Electronic storage of medical records has exposed individuals to the risk of identification at various stages of data collection and data processing. Two options are available to data-miners: to either anonymise information that poses a risk of identification or make such information available to physicians alone. The second option is no longer feasible in a world where the physician-patient relationship is complicated by the presence of other stakeholders, such as insurers and pharmaceutical manufacturers. Finding the proverbial middle path is the only solution to the ethical dilemma posed by the appropriation of patient information for marketing purposes. This paper presents an overview of various data protection regimes, followed by an analysis of the Indian position on data privacy. After the enactment of the 2011 regulations on the processing of personal information under the Information Technology Act, 2000, there is hope that corporations operating in India will comply with international best practices for the fair and lawful processing of personal data.