DPDP Act Rules for Government Data Use and Public Services

Posted On - 21 November, 2025 • By - Jidesh Kumar

Introduction

India’s rapid digitalisation has placed government bodies at the core of some of the world’s largest public data systems – Aadhaar, UPI, DigiLocker, CoWIN, FASTag, ABHA, ONDC, and dozens of State-level platforms handling welfare delivery, taxation, mobility, and identity services. Recognising this reality, the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 establish a precise legal framework governing government access to data, public service delivery, exemptions for State functions, and obligations of government entities as Data Fiduciaries.

Unlike many jurisdictions where government access remains opaque or governed primarily by sectoral laws, India establishes a codified, transparent, statutory framework. Rule 5 and Rule 23 operationalise these provisions, detailing how government processing must occur, how public service delivery functions may override consent, and what safeguards apply to departments, statutory authorities, agencies, and government-appointed processors.

Government as a Data Fiduciary Under the DPDP Act

The DPDP Act applies equally to government bodies and private entities, except where specific exemptions are granted. Government agencies process vast amounts of data for functions such as:

  • taxation,
  • subsidies and welfare delivery,
  • identity verification,
  • public health systems,
  • law enforcement,
  • national security,
  • public order,
  • regulatory oversight.

To manage these activities, the Act creates a category of “legitimate uses” under Section 7 that apply to State functions. These legal bases are further operationalised under Rule 5 and Rule 23.

Rule 5: Public Service Delivery & Legitimate Uses for Government Processing

Rule 5 provides the most comprehensive operational guidance for State-led data processing.

The State may process personal data without consent when necessary for:

  • subsidies, benefits, certificates, licences, or permits,
  • claims administration,
  • beneficiary identification,
  • public service delivery,
  • public safety or public health measures,
  • employment of government servants,
  • disasters, emergencies, or epidemics,
  • performance of statutory functions,
  • service improvements and fraud detection.

This creates a lawful alternative to consent, based on necessity and public interest.

Even where consent is not required, Rule 5 mandates:

  • providing a privacy notice,
  • disclosing the purpose of processing,
  • informing individuals of their rights,
  • providing grievance redressal channels.

This ensures transparency despite exemptions.

Conditions for Data Sharing Between Government Bodies

Government departments may share personal data with other authorities only when necessary for:

  • public services,
  • statutory compliance,
  • welfare administration,
  • law enforcement or public order functions.

Such sharing must be documented, purpose-bound, and compliant with deletion and retention obligations.

Rule 23: Government Access, Government Directions & Regulatory Oversight

Rule 23 empowers the Central Government and the Data Protection Board (DPB) to demand information from Data Fiduciaries, including private companies, subject to defined constraints.

1. Government May Seek Information Required for Lawful Functions

The Government may request:

  • data or documents,
  • system logs,
  • compliance records,
  • processing details,
  • cross-border transfer information,
  • security architecture reports.

This is crucial for:

  • national security,
  • law enforcement,
  • investigations,
  • regulatory oversight,
  • digital public infrastructure operations.

2. However, Data Fiduciaries Are Not Required to Disclose Trade Secrets

Rule 23 makes a critical distinction – except where required by law or court order, the Government may not require Data Fiduciaries to disclose:

  • proprietary algorithms,
  • source code,
  • trade secrets,
  • competitive-sensitive data.

This becomes especially relevant for global technology companies operating in India.

3. DPB’s Investigative Powers

The Data Protection Board may require information during inquiries into:

  • breaches,
  • complaints,
  • systemic failures,
  • repeated non-compliance,
  • security weaknesses.

DPB oversight applies equally to government departments and private enterprises.

4. Balancing Sovereignty and Individual Privacy

The DPDP Act attempts to achieve equilibrium between the following:

National and Public Interest

  • Efficient welfare delivery,
  • Safety and disaster response,
  • National security and law enforcement,
  • Administrative efficiency.

