DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries

DPDPA Rule 23: Government Requests for Information from Data Fiduciaries and Intermediaries

Handling a notice under DPDP Act Rule 23 requires strict confidentiality. Discover how to respond to government data requests and ensure full compliance.

Sahil Pugalia

Written by

Sahil Pugalia

Date

Read time

6 min

A government data request is not a customer support ticket. You cannot put it in the backlog, you cannot ask for a deadline extension on a whim, and under DPDP Act Rule 23, you often cannot even tell anyone you received it.

Rule 23 sets out exactly how the Central Government can require information from a Data Fiduciary or an intermediary for purposes under the Digital Personal Data Protection Act. It also creates a strict confidentiality regime for sensitive matters involving the sovereignty, integrity, or security of the State.

The rule itself is short. The operational impact is massive. If you receive a notice, figuring out how to respond to government data requests on the fly is a guaranteed way to fail. You need a clear, defensible, and rapid response process already in place.

What Rule 23 Authorizes

In plain terms, this is a statutory power to call for information. It is not an invitation, and compliance is not optional.

However, the scope of this power is not open-ended.

  • The Central Government may require any Data Fiduciary or intermediary to furnish information strictly for the purposes of the Act that are listed in the Seventh Schedule.
  • The request must be issued through the authorised person specified in that same Schedule.
  • The addressee must furnish the information within the specific period stated in the notice.

The rule also imports the meaning of “intermediary” directly from the Information Technology Act, 2000. If you operate as an intermediary, you must evaluate your status against that statute, because Rule 23 uses that definition without a single change.

The Confidentiality Requirement in Sensitive Matters

The loudest part of Rule 23 is the silence it enforces.

If disclosing the fact that you furnished information is likely to prejudicially affect the sovereignty and integrity of India or the security of the State, the Central Government may direct you not to disclose that you furnished anything at all. This non-disclosure applies to the affected Data Principal and to any other person.

There is exactly one exception: you may disclose that you furnished information only if you have prior written permission from the authorised person.

Illustration of a person holding a document with a padlock, representing data privacy and security.

The takeaway is absolute. If the notice includes a non-disclosure direction of this kind, treat the existence of the request and your response as highly confidential. Do not notify the Data Principal. Do not inform third parties. Do not make public statements. If you believe disclosure is necessary, seek prior written permission from the authorised person first.

Scope and Boundaries You Should Recognize

Before you hand over data, you need to verify the boundaries of the request.

  • Covered entities. The rule applies to any Data Fiduciary and any intermediary. It does not list other categories.
  • Source of authority. Only the authorised person specified in the Seventh Schedule can issue valid requests. Treat requests from any other source as deficient until verified.
  • Purpose limitation. Requests must be for purposes under the Act that are specified in the Seventh Schedule. If a request cites a purpose outside that scope, ask for clarification or correction.
  • Timelines. You must comply within the period set in the notice. The rule does not define a comfortable default period. The clock starts ticking the moment you receive a valid request.
  • Confidentiality trigger. The non-disclosure direction is not automatic. It applies where disclosure is likely to prejudicially affect sovereignty, integrity, or security, and where the Government explicitly requires non-disclosure. If that direction is present, it binds you.

The rule does not spell out formats, transport mechanisms, or the precise categories of information. Expect the notice itself to specify what is needed and by when.

What This Means for Your Operations

You need a disciplined intake and response process for government data request compliance. Treat these as time-bound obligations with heavy audit exposure. The practical steps below turn the rule’s abstract requirements into operational execution.

1) Intake and verification

  • Log the request immediately on receipt. Capture the date, sender, contact details, notice reference, and the deadline.
  • Verify identity and authority. Confirm the signatory matches an authorised person in the Seventh Schedule. If it is unclear, request proof or contact validation.
  • Confirm the cited purpose is one listed in the Seventh Schedule. Ask for clarification if the purpose is ambiguous or outside the legal scope.

2) Scoping and planning

  • Parse the information requested. Break it down into discrete data elements, time ranges, and specific systems.
  • Identify data owners and systems of record. Assign tasks with internal deadlines that track backward from the notice’s final deadline.
  • Apply internal legal review. Confirm that the request fits Rule 23. Document any pushback or queries sent to the authorised person.

