Government ministries and departments are unlikely to be classified as significant data fiduciaries (SDFs) under the Digital Personal Data Protection (DPDP) Act, signalling a lighter compliance framework for public authorities even as stricter obligations are expected to apply to large private-sector platforms, officials aware of the discussions said.
The indication emerged during a meeting convened on Wednesday by the Secretary, ministry of electronics and IT (MeitY), S Krishnan, with representatives from multiple ministries and government agencies to review the implementation of the data protection framework. Participants included officials from the ministries of home affairs, mines, heavy industries, and AYUSH, along with the department of posts, department of pharmaceuticals, the Defence Research and Development Organisation, and the department for promotion of industry and internal trade.
According to sources, the government does not, at this stage, intend to notify its ministries or departments under the SDF category despite the scale of personal data handled by these entities. Instead, the designation is expected to be applied primarily to large private-sector entities such as social media platforms, e-commerce marketplaces and technology service providers that process significant volumes of personal data.
Two-Tier Compliance
Under the Act, entities classified as SDFs are subject to additional compliance requirements, including the appointment of data protection officers, periodic data audits and the implementation of enhanced safeguards. The law allows the Centre to notify such entities based on factors such as the volume and sensitivity of data processed, risks to individuals’ rights and the potential impact on sovereignty and integrity.
Officials, however, indicated that the option of classifying government entities as SDFs remains open and could be exercised in specific cases if required.
NIC Dilemma
Discussions also touched on the allocation of responsibility for data handling within the government ecosystem. Officials from the National Informatics Centre indicated that the organisation functions largely as a data processor, managing infrastructure on behalf of ministries rather than determining the purpose and means of processing. As a result, accountability under the law is expected to rest with the concerned ministry or department acting as the data fiduciary.
Officials were also briefed on provisions in the Act that provide operational flexibility to the State. These include the ability to process personal data without fresh consent where it has been voluntarily provided, or where existing records are used for delivering subsidies, benefits, licences or certificates. Exemptions are also available in specific contexts such as legal proceedings, regulatory functions and law enforcement.
At the same time, officials emphasised that government entities are not outside the scope of the law and will be required to comply with its provisions except where exemptions apply.