How to protect your genetic data under the DPDP Act 2023
India’s genetic diversity is a goldmine for researchers. Learn how to control who sees your DNA data using the Digital Personal Data Protection Act 2023.
India’s genetic diversity is a goldmine for researchers. Learn how to control who sees your DNA data using the Digital Personal Data Protection Act 2023.
You’ve seen the Reddit threads or the Instagram reels: "Indian genetic diversity is insane." We aren’t just one big block of people; we are a mosaic of 4,500+ distinct groups with unique DNA markers shaped by thousands of years of history. Maybe you’re curious about your own ancestry and decide to ship a saliva sample to a trendy startup for a ₹10,000 "lineage report." Or perhaps you’ve had a genome sequence done at a private hospital to check for hereditary health risks.
Here is the reality: your DNA is the most personal data you will ever own. In a world where "data is the new oil," your specific genetic markers—especially if you belong to a community with rare traits—are a high-value asset for Big Pharma and global tech firms. If a company sells your genetic profile to an insurance firm or a foreign research lab without your clear "Yes," they aren't just being creepy; they are likely violating Indian law. You have the right to own your code.
For a long time, India’s genetic data sat in a legal grey zone. That changed with the Digital Personal Data Protection (DPDP) Act, 2023. Under this Act, your genetic information is classified as "Personal Data," and you are the "Data Principal." The entity collecting it—be it a diagnostic lab, a research institute, or a health app—is the "Data Fiduciary."
According to Section 6 of the DPDP Act 2023, any processing of your genetic data must be based on "free, specific, informed, unconditional, and unambiguous" consent. This means a lab cannot hide the fact that they are selling your data to a third party inside a 50-page Terms and Conditions document that no one reads. They must provide you with a notice in plain language (and in any of the 22 languages specified in the Eighth Schedule to the Constitution, if you prefer) explaining exactly what data is being collected and why.
You aren't locked in forever. Section 6(4) gives you the right to withdraw your consent at any time. If you decide you no longer want a genetic testing company to hold your DNA profile, you can tell them to stop. The law requires that the process of withdrawing consent must be as easy as the process of giving it.
Under Section 12(3) of the DPDP Act, you can demand that a lab delete your genetic data once the purpose for which it was collected (e.g., giving you a health report) is fulfilled, unless keeping it is required by another law.
Beyond your personal privacy, India protects its collective genetic heritage. Section 3 of the Biological Diversity Act, 2002 prohibits any person who is not a citizen of India, or a foreign corporation, from obtaining any "biological resource" or "knowledge associated thereto" occurring in India for research or commercial utilization without prior approval from the National Biodiversity Authority (NBA). This is a safeguard against "biopiracy"—where foreign entities profit from Indian genetic diversity without sharing the benefits.
If you suspect a government hospital or public institution is mishandling samples, you can File an RTI online to ask about their data-sharing agreements with private firms under Section 6(1) of the RTI Act 2005.
Protecting your genetic data isn't just about being paranoid; it's about digital hygiene. Here is how you exercise your rights under the DPDP Act 2023.
List every place that might have your genetic data. This includes:
Under Section 11 of the DPDP Act, you have the "Right to Access Information." Send an email to the Data Protection Officer (DPO) of the lab. Every major lab is now required to have one.
What to ask: "Under Section 11 of the DPDP Act 2023, I request a summary of the personal genetic data currently being processed by your organization, the identities of all third parties with whom this data has been shared, and the specific purpose of such sharing."
Timeline: The Act is still in the process of notifying specific timelines for responses via the DPDP Rules, but a reasonable period is 30 days. If they don't respond, it's a red flag.
If you find out they are using your DNA to "improve their AI models" or "conduct population studies" that you didn't specifically agree to, exercise your right under Section 6(4).
What to do: Send a formal notice (email is fine) stating: "I hereby withdraw my consent for any processing of my genetic data beyond the primary diagnostic purpose for which it was collected. Please confirm that all secondary processing has ceased."
If you no longer use a service, don't just delete the app. Delete the data. Under Section 12(3), you can request the erasure of your data.
