Rule 11: Verifiable Consent for Processing of Personal Data of Person with Disability who has Lawful Guardian
11. Verifiable consent for processing of personal data of person with disability who has lawful guardian
(1) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, or by a designated authority or by a local level committee, under the law applicable to guardianship.
(2) In this rule, the expression—
(a) “designated authority” shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity;
(b) “law applicable to guardianship” shall mean,—
(i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and
(ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder;
(c) “local level committee” shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999);
(d) “person with disability” shall mean and include—
(i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
(ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions.
Rule 11 establishes a specialised framework for obtaining verifiable consent when the personal data being processed belongs to a person with disability who is legally incapable of taking binding decisions. This rule acknowledges that certain individuals require the assistance of a lawful guardian, and therefore places strict requirements on Data Fiduciaries (DFs) to ensure that the person claiming to be the guardian is legally authorised to act on behalf of the individual. Rule 11 prevents misuse of authority, protects vulnerable individuals from exploitation, and ensures that only lawful guardians may consent on their behalf.
1. Purpose and Legal Intent of Rule 11
Rule 11 is designed to protect persons with disabilities who, despite receiving adequate support, are unable to take legally binding decisions. Such individuals rely on lawful guardians appointed under recognised statutes. The rule requires DFs to verify the legitimacy of the person acting as the guardian before processing the data of the person with disability.
The legal intent behind Rule 11 is grounded in:
- Preventing unauthorised individuals from acting as guardians.
- Ensuring that guardianship is validated through legally recognised institutions.
- Protecting the dignity, autonomy, and rights of persons with disabilities.
- Aligning data-processing safeguards with rights guaranteed under disability-welfare laws in India.
This rule raises the threshold of diligence required from DFs, because inaccurate or negligent acceptance of a false guardian’s consent could directly harm a vulnerable individual.
Unlike Rule 10 (children), Rule 11 does not allow a general “parental” or “relative” claim. Guardianship must be proven through legal appointment. Verifiable consent under Rule 11 requires evidence of lawful guardianship.
2. The Core Requirement: Verifiable Consent from a Lawful Guardian
Rule 11(1) mandates that a Data Fiduciary must exercise due diligence while obtaining verifiable consent from an individual claiming to be the lawful guardian of a person with disability. This due diligence is not optional; it is a pre-condition for any processing activity.
The DF must verify that the guardian:
- Has been appointed by a court of law,
or - Has been appointed by a designated authority,
or - Has been appointed by a local level committee constituted under the National Trust Act.
This means a DF cannot accept consent from a family member, caretaker, friend, or relative simply because they “look after” the person with disability. Only guardianship granted under the appropriate statute is acceptable.
The DF must also ensure that the verification process is documented, traceable, and capable of being produced during regulatory audits or legal proceedings.
3. Recognised Sources of Lawful Guardianship
Rule 11 provides an authoritative list of the three entities whose appointment of guardians carries legal force.
3.1 Guardians Appointed by a Court of Law
Courts may appoint guardians for individuals who lack legal decision-making capacity. The DF must verify official court orders, appointments, or guardianship certificates issued following judicial proceedings.
3.2 Guardians Appointed by a Designated Authority
A “designated authority” under Section 15 of the Rights of Persons with Disabilities Act, 2016 (RPwD Act) may appoint a guardian to support the person with disability. The DF must verify documents issued by such authorities, which may include state-notified bodies or disability commissioners.
3.3 Guardians Appointed by a Local Level Committee
Section 13 of the National Trust Act, 1999 empowers Local Level Committees (LLCs) to appoint legal guardians. These committees operate at the district level and issue guardianship orders for specific categories of disabilities, particularly cognitive and developmental disabilities.
The DF must not process any personal data until it has verified that the individual claiming to be the guardian appears in one of the above legally recognised categories. Self-appointed, assumed, or family-based guardianship is not sufficient.
4. Definitions Under Rule 11(2)
Rule 11(2) includes four definitions that determine how guardianship and disability must be interpreted for the purpose of this rule.
4.1 Definition of “Designated Authority”
A designated authority refers to an authority established under Section 15 of the Rights of Persons with Disabilities Act, 2016. Its function is to support persons with disabilities in exercising their legal capacity. These authorities:
- Provide support for decision-making,
- Assist in legal representation,
- Appoint guardians when required.
