicuous definition of what health data would comprise within its ambit.^[lxiii] Article 1 of the Act defines the term “Health Information” as, “The health data which had been processed and became with a meaning, whether visual, audio or legible, and characterised by the health feature, whether related to the health or insurance establishments or authorities or to the beneficiary from the health services”.^[lxiv]
6. Recently in 2023, Washington passed a new law on the protection of health data known as the My Health, My Data Act (MHMDA).^[lxv] Under the MHMDA, consumers have the right to seek information from healthcare entities to obtain the list of third parties to whom the entity will be sharing their data. This can be brought into the regulatory framework of India, as this would set the wheels in motion to make the commercial use of the health data more restrictive and would make the law related to health more patient-oriented.^[lxvi]
7. With the emergence of blockchain and the benefits it offers, it is being applied in many sectors, including healthcare.^[lxvii] The decentralised ledger has numerous rewards, such as it can preserve and exchange data of the patient through different healthcare facilities and identify severe mistakes and even dangerous ones in the medical field.^[lxviii] More importantly, it can improve performance, security, and transparency in the sharing of medical data in the healthcare systems, causing the health data breaches to plummet significantly.^[lxix]

Conclusion

Even though much has been said about India’s advancement in the data protection domain due to the introduction of the DPDP Act, the fact remains that the Act fails to differentiate between ‘personal data’ and ‘sensitive personal data’ which also includes health data. A risk-based approach in this regard would also classify the breach of health data as more severe than the breach of other personal data such as contact details.

The Government needs to bridge these gaps by codifying a separate law for the protection of health data in order to lay down higher standards of safeguards and industry-specific regulatory and infrastructural mechanisms suited to the Indian context. Furthermore, even State authorities must be bound by the dictates of such a law without unreasonable exemptions.

Inspiration may be drawn from international legal jurisdictions that have led the way in protecting health data through separate legislations. Technical safeguards such blockchain systems may be employed for the protection of highly sensitive data. These measures can go a long way in protecting the interests of the citizens of this country.

Endnotes

[i] Government of India, “Digital Information Security in Healthcare Act, – Draft for Public Consultation” (Ministry of Home and Family Welfare, 2017).

[ii] Government of India, “Revolutionizing Healthcare: Digital Innovations in India’s Health Sector – Press Release” (Ministry of Electronics and Information Technology, 2024).

[iii] Rina Chandran, “India’s Health Data Faces Rising Risk of Breaches, Cyberattacks”, The Wire, July 27, 2023, available at <https://thewire.in/tech/indias-health-data-faces-rising-risk-of-breaches-cyberattacks> (last visited on April 22, 2025).

[iv] Hera Rizwan, “Hackers May Have Stolen Patient Data From India’s Largest Hospital Chain”, MSN, available at <https://www.msn.com/en-in/money/news/hackers-may-have-stolen-patient-data-from-india-s-largest-hospital-chain/ar-AA1CragT> (last visited on April 22, 2025).

[v] Supra note 3.

[vi] “From AIIMS Delhi to ICMR, data breaches haunt crores of India”, Economic Times, November 13, 2023, available at <https://health.economictimes.indiatimes.com/news/health-it/from-aiims-delhi-to-icmr-data-breaches-haunt-crores-of-indians/105173060> (last visited on April 22, 2025)

[vii] “Videos of women patients at Gujarat maternity hospital leaked, sold on Telegram”, India Today, February 18, 2025, available at <https://www.indiatoday.in/india/story/gujarat-rajkot-maternity-hospital-private-videos-women-patients-sold-online-youtube-telegram-2682044-2025-02-18> (last visited on April 22, 2025).

[viii] Scott Ikeda, “Study Finds Medical Apps Are Sharing Health Data With Third Party Trackers, Funneling Info To Targeted Facebook Ads”, CPO Magazine, August 25, 2022, available at <https://www.cpomagazine.com/data-privacy/study-finds-medical-apps-are-sharing-health-data-with-third-party-trackers-funneling-info-to-targeted-facebook-ads/> (last visited on April 22, 2025).

[ix] Adil Hussain Seh, Mohammad Zarour, et al., “Healthcare Data Breaches: Insight and Implications” 8(2) Healthcare (2020).

[x] The Digital Personal Data Protection Act, 2023 (Act 22 of 2023).

[xi] (1998) 8 SCC 296.

[xii] K.S Puttaswamy and Anr. v. Union of India, AIR 2017 SC 4161

[xiii] The Information Technology Act, 2000 (Act 21 of 2000), s. 43A.

[xiv] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, r. 3.

[xv] Government of India, “National Digital Health Mission: Health Data Management Policy” (Ministry of Health and Family Welfare).

[xvi] Id., cl. 10.1. 

[xvii] Ibid.

[xviii] Ashutosh Tripathi and Tushar Behl, “Protecting the health data of Consumers: Need for an Iron-Clad Law in India” 8 IJCLP 6 (2020).

