Skip to main content

Q5 - Can government bodies also be Data Fiduciaries? If yes, do they follow the same rules as private companies?

Answer

Yes. Under the Digital Personal Data Protection Act, 2023 (DPDPA), government bodies and instrumentalities of the State can also act as Data Fiduciaries.

According to Section 2(s) and Section 7(b)–(d), the State and its instrumentalities are included within the definition of a “person.” This means that whenever a government department, ministry, or agency collects and processes personal data for lawful purposes — such as issuing licences, delivering subsidies, or providing welfare services — it functions as a Data Fiduciary.

Applicability of Rules to Government Bodies

In general, government Data Fiduciaries are expected to follow the same principles as private organizations — including the need for lawful processing, purpose limitation, data security, and grievance redressal. However, certain relaxations and exemptions are provided under Section 17(2) and (4) of the Act to account for public interest and national security functions.

Special Provisions and Exemptions

  1. Sovereignty and Security Exemption (Section 17(2)(a))

    • The Central Government may exempt specific government departments or instrumentalities from certain provisions of the Act.
    • This can be done for reasons such as national security, public order, friendly relations with foreign States, or preventing incitement to cognizable offences.

  2. Public Interest Processing (Section 7(b)–(h))

    • Government bodies may process personal data for activities such as delivering subsidies, benefits, licences, certificates, or responding to emergencies and disasters, even without explicit consent — provided the processing serves a lawful purpose.

  3. Limited Exemptions for Administrative Efficiency (Section 17(4))

    • When the State processes personal data for functions that do not involve decision-making affecting an individual, some procedural requirements (like correction and erasure timelines) may not apply.

  4. Accountability and Security Obligations (Section 8)

    • Despite these exemptions, all government Data Fiduciaries must implement reasonable security safeguards, prevent personal data breaches, and ensure fair processing in line with the principles of the Act.
Example

A government department collecting citizens’ personal data to issue driving licences acts as a Data Fiduciary. It must secure the collected data, restrict its use to lawful purposes, and provide grievance mechanisms for individuals. However, if the same department processes data related to national security investigations, that specific activity may be exempted under Section 17(2)(a).

Referenced Provisions:

  • Section 2(s) – Defines “person” to include the State.
  • Section 7(b)–(h) – Lists legitimate uses applicable to government functions.
  • Section 8 – Outlines general obligations of all Data Fiduciaries.
  • Section 17(2) & (4) – Provides exemptions for State and government processing in public interest and sovereign functions.