Skip to main content

Schedule VII: Purposes And Authorised Persons For Which Information May Be Called For Under Section 36 Of The Act

SEVENTH SCHEDULE [See rule 22(1)] — Purposes and Authorised Persons for Which Information May Be Called for Under Section 36 of the Act (click to expand)
S. No.PurposeAuthorised Person
1.Use by the State or any of its instrumentalities, of personal data of a Data Principal in the interest of sovereignty and integrity of India or security of the StateSuch officer of the State or of any of its instrumentalities notified under sub-section (2) of section 17 of the Act, as the Central Government or the head of such instrumentality, as the case may be, may designate in this behalf
2.Use by the State or any of its instrumentalities for the following purposes, namely:—(i) Performance of any function under any law for the time being in force in India; or(ii) Disclosure of any information for fulfilling any obligation under any law for the time being in force in IndiaPerson authorised under applicable law
3.Carrying out assessment for notifying any Data Fiduciary or class of Data Fiduciaries as Significant Data FiduciarySuch officer of the Central Government, in the Ministry of Electronics and Information Technology, as the Secretary in charge of the said Ministry may designate in this behalf

The Seventh Schedule outlines the specific purposes for which the Central Government, State Government, or their instrumentalities can require information from a Data Fiduciary or intermediary. It also defines who is authorised to seek such information — ensuring that government access to data is lawful, limited, and transparent under the Digital Personal Data Protection Act (DPDPA), 2023.

1. Use of Personal Data for Sovereignty, Integrity, or Security of the State

This clause authorises the Government of India and its instrumentalities (such as national security agencies, intelligence divisions, defence organisations, or cybercrime units) to process or obtain access to personal data only when it is necessary to protect the nation’s core interests — including sovereignty, territorial integrity, public order, or security of the State.

The objective of this provision is not to grant unrestricted or continuous surveillance powers, but rather to enable lawful, controlled, and accountable access to information when such access is essential for protecting national interests. Every action under this clause must meet the following key conditions:

  1. Purpose Limitation:
    The use of personal data must be restricted exclusively to the defined objectives — namely, safeguarding the sovereignty, integrity, and security of the State. Any processing or sharing of data for unrelated objectives such as marketing, analytics, or profiling is strictly prohibited.

  2. Authorised Personnel Only:
    Access to data under this provision is limited to officers who have been formally designated under Section 17(2) of the DPDPA.
    Such designation is made through an official notification by the Central Government or the head of the concerned instrumentality, ensuring that each request originates from an identified, accountable, and legally empowered officer.

  3. Accountability and Record-Keeping:
    The authorised officer must maintain detailed records specifying:

    • the reason for requesting access;
    • the category and scope of personal data accessed; and
    • the duration for which the data was retained or processed.
      These records form the basis for internal audits and legal scrutiny, ensuring that every action remains within the lawful boundaries of necessity and proportionality.

  4. Proportionality and Necessity:
    Even when national security is invoked, only the minimum amount of personal data required to achieve the stated objective may be accessed or processed.
    This approach mirrors global privacy frameworks such as GDPR Article 23 and the OECD Privacy Principles, which require governments to balance public safety with individual privacy.

  5. Legal Oversight:
    Requests made under this clause can later be reviewed through judicial, parliamentary, or independent oversight mechanisms to confirm that they were lawful, necessary, and proportionate.
    Such post-access accountability strengthens transparency and public trust while discouraging misuse of authority.

Example

If the Indian Computer Emergency Response Team (CERT-In) identifies a series of coordinated cyberattacks against national infrastructure, it may authorise a designated cybersecurity officer to request specific server logs or network traces from a cloud service provider.

The request would be limited to technical identifiers (e.g., IP addresses or timestamps) essential for threat analysis. The officer must ensure the data is transmitted securely, retained only for the investigation period, and subsequently deleted or archived per legal protocols.

This controlled, documented, and proportionate access model exemplifies how Rule 22 and the Seventh Schedule uphold national security while preserving the data-protection rights of individuals.