[xix] Ibid.

[xx] Ibid.

[xxi] Supra note, s. 28.

[xxii] Supra note, s. 28.

[xxiii] Supra note, s. 28.

[xxiv] The Personal Data Protection Bill, 2019 (Bill 373 of 2019).

[xxv] Id., cl. 2(36).

[xxvi] Priyanka, “Digital Personal Data Protection Act (DPDPA), 2023”, IP Leaders, May 21, 2024, available at <https://blog.ipleaders.in/digital-personal-data-protection-act-dpdpa-2023/> (last visited on April 22, 2025).

[xxvii] “India Advances in Data Protection with the Digital Personal Data Protection Act, 2023”, K&S Partners, August 22, 2023, available at <https://kandspartners.com/137594> (last visited on April 22, 2025).

[xxviii] Supra note 10, s. 2(i).

[xxix] Supra note 10, s. 2(s).

[xxx] Supra note 10, s. 5.

[xxxi] Supra note 10, s. 6(1).

[xxxii] Supra note 10, s. 6(3).

[xxxiii] Supra note 10, s. 8(4).

[xxxiv] Supra note 10, s. 8(5).

[xxxv] Supra note 10, s. 8(5).

[xxxvi] “The Data Protection Bill”, Trilegal, December 24, 2021, available at <https://trilegal.com/wp-content/uploads/2021/12/The-Data-Protection-Bill-2021.pdf> (last visited on April 24, 2025).

[xxxvii] Supra note 10, s. 10.

[xxxviii] Ibid.

[xxxix] Supra note 10, s. 7.

[xl] Supra note 10, s. 7(c).

[xli] Supra note 10, s. 7(d).

[xlii] Supra note 10, s. 7(f).

[xliii] Supra note 10, s. 7(g).

[xliv] Supra note 10, s. 17(2).

[xlv] Supra note 10, s. 17(3).

[xlvi] Supra note 10, s. 17(5).

[xlvii] The Draft Digital Personal Data Protection Rules, Rule 11.

[xlviii] Supra note 10, s. 9(1).

[xlix] Supra note 10, s. 9(3).

[l] Supra note 48 at Fourth Schedule.

[li] Paarth Nathani, “Protecting healthcare privacy: Analysis of data protection developments in

India” 9(2) Indian Journal of Medical Ethics 5 (2023).

[lii] Sourishee Ghosh, “India’s Digital Health Mission: Navigating the Legal, Social and Ethical Landscape”, Himdu College Gazette, December 25, 2024, available at <https://www.hinducollegegazette.com/abouthinducollegegazette> (last visited on April 24, 2025). 

[liii] Shivangi Rai and Shefali Malhotra, “India is piloting ambitious digital health initiatives while neglecting data safeguards”, Scroll, October 31, 2023, available at <https://scroll.in/article/1057716/india-is-piloting-ambitious-digital-health-initiatives-while-neglecting-data-safeguards> (last visited on April 24, 2025).

[liv] “Healthcare Data Privacy in India”, Indian Law Offices, August 29, 2023, available at <https://www.indialawoffices.com/legal-articles/healthcare-data-privacy-india> (last visited on April 24, 2025).

[lv] Dipika Jain, “Regulation of Digital Healthcare in India: Ethical and Legal Challenges” 11(6) Healthcare 911 (2023).

[lvi] Anirudh Burman, “Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth”, Carnegie India, March 2020, available at <https://carnegieproductionassets.s3.amazonaws.com/static/files/Burman_Data_Privacy.pdf> (last visited on April 23, 2025).  

[lvii] World Health Organisation, “The protection of personal data in health information systems- principles and processes for public health” 9 (2021).

[lviii] Ibid.

[lix] Ibid.

[lx] Health Insurance Portability and Accountability Act, 1996.

[lxi] Health Information Technology for Economic and Clinical Health Act, 2009

[lxii] Ibid.

[lxiii] Federal Law No. (2) of 2019.

[lxiv] Id., art. 1.

[lxv] The My Health My Data Act, 2023.

[lxvi] Anas Baig, “Healthcare Privacy Laws & Regulations Around the World”, Securiti, December 25, 2023, available at <https://securiti.ai/healthcare-privacy-laws/> (last visited on April 24, 2025).

[lxvii] Abid Haleem, Mohd Javaid. et al., “Blockchain Technology applications in healthcare: An overview” 135 IJIN 2 (2020)

[lxviii] Brant Carson and Claude Nadeau, “What is Blockchain”, MC Kinsey & Co., December 5, 2022, available at <https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-blockchain> (last visited on April 24, 2025).

[lxix] “Introduction to Blockchain Technology”, Geeks for Geeks, August 29, 2023, available at <https://www.geeksforgeeks.org/blockchain-technology-introduction/> (last visited on April 24, 2025).