Draft Data Protection Rules Focus on Safeguarding Children's and Disabled Persons' Data
The draft Digital Personal Data Protection Rules-2025 (DPDPR-2025) introduce new guidelines to ensure the protection of personal data belonging to children and persons with disabilities. These rules emphasize the importance of obtaining verifiable consent from parents or legal guardians before processing such sensitive information.
Under the rules, a “Data Fiduciary” is required to implement measures to confirm that the individual providing consent for a child’s data processing is indeed the child’s parent or legal guardian. The rules also stress that this individual must be properly identified.
To verify that the parent or guardian is an adult, the Data Fiduciary must use reliable identity details or a virtual token linked to such details. This ensures that only responsible adults, as defined by law, can provide consent for handling the data.
Exemptions for Specific Activities
The draft rules outline certain exemptions for processing children’s personal data. These exemptions, detailed in Section 9 of the Act, apply to specific types of Data Fiduciaries, such as healthcare professionals, educational institutions, and childcare providers. These entities are allowed to process children’s data for specific purposes, such as offering health services, conducting educational activities, monitoring safety, and tracking transportation.
Importantly, any data processing under these exemptions must be strictly necessary for the child’s well-being and safety. The law provides clear guidelines to ensure that such processing remains within a defined and limited scope.
Defined Purposes and Conditions
The Act divides exemptions into two parts: Part A and Part B of the schedule. Part B specifies the purposes for which data processing exemptions apply. These include fulfilling legal duties, providing subsidies or benefits to children, creating user accounts for communication, or ensuring children do not access harmful information.
For these purposes, the processing of data is restricted to what is absolutely necessary to carry out the function, service, or duty. The Act places a strong emphasis on protecting the child’s best interests in all cases.
Balancing Safety and Privacy
The provisions also recognize that certain activities, such as verifying the age of a data subject, fall under these exemptions as long as the processing is limited to what is necessary. By doing so, the rules aim to balance the safeguarding of children’s personal data with the need to carry out essential activities related to their health, education, and safety.
In summary, the draft rules aim to protect vulnerable groups while ensuring that critical services for children and persons with disabilities can continue to function within a secure and well-defined framework.
