Schedule II: Standards for Processing of Personal Data by the State and its Instrumentalities
SECOND SCHEDULE [See rules 5(2) and 15] Standards for Processing of Personal Data by the State and its Instrumentalities (click to expand)
Implementation of appropriate technical and organisational measures to ensure effective observance of the following, in accordance with applicable law, for the processing of personal data, namely:—
(a) Processing is carried out in a lawful manner;
(b) Processing is done for the uses specified in clause (b) of section 7 of the Act or for the purposes specified in clause (b) of sub-section (2) of section 17 of the Act, as the case may be;
(c) Processing is limited to such personal data as is necessary for such uses or achieving such purposes, as the case may be;
(d) Processing is done while making reasonable efforts to ensure the accuracy of personal data;
(e) Personal data is retained till required for such uses or achieving such purposes, as the case may be, or for compliance with any law for the time being in force;
(f) Reasonable security safeguards to prevent personal data breach to protect personal data in the possession or under control of the Data Fiduciary, including in respect of any processing undertaken by it or on its behalf by a Data Processor;
(g) Where processing is to be done under clause (b) of section 7 of the Act, the same is undertaken while giving the Data Principal an intimation in respect of the same and—
(i) giving the business contact information of a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of her personal data;
(ii) specifying the particular communication link for accessing the website or app, or both, of such Data Fiduciary, and a description of other means, if any, using which such Data Principal may exercise her rights under the Act; and
(iii) is carried on in a manner consistent with such other standards as may be applicable to the processing of such personal data under policy issued by the Central Government or any law for the time being in force; and
(h) Accountability of the person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, for effective observance of these standards.
The Second Schedule sets out mandatory data protection standards for government bodies, public agencies, and other State entities that handle citizens’ personal data. These standards ensure that all data processing — even when done by the State — follows the same privacy and security expectations as private entities under the DPDPA.
(a) Processing must be lawful
All personal data collection or use by government agencies must be legally justified — either through an Act, an official notification, or a legitimate public function recognised under Section 7(b) of the DPDPA.
If the Passport Office collects biometric data, it must do so under the Passports Act and only for verifying identity. Using that data for unrelated purposes (like background checks for jobs) would be unlawful.
(b) Processing must match defined public purposes
Data collected must be used only for:
- State functions under Section 7(b) — e.g., welfare delivery, licensing, taxation, law enforcement; or
- Public research/statistical uses under Section 17(2)(b) — e.g., population studies, infrastructure planning.
Using the same data for commercial or political profiling would breach this rule.
Always link each dataset to a clear, written purpose and retain documentation showing the lawful basis for processing.
(c) Data minimisation
Only the minimum personal data required to fulfil the purpose should be processed. Unnecessary data fields increase risk without improving outcomes.
A government scholarship portal should collect academic marks and income proof — but not religious affiliation, voter ID, or family medical history, unless legally justified.
(d) Ensuring accuracy
Departments must make reasonable efforts to verify accuracy before using data for decisions. Incorrect information can cause denial of benefits, fines, or wrongful actions.
This can include cross-verification with Aadhaar, DigiLocker, or user self-verification steps before final processing.
(e) Limited data retention
Data should be kept only as long as necessary for the purpose or as required by law. Once the reason for holding data ends, it must be securely deleted or anonymised.
A Disaster Relief Department may collect household details for flood compensation. Once payments are completed and audited, those personal records should be securely deleted unless another law requires retention.
(f) Security safeguards
The State or its contractors must protect data against breaches, unauthorised access, or misuse. Security measures include encryption, firewalls, access logging, and staff training. The same standards apply if a private vendor (Data Processor) handles the data on the government’s behalf.
If a State government outsources its e-citizen portal to a private IT firm, that firm must implement secure access controls, data encryption, and breach response mechanisms under a legal contract.
(g) Intimation to the Data Principal (citizen)
When processing occurs under Section 7(b), the individual must be informed — at least through a notice or announcement — that their data is being processed, along with:
- Contact details of a responsible officer (for questions or redressal).
- Web/app links where individuals can exercise their data rights (like access or correction).
- Reference to applicable policy or law justifying the processing.
This promotes transparency, even for State functions.
Before conducting a digital census, the government must publicly notify citizens, share contact details of nodal officers, and explain where citizens can view or correct their recorded information.
(h) Accountability of decision-makers
The person or authority who determines how and why data is processed — often called the Data Fiduciary — is accountable for ensuring compliance with these standards. This includes oversight of processors, contractors, and staff who handle personal data.
Accountability ensures traceability — if a breach or misuse occurs, the responsible officer or agency must answer for it, not just blame third parties.
The Second Schedule enforces lawfulness, transparency, security, and accountability in how the government processes personal data. It ensures that public bodies — while serving legitimate state functions — remain bound by privacy standards, limited data use, and the obligation to protect citizens’ trust.