Processing of Personal Data of Persons with Disabilities under the DPDP Act, 2023: Role of Lawful Guardians

Executive Summary

The Digital Personal Data Protection Act, 2023 (DPDP Act) recognises that certain individuals, due to disability or incapacity, may not be able to provide valid consent on their own. In such cases, the Act requires that lawful guardians provide consent on behalf of the data principal. This safeguard is intended to protect vulnerable populations while ensuring their participation in India’s digital economy.

The requirement introduces complex challenges: verifying guardianship, preventing misuse, and ensuring accessibility in consent and notice mechanisms. Fiduciaries must balance legal compliance with ethical responsibility, especially in sensitive sectors such as healthcare, education, fintech, and government welfare services.

Introduction: Privacy for Vulnerable Populations

Privacy is a universal right, but not everyone can exercise it equally. Persons with severe disabilities may face barriers in understanding notices, giving consent, or exercising rights under the DPDP Act. To address this gap, the Act mandates that lawful guardians act as proxies for such individuals, thereby embedding a supported decision-making model into India’s privacy regime.

This framework reinforces India’s obligations under the Rights of Persons with Disabilities Act, 2016 (RPwD Act) and aligns with the UN Convention on the Rights of Persons with Disabilities, which India has ratified.

Statutory Framework under the DPDP Act

• Consent must ordinarily be given by the data principal.
• Where the data principal is a child or a person with disability unable to provide consent, it must be obtained from their lawful guardian.
• Fiduciaries must ensure that consent provided through guardians meets all validity requirements (free, informed, specific, unambiguous, unconditional).
• This provision elevates the guardian’s role into the privacy governance process, making fiduciaries accountable for verifying and respecting such consent.

Role of Lawful Guardians

Who Qualifies as a Lawful Guardian?

• Parents of minors.
• Court-appointed guardians under the Guardians and Wards Act, 1890.
• Guardians recognised under the RPwD Act, 2016.
• Persons legally authorised by power of attorney in specific cases.

Guardian’s Responsibilities

• Acting in the best interest of the person with disability.
• Ensuring consent is exercised transparently.
• Preventing misuse or overreach of fiduciary demands.

Practical Compliance Issues

1. Verifying Guardianship

• Fiduciaries must confirm whether the individual providing consent is legally recognised as a guardian.
• Acceptable evidence may include guardianship certificates, court orders, or government-issued documents.

2. Preventing Misuse

• Systems must be designed to ensure guardians do not misuse data principal rights for personal benefit.
• Fiduciaries should maintain audit trails of consent actions taken by guardians.

3. Accessibility of Notices and Consent Forms

• Even where guardians provide consent, notices must be designed to be accessible to the data principal, using plain-language text or audio and video formats, or assistive technology compatibility, or multiple Indian languages.

4. Balancing Autonomy and Protection

• Fiduciaries should adopt a supported consent model where possible, ensuring the person with disability participates to the extent feasible rather than relying exclusively on guardians.

Sectoral Implications

Healthcare and Health-Tech

• Hospitals must obtain guardian consent before processing data of patients unable to understand notices.
• Telemedicine platforms must verify lawful guardianship in remote consultations.
• Clinical research requires robust guardian consent protocols.

Education and Ed-Tech

• Schools and ed-tech platforms serving children with disabilities must incorporate guardian consent in onboarding.
• Accessible formats (Braille, text-to-speech) must be integrated into notice frameworks.

Fintech and Banking

• Guardians may need to provide consent for disabled individuals opening accounts or availing financial services.
• Verification of guardianship is critical to prevent fraud.

Government Services

• Welfare schemes for persons with disabilities often involve large-scale data processing.
• Agencies must ensure lawful guardians, not intermediaries, provide valid consent.

Illustrative Examples

• Healthcare: A hospital conducting surgery on a patient with cognitive disability must obtain consent from the court-appointed guardian, ensuring records of such consent are securely stored.
• Education: An ed-tech platform enrolling a 15-year-old child with severe learning disabilities must verify parental consent, and also provide audio-based notices to the child.
• Banking: A disabled adult applying for a pension scheme requires guardian consent for processing account details, verified against government-issued guardianship certificates.
• Government Services: A state welfare agency digitising disability benefit records must ensure that guardian-provided consent is logged and audit-ready.

Global Comparisons

• GDPR (EU): Requires parental consent for children under 13–16 but does not explicitly address guardianship for persons with disabilities. Member States handle this under local laws.
• LGPD (Brazil): Provides for parental/guardian consent for children but less clarity for adults with disabilities.
• PDPA (Singapore): Allows guardianship-based consent in limited cases.
• COPPA (U.S.): Focuses on children’s consent, not adults with disabilities.
• India’s approach is unique in explicitly mandating lawful guardian consent for persons with disabilities, embedding accessibility into its privacy regime.

Accessibility Requirements

Compliance cannot stop at legal guardianship, it must also ensure accessibility for the disabled data principal. Fiduciaries should:

• Provide notices in Braille, large print, and plain language.
• Offer audio and video disclosures.
• Ensure compatibility with screen readers and assistive technologies.
• Provide helplines in multiple languages for queries.

This ensures that individuals with disabilities are not excluded from understanding how their data is processed, even if guardians exercise formal consent.

Compliance Strategies for Fiduciaries

1. Guardian Verification Protocols

• Establish clear documentation standards for verifying guardianship.
• Maintain records of verification for audit purposes.

2. Accessible Notice Design

• Implement multi-format notices (visual, audio, simplified text).
• Ensure compatibility with assistive technologies.

3. Supported Consent Models

• Engage both guardian and data principal wherever feasible.
• Document the participation of the data principal to demonstrate inclusivity.

4. Audit and Oversight

• Conduct periodic audits of guardian-consent processes.
• Monitor for misuse or exploitation risks.

5. Staff Training

• Train frontline staff (healthcare, education, banking) on handling consent through guardians.

Risks of Non-Compliance

1. Regulatory Penalties: Fines up to ₹250 crore for mishandling consent.
2. Legal Challenges: Guardianship disputes could lead to litigation.
3. Reputational Harm: Mishandling data of vulnerable populations attracts severe criticism.
4. Operational Risks: Inadequate verification may result in fraudulent or invalid consent.

Conclusion & Key Takeaways

The DPDP Act embeds a strong framework for protecting persons with disabilities by mandating that lawful guardians provide consent when individuals cannot do so themselves.

Key takeaways for fiduciaries:

• Guardian consent must be verifiable, documented, and auditable.
• Notices must be accessible in multiple formats to ensure inclusivity.
• Supported consent models should be encouraged to respect autonomy.
• Sector-specific safeguards are essential in healthcare, education, fintech, and government services.

For Indian businesses, processing data of persons with disabilities is not just a compliance exercise but an ethical responsibility. Fiduciaries that integrate accessibility and inclusivity into their privacy frameworks will not only comply with the DPDP Act but also build lasting trust with vulnerable communities.

Co – Authored by – Aurelia Menezes