Abstract

The Digital Personal Data Protection Act, 2023 (DPDPA) represents India’s first comprehensive data protection legislation, emerging from the constitutional foundation established in Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (2017). 1 This landmark Supreme Court judgment recognized privacy as a fundamental right under Article 21, emphasizing that dignity cannot exist without privacy and creating the legal imperative for legislative frameworks to regulate personal data governance.
The Government of India notified the DPDPA in August 2023, 2 and the draft rules for the implementation of the Act in January 2025. 3 Under international frameworks such as the EU’s General Data Protection Regulation (GDPR), health data qualifies as “special category data” under Article 9, requiring explicit consent due to its high privacy risk. 4 Though the DPDPA does not separately define “sensitive personal data” as previous drafts did (e.g., the 2019 Bill), 5 it operates under the broad umbrella of “personal data” whose misuse can cause significant harm, especially in mental health contexts.
This article provides the reader with a brief introduction to the DPDPA and the draft rules, discusses issues related to its implementation, 6 and considers challenges that medical healthcare professionals (HCPs), and especially mental healthcare professionals (M-HCPs), will now face. The importance of addressing these challenges thoughtfully is underscored by documented cases where privacy breaches have led to serious patient harm. In Mr. X v. Hospital Z (1998), a hospital’s non-consensual disclosure of a patient’s HIV status resulted in the cancellation of his engagement and significant emotional trauma. 7 Such cases demonstrate why patients, particularly those seeking mental healthcare, have legitimate concerns about data protection and why the DPDPA’s provisions require careful implementation. Suggestions are offered to deal with the challenges.
Discussion
The DPDPA
The DPDPA contains 44 sections in 9 chapters. It outlines frameworks for acquiring, storing, retrieving, using, and otherwise handling digital personal data of citizens in India; these frameworks are intended to protect the personal rights of those from whom the data were acquired. Because much of healthcare information is now acquired, stored, retrieved, and used in digital form, the provisions of the DPDPA have important implications for HCPs in the country.
Data principals and data fiduciaries are technical terms repeatedly used in the DPDPA. The data principals are the persons from (or about) whom the data are acquired. The data fiduciaries are the persons or organizations that acquire, process, and store the data; that is, the trustees of the data. In healthcare, medical professionals or their institutional employers, as applicable, are the data fiduciaries.
Implications of the Act for M-HCPs
The DPDPA applies to all data fiduciaries, from individuals to small service providers to large standalone and networked organizations, and includes all services, from healthcare to e-commerce to banking and other financial services. Ignorance of the law is no excuse, and it is necessary for all HCPs to be aware of how the DPDPA impacts their practice.
In this connection, although the DPDPA does not single out mental healthcare, its provisions have special implications for M-HCPs. M-HCPs handle data that are intimate, sensitive, and often stigmatizing. This is because mental healthcare necessarily considers stressors, relationships, assessments, diagnosis, treatment history, disabilities, sexuality and gender identity, and other matters. Many patients seek mental health care in secrecy, fearing stigma, judgment, or discrimination at work or home.8,9 Research indicates that mental health conditions can lead to employment discrimination, insurance denial, family rejection (especially for women and LGBTQ+ individuals), and social ostracism. 9 These legitimate patient concerns about confidentiality underscore why privacy protection in mental healthcare is not merely a regulatory requirement but essential for maintaining trust and therapeutic effectiveness. 8 Consequently, the legal obligations introduced by the DPDPA require special attention in mental healthcare and will necessarily impact clinical practice in mental health disciplines.
In the rest of this article, because M-HCPs extensively liaise with other HCPs, including those in neurological, radiological, psychosocial, pharmaceutical, laboratory, and other disciplines, we will favor the broad term HCP to address the obligations of M-HCPs under the Act.
Obligations Under the Act
The DPDPA and its rules impose obligations on HCPs. There are several important areas requiring compliance of which HCPs should be aware: consenting patients, securing data, enabling patient rights, responding to data breaches, liaising with third-party vendors, transferring data to other countries, and others. Each of these is briefly explained; the relevant chapters (Ch.) and sections (S.) are cited in parentheses.
Consent
HCPs need to obtain clear, specific, informed consent before processing data [Ch. II, S. 6(1)]. Easy-to-understand information, referred to as “notice” in the Act, requires to be provided (Rule 3), and this must be done in a language preferred by the patient [Ch. II, S. 5(3)]. The information should specify the data that will be acquired by the HCP, the purpose for which it will be processed, the way patients can exercise their rights, and the manner in which patients can make complaints to the Data Protection Board of India [Ch. II, S. 5(1,2)]. Patients who want to withdraw consent should be able to do so easily [Ch. II, S. 6(4)]. If challenged, HCPs should be able to prove that valid consent had been obtained [Ch. II, S. 6(10)].
International experience suggests that meaningful consent requires more than signature collection; it demands genuine understanding and voluntary agreement. 10 Mental health providers can implement layered consent approaches by separating clinical and data-sharing decisions. Consent should be freely given and not tied to treatment access. It should be specific, mentioning what’s collected, for what purpose, and by whom. Consent must be revocable with clear withdrawal mechanisms, and should be periodically revisited at intervals during treatment.10,11 Standardized symbols or universal healthcare pictograms can improve comprehension across diverse literacy levels, though cross-cultural testing is essential given India’s linguistic diversity. 10
Children and persons with disabilities need special consideration. Their data must be acquired and processed only after obtaining verifiable consent from a parent or legal guardian, as appropriate [Ch. II, S. 9(1); Rule 10]. This builds upon existing frameworks under the Rights of Persons with Disabilities Act, 2016, 12 but introduces additional data-specific consent requirements. Whereas specific rules apply [Ch. II, S. 9(2), S. 9(3)], there are limited exemptions for healthcare [Ch. II, S. 9(4); Rule 11 & Fourth Schedule].
Data Security
Reasonable safeguards need to be implemented to ensure data security [Ch. II, S. 8(5)]. Rule 6 mandates specific measures. Action points to protect digital records include using encryption, using strong passwords, setting access controls, securing systems by keeping software updated and using antivirus programs, monitoring access by logging who accesses records and storing the logs for at least a year, backing up data securely, and training staff in security measures.
Modern healthcare technology offers approaches that can protect patient privacy while maintaining clinical utility. Pseudonymization represents one practical method, storing patients’ identifiable information (e.g., name, phone number) separately from clinical data, with unique codes or tokens (e.g., Patient ID1234) replacing names in all operational records.13,14 This enables therapeutic continuity without disclosing identity to third parties. Additional technical safeguards include role-based access controls (RBAC), ensuring that healthcare staff can access only the information necessary for their specific roles, end-to-end encryption protecting data both during storage and transmission, and comprehensive audit trails enabling accountability. 13
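As an added illustration (not code from the article or from any product it mentions), the sketch below puts the pseudonymization, RBAC and audit-trail ideas of this section into working form: identifying details live in a separate vault, clinical notes reference only a random token, each role may perform only certain actions, every access attempt is logged whether or not it is allowed, and log pruning respects the one-year retention floor. The role names, token format, permission labels and the sample patient are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role model (an assumption, not taken from the Act or Rules):
# which roles may handle clinical notes and which may resolve a token to a name.
PERMISSIONS = {
    "clinician": {"notes", "reidentify"},
    "receptionist": {"reidentify"},   # needs name and phone for scheduling, not notes
    "researcher": {"notes"},          # works on pseudonymous records only
}

# Access logs must be kept for at least a year; pruning never drops newer entries.
LOG_RETENTION = timedelta(days=365)


@dataclass
class PseudonymisedStore:
    identity_vault: dict = field(default_factory=dict)  # token -> {"name", "phone"}
    clinical: dict = field(default_factory=dict)        # token -> list of notes
    audit_log: list = field(default_factory=list)       # who did what, when, allowed?

    def enrol(self, name, phone):
        """Issue a random token; identity goes to the vault, never into clinical records."""
        token = "PT-" + secrets.token_hex(4).upper()   # constructed token format
        self.identity_vault[token] = {"name": name, "phone": phone}
        self.clinical[token] = []
        return token

    def add_note(self, user, role, token, note, now=None):
        self._authorise(user, role, "notes", token, now)
        self.clinical[token].append(note)

    def read_clinical(self, user, role, token, now=None):
        self._authorise(user, role, "notes", token, now)
        return list(self.clinical[token])

    def reidentify(self, user, role, token, now=None):
        self._authorise(user, role, "reidentify", token, now)
        return dict(self.identity_vault[token])

    def _authorise(self, user, role, action, token, now):
        allowed = action in PERMISSIONS.get(role, set())
        # Denied attempts are logged too, so the trail shows who tried what.
        self.audit_log.append({
            "at": now or datetime.now(timezone.utc),
            "user": user, "role": role, "action": action,
            "token": token, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{role} may not {action}")

    def prune_logs(self, now):
        """Remove only entries older than the retention floor; return how many."""
        cutoff = now - LOG_RETENTION
        before = len(self.audit_log)
        self.audit_log = [e for e in self.audit_log if e["at"] >= cutoff]
        return before - len(self.audit_log)


def demo():
    """Constructed walk-through returning values a reader can inspect."""
    store = PseudonymisedStore()
    t0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    old = t0 - timedelta(days=400)                      # an entry past the floor
    token = store.enrol("A. Sample", "+91-00000-00000")  # constructed identity
    store.add_note("dr_a", "clinician", token, "Follow-up: sleep improved.", old)
    notes = store.read_clinical("res_b", "researcher", token, t0)
    try:
        store.reidentify("res_b", "researcher", token, t0)
        leaked = True
    except PermissionError:
        leaked = False
    who = store.reidentify("desk_c", "receptionist", token, t0)
    pruned = store.prune_logs(t0)
    return {"token": token, "notes": notes, "leaked": leaked, "who": who,
            "denied": sum(not e["allowed"] for e in store.audit_log),
            "pruned": pruned, "remaining": len(store.audit_log)}
```

Note that the clinical table never holds the name or phone number, so a researcher export or a compromised notes database discloses tokens only; re-identification requires both the vault and a role permitted to use it.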
Enabling Rights
Patient rights need to be enabled. This involves honoring the right to receive a summary of the acquired data, information about the identities of persons who receive and handle the data, and descriptions of data that are shared with others [Ch. III, S. 11]. This also includes the right to correct or erase data (unless required for treatment or legal purposes; [Ch. III, S. 12]) and address grievances [Ch. III, S. 13]. Rule 13 outlines the relevant procedures and Rule 9 provides instructions regarding the publication of contact information for data-related questions.
The DPDPA allows withdrawal at any time under Section 5(f), but the consequences (e.g., inability to access digital aids) must be clearly stated beforehand under the transparency principle. 5 Clinical scenarios may include patients initially sharing a comprehensive history, then withdrawing consent for record sharing with insurance or hospital systems, or patients undergoing religious conversion or gender transition who later choose to restrict disclosure to maintain social safety. Patients should ideally have granular control over different categories of health information, allowing them to consent to immediate treatment while maintaining privacy over details not directly relevant to current care needs.
Data Breach
Specific procedures need to be followed in the event of a data breach. If patient data privacy is compromised, affected patients and the Data Protection Board need to be informed immediately [Ch. II, S. 8(6)] and relevant details should be provided; the content of the notification and the timeline for making it are specified in Rule 7. HCPs, therefore, need to have plans in place, in advance, for what to do if there is a breach. Records of the breach and of the actions taken need to be preserved.
Third-party Involvement
Security procedures need to be followed when liaising with third-party vendors. These vendors include collaborating laboratories, providers of electronic health record software, and others. Cross-organizational healthcare data sharing presents well-documented challenges15,16 that are now compounded by DPDPA compliance requirements. The HCP is required to obtain signed data protection agreements with all vendors who handle patient data [Ch. II, S. 8(2); Rule 6(1)(f)]; these vendors should themselves follow good security practices, and the contracts must oblige them to protect the data. The burden of responsibility lies with the HCP [Ch. II, S. 8(1)].
Transfer of Data Out of India
Transfer of data out of India is restricted. The government prohibits the transfer of data to other countries, as may be notified [Ch. IV, S. 16], and transfers are subject to specified requirements regarding foreign access (Rule 14). HCPs should therefore be aware of vendor location, if the vendors will have access to the data; a non-obvious example is cloud storage of data outside India.
Significant Data Fiduciaries (SDFs)
Practices handling very large volumes of sensitive data or meeting other criteria may be notified as SDFs [Ch. II, S. 10]. SDFs have extra responsibilities, including appointing a Data Protection Officer and an independent auditor, and conducting regular Data Protection Impact Assessments [Ch. II, S. 10(2); Rule 12].
Exemptions
The Act includes exemptions where certain provisions (of the Act) may not apply. As examples, data may need to be released, on demand, such as when processing legal or insurance claims, when responding to judicial or regulatory requests, in crime prevention/investigation contexts, or for specified research/archiving/statistical purposes under prescribed standards [Ch. IV, S. 17; Rule 15].
Challenges in Implementation
The DPDPA was framed to enhance data privacy and security. Citizens are expected to follow the law, and the letter of the law must be respected; the spirit of the law is a matter for courts to decide. In this context, HCPs who follow the letter of the law will find that implementing the provisions of the DPDPA will tax resources and hinder workflow. However, given the legitimate patient interests in privacy protection and the documented harms that can result from privacy breaches, the challenge lies in implementing these protections efficiently rather than questioning their necessity. Challenges in the implementation of the Act are examined from a clinical perspective.
Financial and Legal Burden
HCPs who conscientiously implement the DPDPA will face a financial burden. They will need to adopt software that adheres to DPDPA specifications; this is likely to require a technical upgrade, such as for encryption services (Rule 6). Staff will need to be trained. Legal assistance may be necessary to prepare bespoke consent forms and data processing agreements. An additional burden, in this context, is that the HCP, as the data fiduciary, is fully responsible for compliance with the Act even when subordinate staff record and process data, and even when third-party services are used, such as for electronic health records, prescription and billing, laboratory services, and cloud storage of data.
While these implementation costs are significant, privacy protection represents a fundamental healthcare obligation that cannot be compromised due to financial considerations. 17 Best practices involve integrated digital consent modules, institutional templates, and linkage with hospital information systems (HIS) so that patient workflows are not disrupted. The Ministry of Health and Family Welfare may play a coordinating role in standardizing compliance tools across institutions.17,18
Solo practitioners and small establishments would find it harder to absorb the costs than large institutions; the burden may be passed on to patients. The almost unthinkable alternative is to do without these facilities and offer barebones services based on paperwork alone. These challenges will be particularly felt in rural healthcare settings where digitalization barriers already exist. 19
Consenting
HCPs who conscientiously implement the DPDPA will struggle with clinical workflow. The consenting process will consume precious time in a busy clinic or OPD and will divert resources from clinical care to administrative work. Consenting will be particularly difficult when “verifiable” parental/guardian consent needs to be obtained, or when adults with fluctuating capacity are being assessed. These problems will be even greater when patients present in a crisis or during teleconsultations. Existing telepsychiatry and telemedicine guidelines 20 will require significant updates to incorporate DPDPA consent requirements.
M-HCPs, in particular, will face a double consent burden. M-HCPs already navigate consent for treatment under frameworks such as the Mental Healthcare Act, 2017. The DPDPA adds a separate, distinct layer of consent specifically for data processing. This requirement for two sets of detailed consent discussions at the beginning of a therapeutic relationship will be burdensome to patients as well as M-HCPs. In the initial therapy session, introducing lengthy, legalistic DPDPA consent forms (Rule 3) alongside discussions about clinical consent will increase administrative time and could (especially for anxious or mistrustful patients) feel bureaucratic, potentially hindering the early formation of a strong therapeutic alliance crucial for effective treatment.
The law assumes that patients will carefully read and understand detailed privacy notices (Rule 3) before giving informed consent [Ch. II, S. 6]. This assumption can be problematic when patients are poorly educated, old, too ill to care, or merely not “tech-savvy.” Furthermore, in practice, many individuals may sign forms without fully absorbing the information (“notice fatigue”). This raises questions about whether the significant effort required from practitioners to create these detailed notices and to consent patients merely pays lip service to patient rights or truly translates into enhanced patient understanding and autonomy in the real world. Readers are reminded that almost nobody reads agreements, terms and conditions, and other notices when visiting websites or installing software; default behavior is to automatically click “Accept.”
Data Erasure
The patient’s right to request data erasure will conflict with the clinical importance of maintaining continuity in health records for safe and effective treatment, especially for chronic or recurrent conditions. As examples, medical records include documentation of special risks, ranging from drug allergies to vulnerability to suicide attempts. Medical records also document what treatment worked and in what doses, and what did not. Without medical records, every consultation is a new consultation.
Navigating Legal Ambiguity
The Act and Rules use terms such as “reasonable” security safeguards [Ch. II, S. 8(5)], “significant” breach, or processing “likely to cause harm” to a child [Ch. II, S. 9(2)] without providing clear, objective thresholds or sector-specific definitions for mental healthcare. This ambiguity is problematic. How do HCPs in clinical practice determine if their security measures are sufficiently “reasonable” to avoid significant penalties? What constitutes “verifiable” consent in different clinical scenarios? Lack of clear benchmarks makes compliance challenging and potentially exposes well-intentioned practitioners to legal risks.
Enforcement, Penalties, and Accountability Asymmetry
The DPDPA imposes substantial penalties for breaches [Ch. VIII, S. 33; Schedule]. Although mitigation efforts are considered [Ch. VIII, S. 33(2)], the maximum penalties could disproportionately harm smaller practices. There is also an asymmetry: the private sector, including private practitioners, can be heavily penalized, while government entities processing personal data can operate under broad exemptions [Ch. IV, S. 17(2)] where the core provisions of the Act, including penalties for breaches, may not apply. Thus, there are different standards of accountability for similar events.
Suggestions
We provide a few examples to illustrate the quandaries that clinicians may face. At the risk of seeming presumptuous, we offer suggestions for the implementation of the DPDPA. The suggestions acknowledge the importance of data protection while addressing the practical realities of healthcare delivery in different settings.
Clinical Quandaries
If a patient visits a healthcare facility and refuses consent for the data to be digitally acquired, stored, and processed, can the consultation continue? If it does, and if no records are maintained, every repeat visit will need to be treated as a fresh consultation, continuity of care will be compromised, and the healthcare facility will have no records to defend itself against malpractice litigation should the situation arise. While respecting patient autonomy in data decisions, streamlined consent processes that clearly distinguish between essential clinical data and optional data sharing could help balance patient rights with clinical necessities.
The same concerns apply if patients, having initially consented, at a future time request deletion of records. Particular consideration should be given to requests for erasure of medico-legally important information. For example, deletion of records documenting drug allergies or suicide risk could compromise patient safety in future encounters. A balanced approach might involve detailed discussions with patients about the potential consequences of data erasure while respecting their ultimate right to control their information, except where retention is essential for immediate safety or legal requirements.
Rather than assuming implied consent for digital records, healthcare facilities should develop efficient consent processes that genuinely inform patients while avoiding unnecessary bureaucracy. This could include layered consent options where patients can make granular choices about different types of data use.
Implementation Frameworks
Clinics and hospitals are not the same as (for example) banking and financial institutions, and so data protection in healthcare and data protection in other environments cannot be bracketed together. It is therefore reasonable for the DPDPA provisions, from requirements to penalties, to vary between healthcare environments and other environments, and, within healthcare environments, between private clinics and small medical facilities on the one hand and large facilities and hospital chains on the other. The approach should build upon existing work on mental health app regulations 21 to create comprehensive digital mental health data governance frameworks.
As suggestions, separate frameworks for consenting, data security, enabling rights, data breach, third-party involvement, and so on can be considered for different healthcare environments. These frameworks should keep in mind the administrative need, resources available, and ground realities of practicability. Experience from telemedicine implementation has shown that simpler approaches to health record maintenance can improve acceptability among healthcare providers while maintaining care quality. 22 The difference between what is ideal and what is feasible should be recognized and respected. Reasonable time windows for compliance should be provided.
Regulatory interpretation should reflect these contextual differences while maintaining core data protection principles. The heavy penalty provisions [Ch. VIII, S. 33] could shatter small health practices if applied without consideration of context. We recommend education and remediation over punitive measures. Regulatory assessments should consider practice context, resource limitations, good-faith compliance efforts, and potential impacts on care access when evaluating potential violations. Establishing a healthcare advisory mechanism at the Data Protection Board would facilitate ongoing dialogue regarding implementation challenges and avenues for improvement. Such engagement would support evidence-based regulation, balancing privacy protection with ground realities.
The Data Protection Board, in consultation with professional bodies in healthcare, should develop sector-specific guidance for common clinical scenarios. This guidance should provide concrete interpretations of key provisions, including operational definitions of “reasonable” security measures across different practice contexts, decision frameworks for managing consent with patients experiencing fluctuating capacity, protocols for balancing data protection requirements with therapeutic necessities, and procedural guidelines for emergency interventions where immediate clinical needs temporarily supersede formal data processing requirements. Special situations should be considered, such as the location of service providers and servers for cloud storage of data.
Implementation Support
HCPs will need to be made aware of the provisions of the Act and of methods for its implementation. Governmental agencies and medical societies can conduct awareness and training workshops and create resources that provide technical assistance.
Developing templates for consent forms, privacy notices, and data processing agreements, and developing educational materials in different languages would reduce implementation burdens for practitioners and improve compliance with the provisions of the Act. These materials would need to be tailor-made for different patient subpopulations, for example, based on age, disability, capacity, literacy, and technological awareness, as well as for different healthcare contexts, for example, based on emergency needs, clinic size, and face-to-face versus teleconsultation models.
A special suggestion is that the government can itself provide authorized portals that registered HCPs can access for electronic medical records that are DPDPA compliant. This would substantially reduce the implementation burden as well as help create a “one nation, one medical database” that would have immense value for healthcare research. Implementation mechanisms should not inadvertently create barriers to care.
Conclusions
Addressing the practice-oriented challenges discussed in this article requires not only effort from HCPs but also clear, sector-specific guidance from regulators, accessible resources (especially for smaller HCP facilities), and an enforcement approach that recognizes the realities of clinical practice. Thought should be given to future challenges, such as the use of artificial intelligence tools in diagnostics. 23
Records need to be kept. At the risk of repetition, HCPs are reminded that, in all regards, records need to be kept to prove compliance with the provisions of the DPDPA, and for legal purposes, should the need arise.
On a parting note, the contents of this article do not comprise a comprehensive discussion on the contents of the Act and of its relevance to different aspects of mental healthcare, including interface with other Acts that have an impact on mental healthcare. We intend to address such other aspects of the DPDPA in future articles.
Footnotes
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Declaration Regarding the Use of Generative AI
None used.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