What to bring: Your original customer ID or sample barcode. The Script: "As per Section 12(3) of the DPDP Act 2023, I request the permanent erasure of my genetic profile and the destruction of any physical biological samples (saliva/blood) stored by your facility. Please provide a certificate of destruction/erasure within 30 days."
If the lab refuses to delete your data or ignores your request, you can file a complaint with the Data Protection Board of India.
Expected Timeline: The Board is designed to be a digital-first adjudicator. Under Section 33, they have the power to levy massive penalties (up to ₹250 crore) on companies that fail to protect data or ignore Data Principal rights.
If your genetic data has been leaked online or hacked, this is also a criminal matter. You should immediately report it to the Cyber Crime reporting portal and consider if you need to How to file an FIR under Section 66 of the IT Act and relevant sections of the BNSS if identity theft is involved.
If you are a student or researcher and you see a private company collecting DNA samples from a specific tribal or endogamous community in your area, check if they have NBA clearance. You can email the NBA (at [email protected]) to verify if a specific project has been granted access to Indian biological resources under the Biological Diversity Act 2002. This is a major way to protect the "insane diversity" of your local community from exploitation.
To see more ways to protect your digital and physical rights, Browse all civic-action guides.
Even with a strong law like the DPDP Act 2023, the system isn't a "set it and forget it" machine. Here is where you will likely hit a wall and how to climb over it.
Labs often claim that once they strip your name from your DNA sequence, it is "anonymised" and no longer falls under the DPDP Act. They use this to sell your "de-identified" markers to pharma companies without asking you.
The Workaround: Genetic data is notoriously hard to truly anonymise because your DNA is your identity. Under Section 2(t) of the DPDP Act, if there is any way to re-identify you (by cross-referencing other databases), it is still Personal Data. If they refuse to delete it, ask them for a written guarantee that the data cannot be re-linked to you. If they can’t provide that, file a grievance with their Data Protection Officer (DPO).
Every "Significant Data Fiduciary" (large labs or tech firms) is required to appoint a Data Protection Officer. However, smaller diagnostic centres or "wellness" startups might not even have a contact email for privacy issues.
The Workaround: Check their website's footer for "Privacy Policy" or "Terms of Service." If there is no DPO listed, they are in violation of Section 10 of the DPDP Act. Send your request to their general support email and CC the Ministry of Electronics and Information Technology (MeitY) at [email protected] to create a paper trail.
If you gave your sample in 2021 (before the Act), a lab might tell you the DPDP Act doesn't apply to them.
The Workaround: This is incorrect. While the Act isn't fully retroactive for past actions, it applies to any current processing or storage of data. If they still have your data on their servers today, they must comply with your request for erasure under Section 12(3).
The Data Protection Board (the body that hears complaints) is still setting up its digital infrastructure. You might find the official complaint portal "under maintenance" or buggy.
The Workaround: Don't wait for the portal. Send a formal Registered Post AD (Acknowledgement Due) letter to the company’s head office. In the eyes of Indian courts, a physical receipt of a letter is much harder for a company to "ignore" than an email that "went to spam."
Subject: Exercise of Rights under Section 11 and 12 of the DPDP Act, 2023 – [Your Name/Customer ID]
Body: To the Data Protection Officer, [Company Name],
I am writing as a Data Principal regarding the genetic data collected from me on [Date] under the ID [Customer ID/Sample ID].
Under Section 11 of the Digital Personal Data Protection Act, 2023, I request a summary of the personal data currently being processed by you, the identities of all other Data Fiduciaries/Processors with whom my genetic data has been shared, and the specific purposes for such sharing.
Furthermore, under Section 12(3) of the Act, I hereby request the erasure of my genetic data and any derived profiles, as the purpose for which it was collected (the initial report) has been fulfilled.
Please confirm the completion of this request within 30 days. If you claim an exemption under the Act, please specify the exact Section.
Regards, [Your Name] [Your Phone Number]
Target: Public Information Officer (PIO) of the Hospital/Institute. Fee: ₹10 (via rtionline.gov.in).
