Q3 - Does DPDPA cover non-digital data (e.g., paper records)?
No — the Digital Personal Data Protection Act, 2023 (DPDPA) does not cover purely non-digital or paper-based records. It applies only to digital personal data, or to data that has been digitized (converted from physical to electronic form).
In other words, the Act governs data in electronic form, or data that was collected offline but later stored or processed digitally. Traditional paper records that never enter a digital system are outside the scope of DPDPA.
1. Legal Definition
Section 3(a): The Act applies to the processing of digital personal data within India, and to personal data collected offline but subsequently digitized.
So:
- Digital personal data = any personal data that exists or is processed in digital form.
- Offline data that remains on paper = not covered.
- Offline data that is later digitized (e.g., scanned or entered into a system) = covered.
2. Examples of What Is and Isn’t Covered
| Type of Data | Covered by DPDPA? | Explanation |
|---|---|---|
| A hospital’s handwritten patient form kept only in a physical file | ❌ No | It is never digitized, so outside DPDPA’s scope. |
| The same form scanned and uploaded into the hospital’s patient management software | ✅ Yes | It becomes “digital personal data.” |
| A school’s student register maintained only on paper | ❌ No | Non-digital data is not covered. |
| A school entering student details from that register into its ERP or Excel sheet | ✅ Yes | Once digitized, the data falls under DPDPA. |
| CCTV footage stored on a digital recorder | ✅ Yes | It is digital data, so the Act applies. |
3. Why the Act Excludes Purely Offline Data
The DPDPA is designed specifically for the digital ecosystem — websites, apps, databases, and cloud systems — where risks of misuse, breaches, and profiling are higher.
Offline (paper-based) records are instead governed by:
- Sectoral regulations (e.g., hospital record rules, educational guidelines), or
- Other general laws like the Information Technology Act, 2000, if later digitized.
This separation prevents overregulation of small entities that maintain only paper-based systems.
For example, an NGO maintaining handwritten lists of beneficiaries for internal recordkeeping does not fall under DPDPA. But if the same lists are entered into a digital database for reporting or analytics, the data becomes subject to DPDPA compliance.
4. Caution for Organizations with Mixed Data Systems
Many organizations maintain both paper and digital records.
In such hybrid setups:
- The digital portions are regulated under DPDPA.
- The paper-only portions are not — but converting or uploading them later automatically brings them under DPDPA.
- Hence, organizations should apply similar privacy standards across both, even if the law doesn’t mandate it, to avoid inconsistencies or compliance gaps.
5. Key Takeaway
- DPDPA applies only to digital personal data, or data later digitized.
- Purely offline or paper-based records remain outside its legal scope.
- Once physical data is entered, scanned, or stored digitally, all DPDPA provisions — consent, security, breach reporting — fully apply.
Referenced Provisions:
- Section 3(a) – Applicability to digital data and digitized offline data.
- Section 2(b) – Definition of personal data (digital context).
- Section 33(1) – Penalties for breach or misuse of digital personal data.