Such appointments carry legal force and must be recognised by the DF during verification.
4.2 Definition of “Law Applicable to Guardianship”
Rule 11 differentiates between two statutory pathways depending on the nature of the disability:
(i) For long-term physical, mental, intellectual, or sensory impairments
The applicable law is the Rights of Persons with Disabilities Act, 2016, which governs cases where an individual:
- Has a long-term impairment,
- Faces barriers that prevent full participation in society,
- Despite adequate support, is unable to take legally binding decisions.
The RPwD Act emphasises inclusion, support-based decision making, and proportional guardianship.
(ii) For autism, cerebral palsy, mental retardation, or severe multiple disabilities
The governing law is the National Trust Act, 1999, which covers:
- Individuals with developmental or cognitive disabilities,
- Persons with severe multiple disabilities,
- Cases involving combinations of two or more listed conditions.
The National Trust Act explicitly authorises Local Level Committees to appoint guardians.
A DF must understand which statute applies based on the nature of the disability, because the verification documents, issuing authorities, and guardianship structure differ significantly between the RPwD Act and the National Trust Act.
4.3 Definition of “Local Level Committee”
A Local Level Committee (LLC) is constituted under Section 13 of the National Trust Act, 1999. LLCs perform the following functions:
- Evaluate applications for guardianship,
- Assess the needs of individuals with developmental disabilities,
- Issue guardianship orders for legally incapacitated persons,
- Monitor the guardian’s conduct and compliance.
A DF must validate guardianship certificates or orders issued by LLCs when such documents are presented as proof.
4.4 Definition of “Person with Disability”
Rule 11(2)(d) defines a “person with disability” specifically for the purpose of guardianship and consent. The definition covers two categories:
(i) Individuals with long-term physical, mental, intellectual, or sensory impairments
These individuals face functional barriers that prevent full participation, and despite appropriate support, they are unable to make legally binding decisions.
(ii) Individuals with autism, cerebral palsy, mental retardation, or severe multiple disability
These individuals may have developmental or cognitive conditions that prevent them from taking legally binding decisions, even with adequate support.
This definition focuses on the ability to take decisions—not merely on the presence of a disability.
A DF must verify that the individual meets this definition before applying Rule 11. Not all persons with disabilities require a lawful guardian; only those who lack legal decision-making capacity fall under this rule.
5. Practical Implementation Requirements for Data Fiduciaries
To comply with Rule 11, DFs must implement sophisticated verification mechanisms, as the risk of harm from unauthorised consent is extremely high.
Verification Process Design
The DF must design a structured workflow that:
- Requests guardianship documents at the point of consent,
- Validates whether the document originates from a court, designated authority, or LLC,
- Checks authenticity, including dates, seals, QR codes, or digital signatures if applicable,
- Stores verification records in secure, auditable formats.
No Processing Before Verification
The DF must not rely on declarations like “I am the guardian” or “I care for this person.” Only legally appointed guardians are acceptable, and verification must occur before any processing of the disability-related personal data begins.
Record-Keeping and Audit Readiness
DFs must maintain:
- Copies of guardianship certificates or verified digital tokens,
- Metadata showing how the DF validated the document,
- Proof that the consent was collected from a legally authorised guardian,
- Timestamps and verification logs.
Sensitivity of Disability Information
Data related to disability is highly sensitive because it pertains to medical, cognitive, or functional impairments. Mistakes in processing may affect dignity, autonomy, and legal rights.
Processing disability-related personal data without verifying lawful guardianship is a serious violation. Such processing may be treated as unlawful from its inception and expose the DF to significant penalties and regulatory action.
6. Compliance Objective of Rule 11
Rule 11 ensures that:
- Only legally authorised guardians can make decisions regarding the personal data of individuals who cannot legally decide for themselves.
- Data Fiduciaries cannot rely on informal caregivers or unverified claims of guardianship.
- Disability-related data is handled with heightened responsibility and documented verification.
- India’s disability-rights protections are aligned with data-protection principles under the DPDPA.
Through strict verification requirements and statutory definitions, Rule 11 creates a strong protective layer around some of the most vulnerable members of society and ensures that their autonomy and privacy are safeguarded.