Digital Personal Data Protection Act, 2023

OVERVIEW AND LEGISLATIVE CONTEXT

1. Lawfulness, fairness and transparency – essentially, the data collected should be done so in a manner that has legal backing (like with the consent of the owner of the data ("data principal")), when the processing of such data is not detrimental to the interest of the data principal and while ensuring that the data principal knows what data is being collected, and what exactly it is being used for.

2. Purpose Limitation – this means that the data collected must be used only for the purpose it has been collected for. Often, this is read with the principle of "informed consent" – i.e., validity of the consent only extends to the amount of information that has been given to the data principal on the basis of which consent to collect/process data has been granted.

3. Data Minimisation – this principle is read alongside the principal of "fairness." Put simply, it means that the amount of data collected for the fulfilment of a specific purpose should be limited to the minimum amount of data necessary for such purpose. For instance, a courier service would require the details of sender and receiver, as well as the address, and perhaps the account details for payment. It need not collect information such as past medical history, or any data unrelated to the service being provided.

4. Accuracy – whereas not applicable universally, ensuring that whatever data is processed is accurate has been recognized as a best practice under the GDPR. Take for instance a medical professional – if the data collected and processed is inaccurate, the diagnosis (or prognosis itself) may be inaccurate, leading to potential health issues in the patient/data principal.

5. Storage Limitation – in very simple terms, this means two things: (1) that the data stored should be limited strictly to the data necessarily required for the purposes of processing, and; (2) once the data has been processed, and there is no further use of it with respect to the purpose for which it has been collected, the data should be erased. This is often read with the principles of data minimisation and purpose limitation.

6. Integrity and Confidentiality – integrity means ensuring that personal data remains accurate and protected from unauthorized alterations – i.e., safeguarding your systems against tampering or hacking. Confidentiality means ensuring that only authorized individuals or entities have access to and process personal data.

7. Accountability – summarily, this principle relates to taking responsibility for personal data processing. Under the Digital Personal Data Protection Act, 2023 (DPDPA), this means that the Data Fiduciary (and where applicable, the Data Processor) must be accountable for processing personal data in compliance with the provisions of the Act. Taking responsibility under the DPDPA is not just about following the law—it also requires being able to demonstrate that such compliance is actively being maintained.