
Q2 - How does the law apply to NGOs, schools, and hospitals that are not-for-profit but still collect personal data?

Answer

The Digital Personal Data Protection Act, 2023 (DPDPA) applies equally to all organizations — whether for-profit or not-for-profit — as long as they collect, store, or process personal data in digital form.

This means that NGOs, schools, hospitals, and charitable trusts are all considered Data Fiduciaries under the Act whenever they handle data about individuals (Data Principals). Their non-commercial status does not exempt them from compliance.


1. Applicability in Simple Terms

Section 3(a)
The Act applies to the processing of digital personal data within India, collected online or digitized offline, regardless of whether the entity is for profit or not.

So even if a school or NGO does not sell products or services, it still processes personal data such as:

  • Student or patient names, addresses, Aadhaar numbers
  • Health or educational records
  • Donor or volunteer contact information
  • CCTV footage or biometric attendance data

Hence, DPDPA obligations apply just as they do to businesses.


2. Common Scenarios

| Type of Organization | Personal Data Collected | Purpose | DPDPA Applicability |
| --- | --- | --- | --- |
| School or College | Student names, attendance, marks, guardian details | Education management, safety, exams | Covered – must ensure lawful processing and notices |
| Hospital or Clinic | Patient records, prescriptions, diagnostic data | Treatment and insurance claims | Covered – sensitive health data, must apply strong safeguards |
| NGO or Charity | Beneficiary details, IDs, bank info for welfare distribution | Running welfare or aid programs | Covered – even if not commercial, data security still mandatory |

These entities must:

  • Obtain free and informed consent when collecting personal data (e.g., during admissions, registrations, or medical check-ins).
  • Clearly explain the purpose of collection (e.g., educational records, patient treatment, or aid distribution).
  • Process data only for legitimate purposes and not beyond stated needs.

Even if consent is implied for the core service (like education or healthcare), secondary use — e.g., sharing data with sponsors, vendors, or advertisers — still requires explicit consent.


Example

A private school collects student data for enrollment, grading, and parent communication — this is lawful and necessary.
But if the same school shares parent contact details with an external vendor to market tutoring apps, that would violate DPDPA’s purpose limitation and consent requirements.


4. Special Responsibilities for Sensitive Data

Hospitals and NGOs handling health or disability data must apply heightened safeguards under Section 8(5), including:

  • Secure storage and encryption of records
  • Strict access control
  • Breach reporting to the Data Protection Board of India and affected individuals

Because such data carries higher risk of harm, negligence in handling it can result in penalties up to ₹250 crore under Section 33.


5. Government & Regulatory Exemptions

Certain government-funded entities (like public hospitals or state schools) may receive limited exemptions under Section 17, but these apply only when performing functions under law — not for all data uses.
For example:

  • A government hospital maintaining health records for national programs may be exempt from certain consent provisions.
  • But if it uses that data for research or third-party sharing, full DPDPA rules apply again.

Example

An NGO collects beneficiary data (names, Aadhaar, and bank details) to distribute financial aid. If the data is later shared with another organization for analytics without explicit consent, it breaches DPDPA principles — even though the NGO is not-for-profit.


6. Compliance Simplified for Nonprofits

To comply effectively, NGOs, schools, and hospitals should:

  1. Publish a privacy notice explaining what data is collected and why.
  2. Limit data use strictly to the purpose for which it was collected.
  3. Maintain reasonable security safeguards (password protection, encryption, access logs).
  4. Report breaches to the Data Protection Board and affected individuals promptly.
  5. Erase or anonymize personal data once no longer required.

7. Key Takeaway

  • DPDPA applies to all entities processing personal data, regardless of profit status.
  • NGOs, schools, and hospitals must act as Data Fiduciaries and follow the same standards of transparency, security, and accountability.
  • Being not-for-profit does not exempt them from penalties for mishandling data.
  • The only limited relaxations may come through future Government rules or notifications, not by default.

Referenced Provisions:

  • Section 3(a) – Applicability to all digital personal data processed in India.
  • Section 7 – Lawful basis for processing (consent and legitimate use).
  • Section 8(5) – Security safeguards and breach reporting.
  • Section 17 – Limited government exemptions.
  • Section 33 – Penalties for non-compliance (up to ₹250 crore).