Example

If a national cybersecurity agency detects a coordinated cyberattack, it can request limited access to user logs or IP data through a designated officer for verification and risk mitigation.

This clause authorises the State or its instrumentalities to access personal data when it is required for the performance of statutory duties or to fulfil obligations under existing laws. It recognises that certain government functions — such as maintaining public order, regulating sectors, granting licences, disbursing subsidies, or enforcing compliance — inherently involve handling citizens’ personal data. However, the access granted here is not open-ended; it is strictly confined to lawful, purpose-bound, and officially authorised scenarios.

Key Principles of Operation

  1. Lawful Basis of Access:
    Every instance of data access must be grounded in a specific legal authority — either under an Act of Parliament, a State law, or subordinate legislation such as rules or notifications.
    The DPDPA does not create new powers for data collection; it simply ensures that existing lawful functions continue in a manner consistent with privacy and accountability principles.

  2. Defined Public Purpose:
    Access to personal data is permissible only if it directly supports a legitimate governmental function — for instance, tax administration, social welfare disbursement, crime investigation, or regulatory oversight.
    Any activity that lacks a clearly identifiable legal or public purpose would fall outside this provision’s protection.

  3. Authorised Officials Only:
    Requests for data must come exclusively from officers empowered under the applicable law.
    This ensures institutional accountability and prevents misuse by unauthorised individuals or lower-level staff.
    The identity, designation, and authority of such officers must be verifiable through official notifications or departmental orders.

  4. Proportionality and Data Minimisation:
    Even when acting lawfully, government bodies are required to access only that portion of personal data necessary for the function being performed.
    This principle mirrors the proportionality standard under international data-protection frameworks and serves as a critical safeguard against excessive data collection.

  5. Purpose Limitation and Secure Use:
    Once personal data is obtained, it may be used only for the purpose for which it was collected.
    Data retention must be limited to what is operationally required or legally mandated. Appropriate technical and organisational measures (such as encryption, access logging, and internal audit) must be implemented to protect the data from unauthorised use or disclosure.

  6. Transparency and Traceability:
    Departments or agencies invoking this clause are expected to maintain documented justifications for data requests, including the purpose, scope, and authority of access.
    Such records may be subject to audit or review by internal compliance officers, the Data Protection Board, or judicial authorities, ensuring that the use of personal data remains transparent and defensible.

Example

If a State Government department responsible for issuing driver’s licences accesses citizen data from a national database to verify age, address, and identity, such access would be lawful under this clause — as it directly supports a statutory duty under the Motor Vehicles Act. However, using the same data for unrelated analytics or political profiling would violate the principle of purpose limitation and could attract penalties under the DPDPA.

Example

A government department administering welfare benefits may verify citizen eligibility using official data records, provided the request is made under a lawful policy framework and by an authorised officer.

Broader Compliance Objective

This clause reinforces the DPDPA’s vision of a rights-respecting digital government — one that continues essential public functions while upholding citizens’ privacy. By clearly defining the boundaries of lawful access, it builds a framework where data sovereignty and individual dignity coexist with efficient governance and regulatory enforcement.

3. Assessment for Significant Data Fiduciary (SDF) Classification

This allows the Ministry of Electronics and Information Technology (MeitY) to assess and designate organisations as Significant Data Fiduciaries based on factors like the scale and sensitivity of data processed. The Secretary of MeitY may appoint an authorised officer to conduct such assessments, ensuring fairness and regulatory oversight.

tip

Before classifying a company (for example, a large fintech or social media platform) as an SDF, the authorised officer may seek details on data volume, processing methods, and existing risk controls.

The Seventh Schedule establishes a legal safeguard ensuring that government access to personal data is purpose-driven, proportionate, and authorised. It upholds both national security needs and individual privacy rights, aligning with principles of accountability and minimal intrusion.

The Seventh Schedule ensures:

  • Government data requests are for legitimate, defined purposes.
  • Only designated officers can authorise such access.
  • All actions are transparent and subject to law.

This framework maintains the balance between public interest and data protection, strengthening trust in India’s digital governance ecosystem.