DPDPA applies exclusively to digital personal data. Understanding what constitutes personal data, when data becomes identifiable, and the digital limitation is fundamental to determining compliance obligations. This article examines the definitional framework and its practical implications.
The Identifiability Test
Section 2(t) defines personal data as data about an individual who is identifiable by or in relation to such data. Identifiability includes direct identification through a name or ID number, and indirect identification through combination with other available information. The test is objective: the question is whether anyone could reasonably identify the individual, not whether the controller intends identification.
Key Points
- Direct identification
- Indirect identification through combination
- Objective identifiability test
- Available information consideration
Digital Limitation
DPDPA applies only to digital personal data, explicitly excluding paper records and offline data. Section 2(n) defines digital personal data as personal data in digital form. This includes data collected digitally and data digitised from physical records. Pure paper-based processing remains outside DPDPA scope, though IT Act provisions may apply.
Examples and Boundaries
Clear personal data examples: name, email, phone number, Aadhaar, PAN, IP address, device ID, location data, biometric data, and photographs. Boundary cases requiring analysis: anonymised data sets, pseudonymised data with re-identification risk, and aggregated statistics. Context determines whether data qualifies as personal.
Key Points
- Names and identifiers
- Contact information
- Biometric and location data
- Pseudonymised data may qualify
Anonymisation Considerations
Truly anonymised data, where re-identification is impossible, falls outside the scope of personal data. However, pseudonymisation that retains the capability to re-identify does not remove DPDPA applicability. Organisations must assess re-identification risk considering available technology, the cost of re-identification, and data combination possibilities.
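One way to measure the "data combination" part of that assessment is a k-anonymity check over quasi-identifiers. This is an added example, not part of the original article and not a test prescribed by the Act; the metric, the field names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample of a "pseudonymised" export: the direct identifier is
# replaced by a token, but quasi-identifiers are left in place.
RECORDS = [
    {"token": "u01", "pincode": "560001", "birth_year": 1988, "gender": "F"},
    {"token": "u02", "pincode": "560001", "birth_year": 1988, "gender": "F"},
    {"token": "u03", "pincode": "560001", "birth_year": 1991, "gender": "M"},
    {"token": "u04", "pincode": "560034", "birth_year": 1991, "gender": "M"},
    {"token": "u05", "pincode": "560034", "birth_year": 1985, "gender": "F"},
    {"token": "u06", "pincode": "560001", "birth_year": 1985, "gender": "F"},
    {"token": "u07", "pincode": "560034", "birth_year": 1993, "gender": "M"},
]
QUASI_IDENTIFIERS = ["pincode", "birth_year", "gender"]  # assumed columns

def _key(record, columns):
    return tuple(record[c] for c in columns)

def equivalence_classes(records, columns):
    """Count how many records share each combination of column values."""
    return Counter(_key(r, columns) for r in records)

def k_anonymity(records, columns):
    """Smallest group size; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0

def unique_records(records, columns):
    """Tokens of records singled out by the combination of columns."""
    classes = equivalence_classes(records, columns)
    return [r["token"] for r in records if classes[_key(r, columns)] == 1]

def generalise(record):
    """Coarsen values: 3-digit pincode prefix, birth year rounded to decade."""
    out = dict(record)
    out["pincode"] = record["pincode"][:3] + "XXX"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out

if __name__ == "__main__":
    # Each column alone looks safe; the combination singles people out.
    for cols in (["pincode"], ["gender"], QUASI_IDENTIFIERS):
        print(cols, "k =", k_anonymity(RECORDS, cols))
    print("unique on combination:", unique_records(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in RECORDS]
    print("after generalisation k =", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

A low k on the combined columns indicates the data set still supports indirect identification when joined with other available information; a higher k reduces that risk but does not by itself establish that data is anonymised.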
Key Takeaways
- Audit data assets for personal data identification
- Apply identifiability test comprehensively
- Document digital vs non-digital data classification
- Assess anonymisation effectiveness rigorously
- Update classification as technology evolves
