Rule 5 of DPDP Rules

5.Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.


(1) The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds.
(2) Processing under this rule shall be done following the standards specified in Second Schedule.
(3) In this rule and Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued—
(a) under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;
(b) under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and
(c) using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to,—
(i) in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or
(ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.

Rule 6 →
DPDPA
Table of contents


Report error

Legal Interpretation: Processing Personal Data for Subsidies, Benefits, and Services

The provision governing the processing of personal data for delivering subsidies, benefits, services, certificates, licenses, or permits by the State and its instrumentalities plays a crucial role in ensuring efficient public service delivery while safeguarding individual rights under the Digital Personal Data Protection Act. Let’s delve into the details and their implications.

1. Processing for Public Welfare

Under this rule, the State and its instrumentalities are empowered to process the personal data of a Data Principal to provide essential services and entitlements. These include subsidies, benefits, certificates, licenses, and permits. The processing is authorized under Section 7(b) of the Act and applies to services:

  • Mandated by law.
  • Implemented as part of government policies.
  • Funded using public funds.

This provision reflects the balance between individual privacy rights and the government’s responsibility to efficiently deliver public welfare programs. It recognizes that some degree of personal data processing is unavoidable when the State fulfills its statutory and policy-driven obligations.

2. Compliance with Standards in the Second Schedule

The Act mandates that all data processing under this rule must adhere to the standards specified in the Second Schedule. While the exact standards are not detailed here, they likely emphasize:

  • Transparency: Ensuring individuals are informed about how their data is collected, processed, and used.
  • Proportionality: Limiting data collection and processing to what is strictly necessary for the specific purpose.
  • Security: Implementing robust safeguards to protect the data from breaches or unauthorized access.

By embedding these principles, the rule aligns public data processing with the broader ethos of data protection, ensuring it is conducted responsibly.

3. Interpreting "Under Law," "Under Policy," and "Using Public Funds"

To ensure clarity, the rule provides specific definitions for key terms, ensuring uniformity in their application:

  • Under Law: Any subsidy, benefit, service, certificate, license, or permit issued under a law in force refers to those actions undertaken by the State or its instrumentalities in the exercise of legal authority or statutory obligations. For example, processing personal data to issue a driving license under the Motor Vehicles Act would fall under this category.
  • Under Policy: This refers to entitlements provided under executive policies or instructions issued by the Central Government or State Governments. For instance, personal data processing to allocate benefits under a rural employment scheme designed by a State government policy would qualify here.
  • Using Public Funds: This category emphasizes that data processing for issuing subsidies, benefits, or services funded through public finances—such as the Consolidated Fund of India or respective State Funds—is included. It also applies to funds managed by local authorities. For example, a municipality providing property tax rebates funded through its revenues could process personal data under this provision.

4. Accountability and Safeguards

While the rule authorizes the processing of personal data for public services, it does not provide carte blanche to the State. Instead, it embeds accountability measures:

  • Purpose Limitation: Personal data can only be processed for the specific subsidy, benefit, or service outlined in the law or policy.
  • Transparency: Data Principals must be aware of how their data is being used and for what purposes.
  • Auditable Compliance: Standards in the Second Schedule likely include provisions for audits and reporting to ensure adherence to privacy norms.

These safeguards ensure that public interest objectives do not override individual privacy rights, reflecting a balanced approach.

5. Broader Implications for Data Protection

This provision reinforces the idea that the State has a dual role: a facilitator of public services and a custodian of personal data. While fulfilling its welfare responsibilities, the government is held to high standards of transparency, proportionality, and security. By embedding these principles into law, the rule aims to:

  • Build trust between citizens and the State.
  • Prevent overreach in the name of public service.
  • Align with international best practices, such as the principles outlined in the General Data Protection Regulation (GDPR).

Conclusion

The rules governing the processing of personal data for subsidies, benefits, and services reflect the delicate balancing act between public welfare and individual privacy. By ensuring compliance with clear standards, defining the scope of permissible actions, and embedding accountability mechanisms, the framework empowers the State to serve its citizens effectively while respecting their privacy rights. This thoughtful integration of public policy and data protection law sets a robust precedent for responsible governance in the digital age.

© 2024 Advocate (Dr.) Prashant Mali