Individual Rights

  • Transparency,
  • Correction and erasure (subject to legal holds),
  • Grievance redressal,
  • Fair processing.

Operational Necessity

  • Allowing the State to function without burdensome consent requirements while ensuring accountability.

The architecture mirrors global democracies where governments use alternative legal bases beyond consent—similar to GDPR’s “public task” and “legal obligation” bases.

Implications for Government Contractors and Public Infrastructure Vendors

A large portion of public service delivery is today executed through:

  • technology service providers (TSPs),
  • system integrators,
  • cloud vendors,
  • cybersecurity partners,
  • KYC providers,
  • fintech companies,
  • healthtech platforms,
  • regtech firms,
  • e-governance solution providers.

Under DPDP:

1. They are treated as Data Processors bound to government instructions.

2. They must adopt mandatory safeguards under Rule 6.

3. They must notify breaches to the government authority and DPB under Rule 7.

4. They must delete data upon instructions, subject to statutory retention laws.

5. They face liability exposure if contractual safeguards are weak.

This gives rise to a new era of “public sector data compliance.”

Accountability Mechanisms for State Processing

Even when the State processes personal data without consent, certain obligations remain mandatory:

  • implementing reasonable security safeguards (Rule 6),
  • retaining logs for one year (Rule 8),
  • providing privacy notices (Rule 3),
  • ensuring grievance redressal (Rule 14),
  • deleting data when purpose is fulfilled.

The government must comply with most duties of ordinary Data Fiduciaries, except where explicitly exempted.

Comparing India’s Framework With Global Practices

GDPR

Government bodies have specific legal bases for processing. Strong oversight by supervisory authorities.

China (PIPL)

Government data access is broad and less transparent.

US (Sectoral)

Government access varies across health, finance, and telecom laws.

India (DPDP)

Broad but purpose-bound legitimate uses. DPB oversight combined with central executive authority. Explicit prohibition on forced disclosure of trade secrets. India’s model is a hybrid, combining democratic safeguards, welfare efficiency, and statutory clarity.

Risks & Challenges for Public and Private Entities

For Government Departments

  • ensuring lawful basis documentation,
  • maintaining deletion and retention records,
  • protecting large-scale datasets,
  • preventing breaches (especially in welfare systems).

For Private Contractors

  • negotiating DPDP-compliant contracts,
  • dealing with conflicting global obligations,
  • handling multi-agency requests,
  • managing cross-border restrictions.

For Multinationals

  • responding to government data access requests while preserving global privacy commitments,
  • protecting proprietary algorithms,
  • ensuring cross-border flows meet Rule 15 requirements.

Governance Recommendations

  1. Establish “Public Data Compliance Units”: For entities serving government agencies.
  2. Implement Strong Contractual Controls: Covering security, breach timelines, deletion, and data segregation.
  3. Build Restriction-Ready Architectures: For cross-border flows subject to future government notifications.
  4. Maintain Detailed Processing Records: For DPB audits and government requests.
  5. Create Government Access Protocols: To validate and respond to data requests lawfully and transparently.
  6. For Government Bodies: Modernise internal systems, improve security, streamline deletion workflows, maintain audit trails, and reduce manual data handling.

Conclusion

Rule 5 and Rule 23 of the DPDP Rules, together with Section 7 and Section 36 of the Act, create a coherent framework for government-led data processing, public service delivery, and lawful government access. India’s approach attempts to balance efficiency, digital innovation, national interest, and individual rights within a statutory and transparent architecture.

For government agencies, the DPDP regime requires disciplined governance, modernised systems, and accountability in processing. For private and multinational companies, especially those powering India’s public digital ecosystem, these rules introduce a new category of compliance, one that blends contractual control, technical safeguards, rapid breach reporting, and structured responses to government requests.

The future of public data governance in India will depend on how effectively this balance is maintained. Companies that anticipate these obligations, strengthen architecture, and build trust-centric processes will be best positioned to operate responsibly in India’s expanding digital state.

Contributed by – Aurelia Menezes