DPDP Rules carve out key exemptions for healthcare providers, schools and childcare services processing children’s data
Healthcare providers, schools and childcare services get operational relief under DPDP Rules, with exemptions tied strictly to child safety and medical necessity.
ADVERTISEMENT
The Centre has issued detailed rules under the Digital Personal Data Protection Act, 2023, outlining significant exemptions for entities handling children’s personal data, particularly healthcare providers, educational institutions and childcare services.
According to the Fourth Schedule of the DPDP Rules, 2025, provisions of Section 9(1) and 9(3), which govern parental consent and restrictions on processing children’s data, will not apply to specific classes of Data Fiduciaries, provided the processing is strictly limited to child safety and health requirements.
Healthcare Exemptions:
Clinical establishments, mental health institutions, healthcare professionals and allied health practitioners are allowed to process children’s personal data without adhering to the full consent framework, but only to the extent necessary for delivering medical care or supporting treatment plans. The exemption is tightly scoped to “protection of the child’s health” and does not permit any secondary use.
Education & Child Safety Exemptions:
Schools and educational institutions are permitted to process children’s data for academic activities, tracking and behavioural monitoring, as well as for ensuring the safety of enrolled students. Similarly, crèche and daycare operators, and even transport providers engaged by such institutions, are allowed to track and monitor children strictly for safety during school hours and commute.
"A Data Fiduciary who is engaged by an educational institution, crèche or child care centre for transport of children enrolled with such institution, crèche or centre. Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche or centre," it said.
These exemptions aim to prevent administrative bottlenecks in essential services while ensuring that processing remains limited, purpose-specific and safety-driven.
The broader DPDP Rules also outline stringent obligations for Consent Managers, standards for State data processing, and retention norms for large e-commerce, gaming and social media intermediaries.
However, the child-data carve-outs stand out as some of the most significant relaxations in the regulatory framework, intended to balance data protection with operational practicality across healthcare and education sectors.