Text: Regarding the genomic research/diagnostic samples collected by [Department Name] between 2024 and 2026:
You: "I want to speak to your Data Protection Officer regarding my DNA sample." Executive: "Sir/Ma'am, we don't have that. You can just delete the app." You: "Deleting the app doesn't delete my genetic sequence from your cloud. Under Section 12 of the DPDP Act 2023, I have a legal right to erasure. If you don't have a DPO, please give me the email of your Legal Head. I need a confirmation that my biological data has been wiped, not just my account."
No. As per the IRDAI (Insurance Regulatory and Development Authority of India) guidelines and the DPDP Act, insurers cannot force you to undergo genetic testing to buy a policy. However, if you have already done a test and the results show a pre-existing condition, you may be required to disclose it under the principle of "utmost good faith."
If they are collecting data from you while you are in India to offer you services here, the DPDP Act applies to them regardless of where their head office is (Section 3(b)). If they refuse to comply, you can report them to the Indian Data Protection Board, which has the power to block their services in India.
Under Schedule 1 of the DPDP Act 2023, a Data Fiduciary can be fined up to ₹250 crore for failing to take reasonable security safeguards to prevent a data breach. This is why labs are now legally terrified of "leaks."
Under the DPDP Act, you don't get "paid" for your privacy, but under the Biological Diversity Act, 2002, if your genetic material is used for commercial research, there is a "Fair and Equitable Benefit Sharing" (FEBS) requirement. This usually goes to the National Biodiversity Fund, but you can challenge the lack of transparency via the National Biodiversity Authority (NBA).
Section 7 of the DPDP Act allows the government to process data for "certain legitimate uses," such as national security or during a medical emergency (like a pandemic). However, for routine research, even government labs are expected to follow the informed consent protocols laid down by the Indian Council of Medical Research (ICMR).
Under Section 12(3), you can ask for a "Certificate of Erasure." While most companies will just send an email, a formal confirmation is your legal shield if your data ever shows up in a future leak or a public database.
No. As per the **IRDAI (Insurance Regulatory and Development Authority of India)** guidelines and the DPDP Act, insurers cannot force you to undergo genetic testing to buy a policy. However, if you have *already* done a test and the results show a pre-existing condition, you may be required to disclose it under the principle of "utmost good faith."
If they are collecting data from you while you are in India to offer you services here, the DPDP Act applies to them regardless of where their head office is (Section 3(b)). If they refuse to comply, you can report them to the Indian Data Protection Board, which has the power to block their services in India.
Under Schedule 1 of the DPDP Act 2023, a Data Fiduciary can be fined up to **₹250 crore** for failing to take reasonable security safeguards to prevent a data breach. This is why labs are now legally terrified of "leaks."
Under the DPDP Act, you don't get "paid" for your privacy, but under the **Biological Diversity Act, 2002**, if your genetic material is used for commercial research, there is a "Fair and Equitable Benefit Sharing" (FEBS) requirement. This usually goes to the National Biodiversity Fund, but you can challenge the lack of transparency via the National Biodiversity Authority (NBA).
Section 7 of the DPDP Act allows the government to process data for "certain legitimate uses," such as national security or during a medical emergency (like a pandemic). However, for routine research, even government labs are expected to follow the informed consent protocols laid down by the **Indian Council of Medical Research (ICMR)**.
RTI templates, FIR scripts, real escalation ladders — the same kind of thing you just read. Sundays only. No spam.
We don't share your email. Unsubscribe any time.
Stop refreshing clunky government websites. Learn how to use official Telegram channels and bots like the Gauhati High Court's for real-time legal updates and cause lists.
Skip the travel and attend your court hearing online. Learn how to use the video conferencing facilities provided by Indian courts and the Gauhati High Court's tutorials.
Struggling with poor mobile data in court? Learn how to register your device for high-speed Wi-Fi at the Gauhati High Court using the official GHC advocate portal.
Ever wondered if you can enter the Gauhati High Court? Learn how to attend the 77th Republic Day ceremony and use judicial transparency tools to track Assam's legal system.