3) Collection and preparation

  • Retrieve only the information requested. Do not over-collect. Over-delivering is not a virtue here.
  • Apply integrity controls. Use checksums or audit trails to preserve evidential value if needed.
  • Redact only if the notice allows it or if you have obtained written agreement. Otherwise, furnish exactly as requested.
Illustration of a person organizing data files, representing the collection and preparation phase of data requests.

4) Confidentiality handling

  • If the notice includes a non-disclosure direction, initiate a confidentiality lock. Limit visibility to a strict, predefined need-to-know group.
  • Do not notify Data Principals or third parties. Do not reference the request in general incident logs, Slack channels, or customer communications.
  • If you need to inform anyone outside the locked group, first obtain prior written permission from the authorised person.

5) Furnishing and delivery

  • Follow the delivery method and format specified in the notice. If none is specified, propose a secure channel and confirm it in writing.
  • Include a cover note listing exactly what you are furnishing, any unresolved queries, and contact details for follow-ups.
  • Meet the deadline. If unavoidable delays arise, notify the authorised person in advance and seek an extension in writing.

6) Closure and recordkeeping

  • Maintain a complete, isolated file. Keep the notice, all correspondence, validation notes, search logs, extracted datasets, and proof of furnishing.
  • Store the confidentiality directive and any permission to disclose in the exact same file.
  • Conduct a short after-action review. Capture lessons to improve the speed and accuracy of your next response.

Controls to Put in Place Now

  • Single intake channel. Route all government notices to a monitored address and a designated compliance lead. Do not let these sit in a generic support inbox.
  • Authority verification reference. Maintain an up-to-date reference that maps authorised persons directly from the Seventh Schedule.
  • Playbooks and checklists. Standardize your scoping, search, extraction, and furnishing steps with clear roles and hard deadlines.
  • Confidentiality lock procedure. Build a predefined process that restricts access, enforces naming conventions, and controls communications the moment a non-disclosure direction applies.
  • Deadline and task tracking. Use a tracker that actively alerts on upcoming due dates and unresolved queries.
  • Training. Brief your legal, compliance, security, and key operational teams on Rule 23 mechanics and the extreme sensitivity of gag directions.

Managing Risks and Edge Cases

  • Ambiguous scope. If a request is vague, seek clarification promptly. Document every single clarification request. Do not guess what the government wants.
  • Overbroad asks. You can raise precision questions, but do not refuse to furnish what is squarely requested for a listed purpose.
  • Conflicting obligations. If your internal policies or other commitments suggest transparency, remember that the statutory non-disclosure direction controls. A company policy cannot override a legal gag order. Obtain written permission before any disclosure.
  • Vendor-held data. If the requested information resides with a third party you use, coordinate quickly and document your steps. You remain legally responsible for timely furnishing under the notice.

Summary

Rule 23 gives the Central Government a clear path to call for information from Data Fiduciaries and intermediaries for specified purposes under the Act. It also allows a targeted confidentiality direction where disclosure could harm sovereignty, integrity, or security. Your job is to authenticate the request, limit the scope to exactly what is asked and permitted, meet the deadline, and strictly follow any non-disclosure instruction.

Real execution is about discipline. Requests arrive with short timelines and little context. The gap between theory and practice is closed by a clean intake process, fast verification of authority and purpose, secure data retrieval, and tight confidentiality controls.

Regodit provides a structured way to manage these steps, keep evidence in order, and reduce risk under time pressure.

Ready to simplify compliance?

Explore how Regodit can centralize request intake, verification, and response workflows under Rule 23. If you want to stress test your current process or design one from the ground up, schedule a call and we can talk through your environment and constraints.

Disclaimer: The views and explanations shared in this blog are based on our team's understanding of the relevant compliance frameworks. While every effort has been made to ensure accuracy, readers are encouraged to refer to the original legal provisions and official notifications for authoritative guidance. Please reach out to us at connect@solsphere.ai.

Keep reading

All blogs →