Consent & Obligations
Data Fiduciary Obligations: Security, Retention, and Erasure
Section 8 of the DPDP Act makes Data Fiduciaries responsible for lawful processing, data accuracy, security safeguards, breach notification, and timely erasure. Rule 6 prescribes minimum security measures such as encryption, access control, logging, and backups. These obligations apply regardless of any contract with a Data Processor.
What Are Your Obligations as a Data Fiduciary?
Section 8 of the DPDP Act 2023; Rule 9 of the DPDP Rules 2025
Data Fiduciaries carry eleven broad obligations — from ensuring data accuracy and engaging processors only under contract, to erasing data when no longer needed and maintaining a grievance redressal mechanism.
Section 8 sets out eleven sub-sections covering the core duties of every Data Fiduciary. These obligations apply regardless of any contractual arrangements with third parties and regardless of whether the Data Principal has performed their own duties under the Act.
Accountability is non-delegable. Sub-section (1) makes clear that a Data Fiduciary remains responsible for complying with the Act even if a Data Processor handles the actual processing. You cannot outsource your compliance obligations through a contract.
Data Processors must be engaged under valid contracts. Sub-section (2) requires that any Data Processor — a third party that processes data on your behalf — may only be engaged under a valid contract. This means written agreements with clear terms about how data will be handled.
Data accuracy matters. Sub-section (3) requires the Data Fiduciary to ensure completeness, accuracy, and consistency of personal data, but only in two specific scenarios: when that data may be used to make decisions affecting the Data Principal, or when it may be disclosed to another Data Fiduciary. For example, if you use personal data to decide whether to approve a loan, or if you share customer data with a partner company, you must make sure it is complete and accurate.
Technical and organisational measures are mandatory. Sub-section (4) requires appropriate technical and organisational measures to be in place. This is a broad obligation — the Act does not prescribe specific technologies, but expects measures proportionate to the risk.
Security safeguards to prevent breaches. Sub-section (5) requires reasonable security safeguards to prevent personal data breaches. What counts as "reasonable" depends on the nature and volume of data, as further detailed in Rule 6.
Breach notification is mandatory. Sub-section (6) requires the Data Fiduciary to notify both the Data Protection Board and each affected Data Principal in the event of a personal data breach. The specifics of timing and content are covered in Rule 7.
Erasure obligations. Sub-section (7) requires the Data Fiduciary to erase personal data when consent is withdrawn or the specified purpose is no longer being served — whichever happens first. The Data Fiduciary must also ensure that any Data Processor it has engaged erases the data as well. Retention is permitted only when required by law.
Deemed purpose fulfilment. Sub-section (8) introduces a time-based trigger: if a Data Principal does not approach the Data Fiduciary or exercise any rights for a prescribed period of time, the specified purpose is deemed to have been fulfilled. This means the erasure obligation kicks in automatically after a period of inactivity. Sub-section (11) clarifies that "not having approached" means the Data Principal has not initiated any contact — whether in person, electronically, or in physical written form.
Published contact information. Sub-section (9) requires every Data Fiduciary to publish the contact details of its Data Protection Officer or an authorised person who can handle queries. Rule 9 adds that this must be done prominently on the Data Fiduciary's website or app, and the same contact information must be included in every response sent to a Data Principal.
Grievance redressal. Sub-section (10) requires the establishment of an effective grievance redressal mechanism. This is not optional — every Data Fiduciary must have a process through which Data Principals can raise concerns and receive responses.
Key Points
- Compliance responsibility stays with the Data Fiduciary — it cannot be outsourced.
- Data Processors may only be engaged under a valid contract.
- Data must be complete, accurate, and consistent when used for decisions about individuals or shared with other Data Fiduciaries.
- Appropriate technical and organisational measures must be implemented.
- Reasonable security safeguards are required to prevent breaches.
- Breach notification is mandatory — to both the Board and affected Data Principals.
- Personal data must be erased when consent is withdrawn or the purpose is fulfilled (whichever is earlier), unless retention is required by law.
- If a Data Principal does not approach the Data Fiduciary for a prescribed period, the purpose is deemed fulfilled and erasure must follow.
- DPO or authorised person contact details must be published prominently (Rule 9).
- An effective grievance redressal mechanism is mandatory.
What Security Measures Are Required?
Rule 6 of the DPDP Rules 2025
Rule 6 prescribes seven minimum security safeguard requirements — from encryption and access controls to logging, backup measures, and contractual provisions with Data Processors.
While Section 8(5) of the Act requires "reasonable security safeguards," Rule 6 translates that into concrete minimum requirements. These are not optional best practices — they are mandatory baselines.
Encryption and data protection techniques. Data Fiduciaries must use encryption, obfuscation, masking, or virtual tokens to protect personal data. The Rule does not mandate a specific encryption standard, but the expectation is that data must not be stored or transmitted in a form that can be easily read if intercepted or accessed without authorisation.
Access controls. Access to computer resources containing personal data must be controlled. This means not everyone in the organisation should have access to all personal data — access should be limited based on role and necessity.
Logging, monitoring, and review. Data Fiduciaries must maintain logs, conduct monitoring, and perform reviews aimed at detecting unauthorised access to personal data. This is not a one-time setup — it requires ongoing vigilance.
Backup and continuity measures. Backup measures must be in place to ensure that personal data processing can continue even if data is compromised. This covers scenarios like ransomware attacks or accidental deletion.
Minimum retention for detection purposes. Logs and personal data must be retained for a minimum of one year. This retention is specifically to enable detection, investigation, and remediation of breaches — it exists alongside (and is separate from) the erasure obligations under Section 8(7).
Contractual provisions with Data Processors. When a Data Processor handles personal data on your behalf, your contract with them must include provisions for maintaining security safeguards. The Data Fiduciary cannot simply hand over data without ensuring the Processor will protect it.
Appropriate technical and organisational measures. As a catch-all, Rule 6 reiterates the requirement for appropriate technical and organisational measures. This ensures that the list above is treated as a floor, not a ceiling — additional measures may be needed depending on the nature and volume of data being processed.
Key Points
- Encryption, obfuscation, masking, or virtual tokens are required.
- Access controls must limit who can access personal data on computer resources.
- Logging, monitoring, and review must be in place to detect unauthorised access.
- Backup measures must ensure continued processing if data is compromised.
- Logs and personal data must be retained for at least 1 year for detection and investigation purposes.
- Contracts with Data Processors must include security safeguard provisions.
- These are minimum requirements — additional measures may be needed based on risk.
When Must You Delete Personal Data?
Section 8(7)–(8) of the DPDP Act 2023; Rule 8 of the DPDP Rules 2025
Personal data must be erased when consent is withdrawn or the specified purpose is no longer served. Rule 8 sets specific retention periods for large platforms and requires a 48-hour advance notice before erasure.
The Act's default rule under Section 8(7) is straightforward: erase personal data when consent is withdrawn or the specified purpose is no longer being served — whichever happens first. The Data Fiduciary must also ensure that any Data Processor it has engaged erases the data. The only exception is when retention is required by another law.
Section 8(8) adds an automatic trigger. If a Data Principal does not approach the Data Fiduciary or exercise any of their rights for a prescribed period of time, the specified purpose is deemed to have been fulfilled. Once that happens, the erasure obligation kicks in. This prevents organisations from retaining data indefinitely by arguing the purpose is still technically alive.
Rule 8 prescribes specific retention periods for certain categories of large-scale Data Fiduciaries: e-commerce entities with two crore or more registered users, online gaming intermediaries with fifty lakh or more registered users, and social media intermediaries with two crore or more registered users must each retain data for three years.
Before erasing data, the Data Fiduciary must inform the Data Principal at least 48 hours in advance. This gives the individual an opportunity to take action — such as downloading their data — before it is deleted.
Separately, all Data Fiduciaries — regardless of size or category — must retain logs and personal data for a minimum of one year. This retention is mandated by Rule 6 for the purpose of detecting, investigating, and remediating security breaches, and it operates independently of the erasure timelines above.
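The interaction between these rules is easiest to see as a scheduling decision. The following is an added example, not code from the page or from any official source: a small Python scheduler that picks the earliest of the three Section 8 erasure triggers (consent withdrawal, purpose no longer served, deemed fulfilment after inactivity), honours the "required by another law" exception, enforces the 48-hour advance notice before erasure, lists the Data Processors that must be instructed to erase, and computes the separate Rule 6 one-year log retention floor. The record fields, the use of the page's three-year figure as the inactivity window for the listed large platforms, and counting log retention from the time a log entry is written are all assumptions made for the example.

```python
"""Retention and erasure scheduler modelled on Section 8(7)-(8) and Rules 6 and 8.
Added illustrative code; field names and the inactivity window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

LOG_RETENTION_MIN = timedelta(days=365)   # Rule 6: logs kept at least one year for breach detection
ERASURE_NOTICE = timedelta(hours=48)      # Rule 8: inform the Data Principal at least 48 hours before erasure
THREE_YEARS = timedelta(days=3 * 365)     # the three-year figure the page quotes for large platforms (assumed window)


@dataclass
class PersonalDataRecord:
    principal_id: str
    last_contact_at: datetime                         # last time the Data Principal approached us or exercised a right
    consent_withdrawn_at: Optional[datetime] = None
    purpose_ended_at: Optional[datetime] = None       # when the specified purpose stopped being served
    erasure_notice_sent_at: Optional[datetime] = None # when the 48-hour advance notice went out
    retention_required_by_law: bool = False           # the only exception in Section 8(7)
    processors: Tuple[str, ...] = ()                  # Data Processors that hold copies and must erase too


@dataclass
class ErasureDecision:
    action: str                         # "hold", "wait", "notify" or "erase"
    trigger: str                        # which Section 8 trigger fired, or why none applies
    erase_not_before: Optional[datetime]
    instruct_processors: Tuple[str, ...] = ()


def erasure_trigger(rec: PersonalDataRecord, inactivity_period: timedelta):
    """Earliest of the Section 8 triggers: consent withdrawal, purpose end, or
    deemed fulfilment after the prescribed period without contact (Section 8(8))."""
    candidates = [(rec.last_contact_at + inactivity_period,
                   "deemed fulfilled: no contact for the prescribed period")]
    if rec.consent_withdrawn_at is not None:
        candidates.append((rec.consent_withdrawn_at, "consent withdrawn"))
    if rec.purpose_ended_at is not None:
        candidates.append((rec.purpose_ended_at, "specified purpose no longer served"))
    return min(candidates, key=lambda c: c[0])


def decide(rec: PersonalDataRecord, inactivity_period: timedelta, now: datetime) -> ErasureDecision:
    """Decide what the Data Fiduciary must do with this record right now."""
    if rec.retention_required_by_law:
        return ErasureDecision("hold", "retention required by another law", None)
    trigger_at, reason = erasure_trigger(rec, inactivity_period)
    if now < trigger_at:
        return ErasureDecision("wait", reason, trigger_at)
    # A trigger has fired: the 48-hour notice must precede erasure.
    if rec.erasure_notice_sent_at is None:
        return ErasureDecision("notify", reason, now + ERASURE_NOTICE)
    earliest = rec.erasure_notice_sent_at + ERASURE_NOTICE
    if now < earliest:
        return ErasureDecision("wait", reason, earliest)
    # Erase locally and instruct every engaged Data Processor to do the same.
    return ErasureDecision("erase", reason, earliest, rec.processors)


def log_retention_deadline(log_written_at: datetime) -> datetime:
    """Rule 6 floor: a log line may not be discarded before one year has passed.
    Counting from the time the entry was written is an assumption of this example."""
    return log_written_at + LOG_RETENTION_MIN


if __name__ == "__main__":
    # Constructed sample records, not real data.
    now = datetime(2025, 6, 1)
    samples = [
        PersonalDataRecord("dp-001", last_contact_at=datetime(2022, 5, 1)),
        PersonalDataRecord("dp-002", last_contact_at=datetime(2025, 5, 1),
                           consent_withdrawn_at=datetime(2025, 5, 20),
                           erasure_notice_sent_at=datetime(2025, 5, 20, 12),
                           processors=("cloud-crm", "analytics-vendor")),
        PersonalDataRecord("dp-003", last_contact_at=datetime(2025, 1, 1)),
        PersonalDataRecord("dp-004", last_contact_at=datetime(2020, 1, 1), retention_required_by_law=True),
    ]
    for rec in samples:
        d = decide(rec, THREE_YEARS, now)
        print(rec.principal_id, d.action, "|", d.trigger, "|", d.erase_not_before, d.instruct_processors)
```

In the sample run, dp-001 has been inactive longer than the three-year window, so the purpose is deemed fulfilled and the next step is the 48-hour notice; dp-002 withdrew consent, was notified, and the notice period has elapsed, so erasure (including at both processors) is due; dp-003 is still inside the window; dp-004 is held under a legal retention requirement. Note that the log retention floor is computed separately and never shortens or lengthens the personal-data erasure date, which mirrors the page's point that Rule 6 operates independently of Section 8(7).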
Key Points
- Erase personal data when consent is withdrawn or the purpose is fulfilled — whichever is earlier.
- Data Processors must also erase the data when instructed by the Data Fiduciary.
- Retention is permitted only when required by another law.
- Inactivity trigger: if a Data Principal does not approach or exercise rights for a prescribed period, the purpose is deemed fulfilled.
- E-commerce (2 crore+ users), online gaming (50 lakh+ users), and social media (2 crore+ users): 3-year retention period.
- Data Principals must be informed at least 48 hours before erasure.
- All Data Fiduciaries must retain logs and personal data for at least 1 year for breach detection purposes.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.