Rule 15: Exemption from Act for Research, Archiving or Statistical Purposes
Statutory Text — Rule 15: Exemption from Act for research, archiving or statistical purposes. (click to expand)
The provisions of the Act shall not apply to the processing of personal data necessary for research, archiving or statistical purposes if it is carried on in accordance with the standards specified in the Second Schedule.
Rule 15 introduces a limited exemption to the general obligations of the DPDPA for specific types of processing — namely research, archiving, and statistical analysis — provided such processing strictly adheres to the standards and safeguards defined in the Second Schedule. This ensures that data-driven innovation and legitimate research activities can continue without undermining individual privacy rights.
1. Scope of the Exemption
This rule applies to Data Fiduciaries and processors who handle personal data solely for non-commercial, public-interest, or knowledge-generation purposes such as academic research, scientific studies, historical preservation, or statistical modeling. The exemption is not absolute; it is conditional on compliance with the privacy-preserving standards outlined in the Second Schedule.
Typical examples of qualifying activities include:
- Conducting anonymised data analytics for public health or policy insights.
- Archiving historical documents or digital records for national preservation.
- Statistical computation by government bodies or authorised institutions for census, demographics, or economic trends.
Processing done for profit-oriented analytics, targeted advertising, or commercial exploitation does not fall under this exemption, even if labeled as “research.”
2. Linkage with the Second Schedule
The Second Schedule prescribes specific standards, controls, and safeguards that entities must observe when invoking this exemption. These typically include:
- Anonymisation or pseudonymisation of personal data before use.
- Purpose limitation, ensuring that research objectives are clearly defined and data is not reused for unrelated commercial goals.
- Data minimisation, restricting collection only to what is strictly necessary for the research.
- Security safeguards, including encryption, access control, and audit mechanisms.
- Transparency obligations, such as publishing the nature of the research or providing information to oversight authorities on request.
3. Conditions and Responsibilities
Even though exempt from certain compliance requirements (like consent management or notice obligations), Data Fiduciaries conducting research must still ensure that:
- No decision affecting a Data Principal is taken solely on the basis of such research data.
- Data used in research cannot be re-identified or linked back to individuals.
- Results are published or shared only in aggregated or anonymised form.
- The project undergoes appropriate ethical and legal review if required by institutional or government norms.
A university conducting a long-term study on digital behavior patterns may use anonymised survey responses from participants. Since the data cannot be traced back to individuals and the purpose aligns with public research, it qualifies for exemption under Rule 15.
4. Compliance Governance
Organisations relying on Rule 15 should document:
- The lawful research purpose and justification for exemption.
- Data anonymisation or pseudonymisation methods used.
- Access control and retention policies applicable to the research dataset.
- Review mechanism for verifying continued compliance with the Second Schedule.
Such documentation helps demonstrate accountability if questioned by the Data Protection Board or other authorities.
5. Policy Implications
Rule 15 reflects the DPDPA’s effort to strike a balance between privacy protection and knowledge advancement. It encourages innovation in science, education, and governance while ensuring personal data is handled responsibly. For organisations, this means developing clear internal policies distinguishing regulated data processing from exempted research activities.
Rule 15 provides a lawful pathway for research and statistical processing without breaching privacy norms. The exemption is conditional, not absolute — it applies only when data is processed with anonymisation, purpose limitation, and compliance with the Second Schedule standards.