19 FEBRUARY 2025

Impact of the DPDP Act on Research-Based Institutions and Health Data
(Part III of a 3-Part Series)

BY NANDINI NARAYANASWAMY

The Digital Personal Data Protection Act, 2023 (the DPDP Act) is India’s first comprehensive legislation governing personal data protection. It establishes a legal framework for the collection, storage, and processing of personal data while ensuring transparency, accountability, and security. The DPDP Act applies to every entity that processes personal data, including government bodies, private organizations, research institutions, and NGOs; the latter two frequently handle sensitive information.

To operationalize the DPDP Act, the Ministry of Electronics and Information Technology (MeitY) introduced the Digital Personal Data Protection (DPDP) Rules, 2023. These rules define obligations for Data Fiduciaries and rights for Data Principals to ensure privacy protection. Since research institutions and NGOs process personal data for policy analysis, healthcare programs, and social impact initiatives, adherence to these rules is crucial.

In this edition, we examine how the DPDP Act and the Rules apply to research-based institutions and organizations collecting health data.


Summary of the DPDP Rules

The DPDP Rules regulate how Data Fiduciaries collect, store, and process personal data. Key principles include:

  • Lawful Processing: Personal data must be processed in compliance with applicable laws and for clearly defined purposes.

  • Purpose Limitation: Data should only be used for the specified purpose and not repurposed without explicit authorization.

  • Data Minimization: Organizations should collect only the minimum amount of data required to fulfill their objectives.

  • Data Security: Strong safeguards must be implemented to prevent unauthorized access, modification, or misuse.

  • Rights of Data Principals: Individuals have the right to access, correct, and request deletion of their personal data.


Applicability of DPDP Act and Rules to Research-Based Institutions

Rule 15 and Its Provisions for Exemptions

Rule 15, read with the Second Schedule, introduces exemptions for research, archiving, and statistical analysis. These provisions are relevant for NGOs and research institutions that manage data for social research, education, and healthcare.

Key conditions under Rule 15 include:

  1. Lawful Processing: Personal data must be processed in compliance with laws and for permitted purposes.

  2. Purpose-Specific Processing:

    • Data processing must align with Section 7(b) of the DPDP Act, requiring consent-based purposes.

    • Processing must meet criteria under Section 17(2)(b), allowing exemptions for research, public interest, or statistical analysis.

  3. Data Minimization: Only strictly necessary data should be processed.

  4. Accuracy of Data: Reasonable efforts must be made to ensure accuracy, particularly for research impacting policy.

  5. Retention and Deletion: Data should only be retained as long as necessary and securely deleted thereafter.

  6. Security Measures: Organizations must implement:

    • Encryption of sensitive data.

    • Access controls to prevent unauthorized access.

    • Security measures for third-party Data Processors.

  7. Accountability: Research institutions and NGOs must ensure compliance throughout the data lifecycle.


Health Data and the DPDP Rules

Health data, while not explicitly categorized as Sensitive Personal Data, demands high levels of protection. Part B of the Fourth Schedule defines relevant terms, including healthcare professionals, clinical establishments, and health services. NGOs working in the health sector may not function as direct healthcare providers but often engage in health-related initiatives, making them Data Fiduciaries under the DPDP Rules.

Rule 15 and Health Data Exemptions

Rule 15 provides specific exemptions for processing health data under defined conditions:

  • Public Health Initiatives: Processing is allowed without explicit consent for activities like vaccination drives or disease prevention campaigns.

  • Medical Research: Anonymized health data can be used for research, provided privacy safeguards are maintained.

  • Emergencies: Health data can be processed during crises such as pandemics or natural disasters.

Anonymization is critical to ensure that individuals are not identifiable when health data is used for research or statistical analysis.

Compliance Requirements for NGOs in the Health Sector

Organizations handling health data must adhere to key obligations:

  1. Data Security: Implement encryption, access controls, and regular audits to prevent breaches.

  2. Consent Management: When consent is required, it must be informed, specific, and revocable.

  3. Transparency: NGOs must inform individuals about the purpose of data collection and their rights under the DPDP Act.

  4. Retention Policies: Data should only be retained as long as necessary and securely deleted afterward.

  5. Accountability: NGOs must appoint a Data Protection Officer (DPO) to oversee compliance and audits.


Pacta’s View on the DPDP Rules and Research-Based Institutions & Health Data

The DPDP Rules, particularly Rule 15, provide a balanced framework for NGOs and research institutions. These provisions enable them to conduct crucial health and social sector initiatives while safeguarding individual privacy. Compliance is both a legal and ethical imperative. By implementing robust security measures, ensuring transparency, and upholding privacy safeguards, organizations can build trust, ensure accountability, and continue making meaningful contributions to public health and welfare.

Your Voice Matters!

The draft Digital Personal Data Protection (DPDP) Rules 2025 are open for public feedback until February 18. As covered in this three-part series, these rules will shape data handling in India for individuals, businesses, and organizations alike. The Ministry of Electronics and Information Technology (MeitY) is actively seeking public input.

Let us know your thoughts on the new Data Protection Rules! Your insights can help shape the future of data privacy in India.

