checkDPDP

Industry guide · #2 most exposed · Critical risk

DPDP Act for Diagnostic Labs & Pathology Chains in India

National diagnostic labs, pathology chains, radiology networks, home-collection platforms and aggregator marketplaces (think OncQuest, Dr Lal PathLabs, Metropolis, Thyrocare, SRL, Agilus, Redcliffe) sit at the intersection of health data, financial data, Aadhaar-linked KYC and insurance claim flows. A single LIS / HIS / mobile-app misconfiguration here cascades into Section 8 (₹250 cr), Section 9 (₹200 cr for paediatric / POCSO records), MCI Regulations 2002, NDPS Act 1985 and ABDM all at once.

Penalty exposure cap

₹250 cr

Section 8(5) security failure caps at ₹250 cr; a paediatric data breach stacks Section 9 (₹200 cr) plus POCSO criminal liability. Add MCI / NDPS retention non-compliance and you are running a three-front response.

Realistic effort

180–440 hrs (10–22 weeks calendar)

India-resident DPO + Medical Records Officer + InfoSec + Legal + IT (LIS/HIS owner)

Annual budget

₹10–40 lakh / yr for tooling, DPO, independent audit & DPIA

Tooling + DPO retainer + audit

Sector regulators

MoH&FW · MCI / NMC · CDSCO · IRDAI (claims) · NHA / ABDM · CERT-In

Stack on top of DPDP — comply with both

Why this industry

How DPDP hits Diagnostic Labs & Pathology Chains differently

Diagnostic chains process the highest-volume + highest-sensitivity overlap in Indian healthcare — lab reports, imaging, prescriptions, billing, Aadhaar, insurance and corporate-wellness PII flow through the same LIS/HIS stack. Statutory retention obligations (MCI 3 years, NDPS 2 years, POCSO 23(2) restrictions) directly conflict with the DPDP Section 8(7) erasure obligation, and MeitY has signalled diagnostics as a leading SDF candidate.

What you must do

Specific DPDP obligations for this sector

Section 5 + Section 6

Granular consent per purpose — testing vs research vs marketing

One bundled "I agree" at registration does not cover research, anonymised studies or partner sharing. Each purpose needs its own captured consent under Section 6 with a withdraw path under Section 6(4).

Section 9 + POCSO

Verifiable parental consent for paediatric tests

Under-18 sample collection (paediatric oncology, school screenings) triggers verifiable parental consent. POCSO Section 23(2) adds a disclosure ban for offence victims — heightened protection beyond Section 9.
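The two obligations above (per-purpose consent with a withdrawal path, and a verifiable parental handshake before any processing of a minor's sample) map naturally onto an append-only consent ledger. The following is an added Python illustration written for this page; it is not checkDPDP's code and not any LIS vendor's API. The purpose names, the set of accepted verification methods and the patient records are constructed for the example.

```python
"""Per-purpose consent ledger for a lab registration flow.

Added illustration, not checkDPDP's code or any LIS vendor's API. Purpose
names, accepted verification methods and the patient data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Each purpose needs its own captured consent; a bundled "I agree" covers none of them.
PURPOSES = {"testing", "research", "marketing", "partner_sharing"}

# Evidence accepted as verifiable parental consent (assumed set; a plain checkbox is not in it).
VERIFIABLE_METHODS = {"digilocker", "payment", "otp"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool            # True = consent given, False = consent withdrawn
    at: datetime
    given_by: str            # "patient" or "parent"
    method: Optional[str]    # verification method when a parent consents for a minor


@dataclass
class Patient:
    patient_id: str
    age: int
    events: List[ConsentEvent] = field(default_factory=list)

    def grant(self, purpose: str, given_by: str = "patient",
              method: Optional[str] = None, at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        # Age gate: a minor's consent only counts when a parent gives it through a
        # verifiable handshake, never through a self-declared checkbox.
        if self.age < 18 and (given_by != "parent" or method not in VERIFIABLE_METHODS):
            raise ValueError("minor: verifiable parental consent required")
        self.events.append(ConsentEvent(purpose, True, at or datetime.now(timezone.utc),
                                        given_by, method))

    def withdraw(self, purpose: str, at: Optional[datetime] = None) -> None:
        # Withdrawal is one call, as easy as granting; the ledger is append-only
        # so the original grant survives as evidence of what was consented to.
        self.events.append(ConsentEvent(purpose, False, at or datetime.now(timezone.utc),
                                        "patient", None))

    def has_consent(self, purpose: str) -> bool:
        # The most recent event for the purpose decides; no event means no consent.
        latest = None
        for ev in self.events:
            if ev.purpose == purpose and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted


def may_process(patient: Patient, purpose: str):
    """Gate every processing activity on the specific purpose, not on registration."""
    if purpose not in PURPOSES:
        return False, f"unknown purpose '{purpose}'"
    if patient.has_consent(purpose):
        return True, f"active consent for '{purpose}'"
    return False, f"no active consent for '{purpose}'"


if __name__ == "__main__":
    adult = Patient("P-0001", age=34)
    adult.grant("testing")
    print(may_process(adult, "testing"))    # allowed
    print(may_process(adult, "research"))   # refused: testing consent does not cover research
```

The gate in `may_process` is the piece to wire into the LIS: a research export or marketing job calls it with its own purpose and is refused when only the testing consent exists, and a withdrawal flips the answer without touching the historical grant.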

Section 8(7) + MCI Reg 1.3.2 + NDPS

Statutory retention override for MCI / NDPS records

MCI Regulations 2002 require 3-year minimum retention from last visit; NDPS Act 1985 needs 2 years for Schedule H/X prescriptions. DPDP erasure cannot override these — refusal must cite the specific regulation.

Section 16 + ABDM Policy

India residency for ABHA-linked records

Once you integrate with Ayushman Bharat Digital Mission, ABDM mandates India residency for health records — DPDP is silent, ABDM is not.

Rule 7(1)-(2)

72-hour breach notification (DPB) + 6-hour CERT-In

Phase-1 notification "without delay" to DPB, Phase-2 detailed report within 72 hours covering Rule 7(2)(a)-(e). Stacks on top of the CERT-In 6-hour window for any cyber incident.

Section 10 + Rule 13

DPO + independent annual audit (if designated SDF)

India-resident DPO reporting directly to the Board; independent annual audit; DPIA within 12 months of designation. National chains processing tens of millions of patients should plan as if designated.

Rule 8(3) + Seventh Schedule

1-year processing log retention via DPA

Diagnostic labs and every downstream processor (cloud, telecom, billing, courier) must retain processing and traffic logs for at least 12 months — flow down via the DPA.

What to ship

Minimum control set + realistic time to land each

Effort estimates assume an in-house engineer + an external CMP/DPO partner where indicated. Cumulative time gets you to a defensible posture; full SDF maturity adds 1–2 quarters on top.

  1. Purpose register mapping every LIS / HIS / mobile-app processing activity to Section 4 lawful basis
     2–3 weeks · Prerequisites checklist

  2. Itemised privacy notice covering testing + research + ABDM + marketing
     1 week · Notice template

  3. Granular consent UI for patient registration (OPD + home-collection + telemedicine)
     2–3 weeks engineering · Banner builder

  4. Age-gate + verifiable parental consent for paediatric samples
     2–4 weeks engineering + DigiLocker / payment handshake

  5. Retention schedule per record type (lab / imaging / billing / consent) with MCI + NDPS overrides
     1–2 weeks clinical + legal

  6. Vendor inventory + DPAs for every processor (cloud, courier, billing, KYC, ABDM gateway)
     3–4 weeks legal + ops

  7. Section 8 security baseline — AES-256 at rest, TLS 1.2+ in transit, RBAC, MFA, SIEM
     4–8 weeks engineering

  8. Two-phase breach playbook — DPB Phase-1 + 72-hour Phase-2 + CERT-In 6-hour + ABDM notification
     2 weeks · Breach template

  9. Independent DPIA + annual audit (if SDF likely)
     6–10 weeks empanelled auditor · SDF guide

  10. Gap analysis across the 10 DPDP categories (lawful basis, security, children, SDF, rights, cross-border, governance, vendor, breach, sector-specific)
      4–6 weeks · Gap analysis

What goes wrong

Real-world enforcement scenarios

Misconfigured S3 bucket exposes lab reports + Aadhaar copies of 5 lakh patients

Section 8(5) ₹250 cr cap + Section 9 if minors affected + CERT-In + ABDM + MCI / NMC scrutiny. Realistic exposure crosses ₹100 cr.
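The exposure in this scenario is usually a bucket policy that grants read access to `Principal: "*"` on a bucket whose Public Access Block is off. The following is an added Python check written for this page, not checkDPDP's tooling: it evaluates an exported bucket policy document and the bucket's Public Access Block settings offline, so it can run in a review pipeline without AWS credentials. The policy, the settings and the bucket name below are constructed placeholders.

```python
"""Offline check for the kind of S3 exposure described above.

Added example, not checkDPDP's tooling. It evaluates a bucket policy document
and Public Access Block settings that a reviewer has already exported; the
policy, the settings and the bucket name are constructed placeholders.
"""
import json
from typing import Dict, List, Tuple

# Actions whose grant to everyone lets anyone fetch or enumerate stored objects.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:*", "*"}

# The four S3 Public Access Block flags; all four should be on for a bucket holding PHI.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """'*' or {'AWS': '*'} means any AWS account or an anonymous caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> List[Tuple[str, str]]:
    """Return (statement id, severity) for Allow statements granting read access to everyone.

    Severity is 'public' when nothing limits the grant and 'review' when a
    Condition block is present, because a condition may narrow the grant and
    a human has to read it.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        if not set(_as_list(st.get("Action", []))) & READ_ACTIONS:
            continue
        sid = st.get("Sid", f"statement[{i}]")
        findings.append((sid, "review" if st.get("Condition") else "public"))
    return findings


def public_access_block_gaps(settings: Dict[str, bool]) -> List[str]:
    """Return the Public Access Block flags that are missing or switched off."""
    return [flag for flag in PAB_FLAGS if not settings.get(flag, False)]


def assess_bucket(policy_json: str, pab_settings: Dict[str, bool]) -> Dict[str, object]:
    """Combine both checks into one verdict for the bucket."""
    statements = public_read_statements(policy_json)
    gaps = public_access_block_gaps(pab_settings)
    # RestrictPublicBuckets is the flag that neutralises an already-attached public
    # policy (BlockPublicPolicy only rejects new ones), so the bucket is reachable by
    # anyone exactly when an unconditional public statement exists and that flag is off.
    exposed = any(sev == "public" for _, sev in statements) and "RestrictPublicBuckets" in gaps
    return {"public_statements": statements, "pab_gaps": gaps, "exposed": exposed}


# Constructed sample: a report bucket with one world-readable statement and a
# Public Access Block that only covers ACLs. Account id and role name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReportDownload", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::EXAMPLE-lab-reports-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/EXAMPLE-lis-app"},
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::EXAMPLE-lab-reports-bucket/*"},
    ],
})
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(assess_bucket(SAMPLE_POLICY, SAMPLE_PAB))
```

Run it against every bucket policy in the estate as part of the Section 8 baseline review; any `exposed: True` result on a bucket holding reports, images or KYC copies is the scenario above waiting to happen, and fixing it is a matter of turning on all four flags and removing the `Principal: "*"` statement.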

Patient asks for erasure of a 2-year-old test record

MCI Reg 1.3.2 mandates 3-year retention from last visit. Refusal must cite the regulation and explain the override in writing within 90 days.

Paediatric oncology test result emailed to wrong guardian

Section 9 + POCSO disclosure breach + Section 8(5). Notify DPB Phase-1 immediately, file Phase-2 within 72 hours, notify guardians, escalate to head of clinical operations.

NDPS Schedule X prescription record deleted after 18 months

NDPS Act non-compliance — separate offence from DPDP. Restore from backup, re-apply NDPS 2-year override, update retention configuration.

Close these first

The three highest-impact gaps for this sector

  1. No purpose register mapping every LIS/HIS process to Section 4 lawful basis
     Open the 62-item prerequisites checklist and complete the Data Inventory category first — it unlocks every other category.

  2. Statutory retention conflicts (MCI / NDPS) not documented
     Build the override register before any DPDP erasure SOP is written. Document the specific regulation per record category.

  3. Verifiable parental consent for paediatric samples is a checkbox
     Replace with DigiLocker / payment / OTP handshake — Section 9 is the second-highest penalty band after Section 8.

  4. Two-phase breach playbook not aligned with CERT-In 6-hour + ABDM windows
     Single incident commander, three notifications (DPB Phase-1, CERT-In, ABDM) — drill annually.

Diagnostics / Pathology · FAQ

Sector-specific questions, answered

Do diagnostic labs need an India-resident DPO under DPDP?

Mandatory only if designated SDF, but any national chain processing more than a few million patients should plan as if designated. The DPO must be an individual (not outsourced to a firm) and must report directly to the Board under Rule 13.

How does MCI / NDPS retention override DPDP erasure?

MCI Regulations 2002 mandate a 3-year minimum retention of patient records from last visit; NDPS Act 1985 mandates 2 years for Schedule H/X prescriptions. DPDP Section 8(7) allows retention where another law mandates it — the refusal of an erasure request must cite the specific regulation in writing.
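The override register described under "Statutory retention override for MCI / NDPS records", the retention-schedule step in the control set, the two erasure scenarios above and this FAQ answer all reduce to the same decision: given a record type and its dates, is erasure allowed today, and if not, which regulation does the written refusal cite and until when? The following is an added Python example written for this page, not checkDPDP's code. The retention periods, citations and the 90-day written response are the ones stated on this page; the record-type names, the choice of the prescription date as the NDPS clock start, the treatment of billing and consent records as having no statutory override, and the sample records are assumptions.

```python
"""Erasure-request evaluator with statutory retention overrides.

Added example, not checkDPDP's code. Retention periods and citations are the
ones stated on this page (MCI 3 years from last visit, NDPS 2 years for
Schedule H/X prescriptions, written reply within 90 days). Record-type names,
the NDPS clock start, the "no override" types and the sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Obligation:
    citation: str      # regulation quoted verbatim in the written refusal
    years: int
    clock_from: str    # Record field that starts the retention clock


MCI = Obligation("MCI Regulations 2002, Reg 1.3.2: 3 years from last visit", 3, "last_visit")
NDPS = Obligation("NDPS Act 1985: 2 years for Schedule H/X prescriptions", 2, "prescribed_on")

# Retention schedule per record type. An empty list means no statutory override is
# named on the page for that type, so the DPDP erasure obligation applies (assumption).
SCHEDULE: Dict[str, List[Obligation]] = {
    "lab_report": [MCI],
    "imaging": [MCI],
    "prescription_schedule_hx": [NDPS],
    "billing": [],
    "consent": [],
}

RESPONSE_WINDOW_DAYS = 90   # written reply to the data principal, per the scenario above


@dataclass
class Record:
    record_id: str
    record_type: str
    last_visit: Optional[date] = None
    prescribed_on: Optional[date] = None


def add_years(d: date, years: int) -> date:
    """Add calendar years, folding 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: Record) -> Optional[Tuple[date, str]]:
    """Latest date any applicable obligation requires the record to be kept, with its citation."""
    if record.record_type not in SCHEDULE:
        raise ValueError(f"no retention schedule for record type '{record.record_type}'")
    deadlines = []
    for ob in SCHEDULE[record.record_type]:
        start = getattr(record, ob.clock_from)
        if start is None:
            # Refuse to guess: a missing clock date must be resolved, not defaulted.
            raise ValueError(f"{record.record_id}: '{ob.clock_from}' is needed to apply {ob.citation}")
        deadlines.append((add_years(start, ob.years), ob.citation))
    # When several obligations apply, the longest one wins.
    return max(deadlines) if deadlines else None


def evaluate_erasure(record: Record, requested_on: date) -> Dict[str, object]:
    """Decide an erasure request: erase now, or refuse citing the regulation and the retain-until date."""
    deadline = retention_deadline(record)
    response_due = requested_on + timedelta(days=RESPONSE_WINDOW_DAYS)
    if deadline is None or deadline[0] <= requested_on:
        return {"record_id": record.record_id, "decision": "erase",
                "retain_until": None, "citation": None, "response_due": response_due}
    until, citation = deadline
    return {"record_id": record.record_id, "decision": "refuse",
            "retain_until": until, "citation": citation, "response_due": response_due}


if __name__ == "__main__":
    # The two scenarios from this page, with constructed dates.
    two_year_old_test = Record("LR-0001", "lab_report", last_visit=date(2022, 3, 1))
    print(evaluate_erasure(two_year_old_test, date(2024, 3, 1)))      # refuse, MCI, until 2025-03-01
    rx = Record("RX-0001", "prescription_schedule_hx", prescribed_on=date(2023, 1, 10))
    print(evaluate_erasure(rx, date(2024, 7, 10)))                    # refuse, NDPS, until 2025-01-10
```

The same `retention_deadline` call belongs in the scheduled purge job as well as in the erasure SOP: the NDPS scenario above (a Schedule X record deleted at 18 months) is what happens when the purge job has its own retention table instead of sharing the override register with the rights-handling path.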

Is ABDM integration enough to satisfy DPDP consent?

No. ABDM has its own consent artefact for each share event, but DPDP Section 5 still requires the itemised notice (purposes, categories, rights, grievance officer) and Section 6 still requires withdrawal as easy as giving consent. Align both — do not collapse them.

What is the minimum Section 8 security baseline for a diagnostic lab?

AES-256 at rest, TLS 1.2+ in transit, RBAC + MFA for privileged access, SIEM-grade monitoring with anomaly alerts, 12-month processing log retention, annual VAPT, and a two-phase breach playbook covering DPB + CERT-In + ABDM. Most ISO 27001 / ISO 27799 certified labs are already 70 % of the way there.

How does POCSO interact with DPDP for paediatric records?

POCSO Section 23(2) prohibits disclosure of a child victim's identity — this is a criminal-law restriction that runs alongside DPDP Section 9. Even with valid parental consent under DPDP, POCSO disclosure restrictions still apply for offence-related records.