Schedule VII: Purposes and Authorized Persons for Rule 22 (Power to Call for Information)
Schedule VII supplements Rule 22, which empowers the Data Protection Board of India to call for information from Data Fiduciaries and intermediaries.
This Schedule clarifies why such information can be demanded and who within the Board is authorized to make the request. It provides the guardrails that prevent arbitrary or excessive demands for data.
Purposes for Calling Information
Inquiry and Investigation
To examine whether a Data Fiduciary has violated provisions of the Act or Rules, especially in cases of breaches, failure to notify, or disregard of Data Principal rights.
For example, if a social media platform is accused of failing to honor consent withdrawals, the Board may demand system records showing how withdrawal requests are logged and actioned.
Monitoring and Compliance Verification
To verify whether an organization has implemented the reasonable security safeguards and governance structures required under the law.
For example, a bank may be asked to provide evidence of its encryption protocols, audit logs, and role-based access controls to confirm compliance with Rule 6.
Handling Complaints and Grievances
To resolve disputes raised by Data Principals. The Board may need transaction histories, communication logs, or grievance-handling records.
For example, if an insurance company refuses to correct a customer’s policy details, the Board can request the company’s complaint records to see how the request was handled.
Breach Assessment
To assess the nature, scope, and impact of a personal data breach reported under Rule 7.
For example, if a crypto exchange reports a breach involving leaked KYC documents, the Board may ask for detailed logs showing how the breach was detected and what containment steps were taken.
Any Other Purpose Necessary for Enforcement
The Board may also call for information if it is required to discharge any of its statutory responsibilities under the Act.
Authorized Persons
Schedule VII also specifies who within the Board is empowered to make such requests — preventing misuse or unauthorized fishing expeditions.
- Typically, the authority rests with the Chairperson or designated Members of the Board.
- In some cases, senior officers of the Board authorized by the Chairperson may issue information requests, but such powers remain under oversight.
Information requests can only be made for lawful purposes and by authorized officials. This ensures powers are strong but not arbitrary.
Importance of Schedule VII
This Schedule ensures a balance:
- The Board has the powers it needs to act as an effective regulator, uncover violations, and ensure accountability.
- Organizations are protected from arbitrary or excessive demands, because both the purposes and the authorized persons are clearly defined.
Example Scenarios
If a pharmaceutical company mishandles sensitive clinical trial data, the Board may formally demand details of its data-sharing agreements with overseas research partners.
If a retail e-commerce platform is accused of spamming customers despite consent withdrawals, the Board may demand proof of how its consent management system integrates with its marketing software.
If a stock broking firm delays reporting a breach, the Board can demand forensic evidence, internal communication records, and technical logs to determine whether the delay was intentional.
Schedule VII ensures that the Board’s oversight powers are strong yet structured.
Organizations cannot evade scrutiny by withholding information, and at the same time, they are assured that such demands will be lawful, purposeful, and issued only by authorized officials.
This maintains both regulatory effectiveness and fairness.