Schedule IV: PART B - Purposes for Which Provisions of Sub-sections (1) and (3) of Section 9 Shall Not Apply
FOURTH SCHEDULE [See rule 11] PART B — Purposes for Which Provisions of Sub-sections (1) and (3) of Section 9 Shall Not Apply (click to expand)
| S. No. | Purposes | Conditions |
|---|---|---|
| 1. | For the exercise of any power, performance of any function or discharge of any duties in the interests of a child, under any law for the time being in force in India. | Processing is restricted to the extent necessary for such exercise, performance, or discharge. |
| 2. | For the providing or issuing of any subsidy, benefit, service, certificate, licence, or permit, by whatever name called, under law or policy or using public funds, in the interests of a child, under clause (b) of section 7 of the Act. | Processing is restricted to the extent necessary for such provision or issuance. |
| 3. | For the creation of a user account for communicating by email. | Processing is restricted to the extent necessary for creating such user account, the use of which is limited to communication by email. |
| 4. | For ensuring that information likely to cause any detrimental effect on the well-being of a child is not accessible to her. | Processing is restricted to the extent necessary to ensure that such information is not accessible to the child. |
| 5. | For confirmation by the Data Fiduciary that the Data Principal is not a child and observance of due diligence under rule 10. | Processing is restricted to the extent necessary for such confirmation or observance. |
Note: In this Schedule—
(a) “allied healthcare professional” shall have the same meaning as assigned under the National Commission for Allied and Healthcare Professions Act, 2021 (14 of 2021);
(b) “clinical establishment” includes all establishments and places—
(i) falling within the meaning of clause (c) of section 2 of the Clinical Establishments (Registration and Regulation) Act, 2010 (23 of 2010); and
(ii) managed by any force constituted under the Army Act, 1950, Air Force Act, 1950, or Navy Act, 1957;
(c) “educational institution” includes institutions providing academic or vocational education;
(d) “healthcare professional” shall have the meaning assigned under the National Commission for Allied and Healthcare Professions Act, 2021;
(e) “health services” shall have the meaning assigned under clause (j) of section 2 of the same Act; and
(f) “mental health establishment” shall have the meaning assigned under the Mental Healthcare Act, 2017 (10 of 2017).
This section specifies circumstances where certain restrictions under Section 9(1) and Section 9(3) of the DPDPA — which generally limit processing of children’s personal data — do not apply, provided that processing remains strictly necessary, proportionate, and protective in nature. The intent is to ensure essential services, legal duties, and child safety measures continue smoothly while upholding privacy safeguards.
1. Legal and Governmental Functions
When authorities or institutions act under a law to protect a child’s welfare, such as social services, child protection units, or juvenile boards, they may process data without requiring consent, but only to the extent necessary for lawful discharge of duties.
This ensures that government and authorised bodies can respond to cases involving child abuse, neglect, or medical emergencies promptly and lawfully.
A child welfare officer may collect and share personal details of a minor during a rescue operation or legal inquiry under the Juvenile Justice Act. The exemption allows such necessary data handling while ensuring it does not extend to unrelated purposes like profiling or public disclosure.
2. Delivery of Subsidies, Benefits, and Public Services
Government agencies and institutions may process a child’s data when issuing subsidies, scholarships, healthcare coverage, digital certificates, or public benefits. The exemption applies only where such processing is essential for providing these services or verifying eligibility.
This clause aligns with Section 7(b) of the DPDPA, which recognises processing “in the interests of the Data Principal” when public funds or legal entitlements are involved.
A state education department may collect children’s personal data to disburse mid-day meal benefits or provide free digital learning devices under a welfare scheme. This processing is lawful under this Schedule.
3. Creation of Child Email Accounts
Certain educational or communication services may create user accounts for children that allow only email-based interactions — often for academic or official communication. Such processing must be strictly confined to account creation and maintenance; the email system cannot be used for behavioural tracking, advertising, or profiling.
Schools or learning platforms offering institutional email IDs (e.g., studentname@school.edu) for correspondence with teachers and administrators may do so under this exemption, provided no commercial use of the account occurs.
4. Protecting Children from Harmful or Inappropriate Content
Data Fiduciaries can process necessary information to filter, restrict, or block access to online content that may harm a child’s psychological or emotional well-being. This exemption allows digital service providers, app developers, and educational portals to apply content moderation or parental controls responsibly.
The processing must remain limited to safeguarding functions and should not involve collecting unrelated data about browsing behaviour or preferences.
A video streaming platform may use age-based filters to prevent children from accessing adult or violent content. The platform can process limited age-related data to apply restrictions, but cannot use it for targeted advertisements.
5. Age Verification and Compliance with Rule 10
Before collecting or processing data, a Data Fiduciary must verify whether a user is a child (below 18 years) and perform due diligence as specified in Rule 10. This may involve requesting minimal personal details or using third-party verification systems. The exemption permits such data use strictly for confirming age and compliance obligations.
Once verification is complete, unnecessary information should be securely deleted.
For example, an online gaming company may request a user’s date of birth or ID proof to confirm age eligibility. After verification, it must retain only essential metadata confirming compliance and discard sensitive identifiers.
6. Legal and Ethical Boundary of the Exemption
Although the above purposes are exempted from Section 9(1) and (3), all entities remain accountable under the Act for:
- Ensuring data minimisation — collecting only what is necessary;
- Maintaining reasonable security safeguards;
- Avoiding any secondary use of children’s data; and
- Providing clear notices where practicable.
The exemptions are functional, not absolute — they exist to enable lawful and welfare-driven actions, not to dilute privacy obligations.
7. Key Takeaways for Compliance
To implement these provisions responsibly, Data Fiduciaries should:
- Clearly document the purpose and lawful basis for every child-data processing activity.
- Conduct risk and impact assessments when systems handle sensitive child data.
- Limit access to authorised personnel and ensure all data exchanges are secure.
- Establish retention limits consistent with necessity and proportionality.
- Maintain an audit trail for accountability during oversight or inspection.
The Fourth Schedule (Part B) creates a structured framework for limited, welfare-oriented processing of children’s data by lawful entities. It ensures that data handling necessary for healthcare, education, welfare, or safety is not hindered by procedural barriers, while preserving India’s commitment to children’s digital dignity and privacy. By tying each exemption to necessity and proportionality, this Schedule maintains the spirit of the DPDPA — enabling responsible innovation and governance while keeping child safety at the core.