Schedule IV: PART A - Classes of Data Fiduciaries in Respect of Whom Provisions of Sub-sections (1) and (3) of Section 9 Shall Not Apply
FOURTH SCHEDULE [See rule 11] PART A — Classes of Data Fiduciaries in Respect of Whom Provisions of Sub-sections (1) and (3) of Section 9 Shall Not Apply (click to expand)
| S. No. | Class of Data Fiduciaries | Conditions |
|---|---|---|
| 1. | A Data Fiduciary who is a clinical establishment, mental health establishment, or healthcare professional | Processing is restricted to provision of health services to the child by such establishment or professional, to the extent necessary for the protection of her health. |
| 2. | A Data Fiduciary who is an allied healthcare professional | Processing is restricted to supporting implementation of any healthcare treatment and referral plan recommended by such professional for the child, to the extent necessary for the protection of her health. |
| 3. | A Data Fiduciary who is an educational institution | Processing is restricted to tracking and behavioural monitoring— (a) for the educational activities of such institution; or (b) in the interests of safety of children enrolled with such institution. |
| 4. | A Data Fiduciary who is an individual in whose care infants and children in a crèche or child day-care centre are entrusted | Processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in the care of such institution, crèche, or centre. |
| 5. | A Data Fiduciary who is engaged by an educational institution, crèche, or child-care centre for transport of children enrolled with such institution, crèche, or centre | Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche, or centre. |
The Fourth Schedule identifies specific categories of organisations and professionals who process children’s personal data for limited, protective purposes, and therefore receive conditional exemption from certain provisions of Section 9 of the Digital Personal Data Protection Act (DPDPA).
This exemption recognises that certain activities — such as medical care, education, or child safety — require the use of minors’ data under strict professional responsibility and safeguards. The focus remains on necessity, proportionality, and protection.
1. Clinical, Mental-Health, and Healthcare Professionals
Entities in the medical and mental-health domains may process a child’s personal data only to the extent necessary for providing healthcare services and ensuring well-being. This includes hospitals, paediatric clinics, therapists, counsellors, and registered healthcare practitioners.
The exemption enables timely medical treatment and emergency response without procedural delays in obtaining explicit parental consent for every act of data processing.
If a paediatric hospital needs to record a child’s medical history, vaccination status, or diagnostic results during treatment, it may process this information for clinical purposes. However, it cannot reuse the data for research or commercial analytics unless fresh consent is obtained.
2. Allied Healthcare Professionals
This category covers physiotherapists, occupational therapists, dieticians, or rehabilitation specialists who support primary medical practitioners. They may process personal data related to a child’s health solely for implementing or referring to treatment plans and only as much as is essential for safeguarding health.
The rule ensures smooth coordination among healthcare providers while maintaining confidentiality.
Allied professionals should limit shared information to treatment-relevant details — for example, sharing dietary instructions or physiotherapy schedules — and avoid retaining full medical histories unless required.
3. Educational Institutions
Schools, colleges, and other educational bodies may process children’s data for tracking or behavioural monitoring strictly within two contexts:
- For academic and administrative purposes directly linked to education, or
- For maintaining the safety and security of enrolled students.
This provision enables educational institutions to use attendance systems, learning-analytics platforms, and security tools responsibly while avoiding misuse of children’s personal information.
A school may monitor attendance through smart ID cards or digital attendance software, and track students during school trips for safety. It may not, however, share this data with advertisers or third-party tutoring apps.
4. Child-Care and Day-Care Providers
Individuals or institutions that operate crèches or day-care centres may process personal data of infants and young children for safety and welfare monitoring. The exemption allows them to record attendance, dietary needs, or emergency contacts to ensure proper care during the day.
Data handling must still respect privacy principles and should not extend to non-essential profiling or disclosure.
A child-care provider may log a child’s daily arrival, pick-up times, and health observations, but cannot share this information publicly or with unauthorised persons.
5. Transport Service Providers for Educational or Child-Care Institutions
Transport services, such as school bus operators or authorised logistics partners, may collect and process location data of children exclusively for ensuring safe travel between home and the institution. This exemption enables real-time tracking and parental notifications while maintaining confidentiality and purpose limitation.
Once travel is completed, location data should not be retained beyond what is necessary for safety verification or incident response.
A school transport operator may use GPS to inform parents when a bus reaches the school or a designated stop. However, retaining that movement data for months or sharing it with unrelated third parties would violate the proportionality principle.
6. Significance of the Exemption
These exemptions balance two equally important objectives —
- Protecting children’s safety, health, and education, and
- Preventing over-collection or misuse of minors’ personal data.
All exempted entities must still follow the broader obligations of the DPDPA, such as ensuring data security, restricting access to authorised personnel, and maintaining audit trails.
7. Compliance Recommendations
To remain compliant under this Schedule, organisations and individuals should:
- Maintain clear records of purpose and necessity for each instance of data processing.
- Adopt strong data security and access controls, especially where digital systems are used.
- Train staff on ethical handling of children’s information.
- Regularly review retention periods and delete data once its purpose is fulfilled.
- Provide transparency notices to parents or guardians, explaining how and why children’s data is used.
The Fourth Schedule (Part A) establishes a framework of controlled exemptions for institutions and professionals entrusted with the care, education, and health of children.
It allows essential processing of minors’ data under conditions of necessity and safety, while upholding accountability, transparency, and respect for privacy.
These measures reinforce the DPDPA’s principle that data protection must coexist with the protection of life, health, and security - especially for the country’s youngest citizens.