TABLE 6.

Data Safety/Security Policies and Laws in South Asian Countries Adjoining India

Country: Data Safety Policies/Laws
Bangladesh
  • The Mental Health Act, newly enacted in 2018, has been criticized for not covering patient confidentiality, and the associated accountability of medical practitioners for failing to maintain it, in sufficient detail.77

  • Privacy laws are lacking; instead, there is a dependence on provisions within several other existing laws, or relevant sections in the country’s constitution such as Article 32 (protection of right to life and personal liberty), Article 39 (freedom of thought and conscience and of speech), and Article 43(b) (right to privacy for each citizen, of his correspondence and other means of communication).78

  • In December 2020, the government passed the Digital Security Rules, which call for organizations to establish “help desks” so that they could comply with the Digital Security Act 2018.78 As a consequence, employees can register complaints related to personal data misuse via these help desks.

  • The Digital Security Act 2018 is inadequate to regulate a right as fundamental as data privacy, calling for new legislation.

  • Requirements in GDPR may be difficult or costly to implement for many small companies in Bangladesh78; therefore, the proposed Personal Data Protection Bill in India serves as a reference,78,79 as it offers flexibility to smaller organizations.

Bhutan
  • Limited legislation related to mental health.80

  • The Information, Communications and Media Act of Bhutan 2018 includes data protection principles, which include 7 of the 10 “second generation” principles of the 1995 European Union Data Protection Directive.81

Nepal
  • Privacy Act 2018 restricts processing of “sensitive data” in control of a public entity.

  • The physical or mental health of a person is included as part of sensitive data, which can be processed “only during the diagnosis, treatment, and management of public health, and the delivery of health services to a person if such data has been made public by the concerned individual themselves.”82

  • Privacy Act has impacted the legal usage of “personal information” as it stipulates how “personal information” in public entities can be used, along with liabilities for breach.81

Pakistan
  • No specific law relating to data protection.83

  • In April 2020, the country’s Ministry of Information Technology and Telecommunication released a draft Personal Data Protection Bill for consultation before being presented to Parliament for debate.

  • The Bill defines “sensitive personal data” as that which includes biometric data; information on the subject's physical, psychological, or mental health conditions as well as medical records, among other details.

  • Sensitive personal data can be processed only with the explicit consent of the subject and only for defined purposes, such as: exercising any right or obligation conferred by law on the data controller in connection with the subject’s employment; protection of vital interests of the subject/another person; and where processing is undertaken for medical reasons/ by a health care professional.

Sri Lanka
  • The Personal Data Protection Bill is comprehensive,81 covering both public and private sectors.

  • The bill requires lawful grounds for processing users’ data and includes obligations of controllers and rights of users based on GDPR provisions. Key rights of GDPR are present, such as users’ “right to be forgotten” and protections against automated processing of data.

  • The independence of the data protection authority, an independent public body authorized to supervise the application of the data protection law, provide expert advice on data protection issues, and handle complaints lodged against GDPR violations or relevant national laws, is not guaranteed.81

  • While mental health literacy has improved in Sri Lanka, the absence of consensus among stakeholders and legislative delays have hindered recent attempts to develop a new mental health act to replace the existing Mental Diseases Ordinance of 1956.84

Abbreviation: GDPR, General Data Protection Regulation.