
The DPDP Act significantly impacts routine tax practice because tax professionals regularly handle sensitive digital personal data such as PAN credentials, income details, bank statements, investment records, and financial documents shared through email, WhatsApp, cloud folders, and scanned copies. The Act requires clear purpose-based processing, prior notice, and consent under Sections 5 and 6, making it essential for practitioners to adopt structured onboarding communication. Return filing, rectification, assessments, and appeals all involve substantial data flow, requiring informed consent, limited data collection, controlled staff access, and defined retention policies. Practitioners must explain what data is collected, who can access it, how long it will be retained, and the client’s rights. The Act encourages minimization—collecting only what is necessary and avoiding indefinite storage. For long-running matters like assessments and appeals, extended retention should be disclosed. Ultimately, the DPDP Act formalizes good professional discipline: clear communication, secure handling, limited access, and timely deletion.

This note highlights the key touchpoints in a simple, practice-oriented manner.

1. Brief Background of the DPDP Act

The Act regulates the processing of digital personal data. Any data handled in electronic form—whether received by email, WhatsApp, cloud folders, or scanned copies—falls within its scope.

Applicability – Sections 3 and 4

Section 3 applies the Act to the processing of digital personal data within India. Section 4 allows processing only for a specific purpose and generally with consent.

Notice and Consent – Sections 5 and 6

Before collecting data, the individual must be informed of:

  • the purpose of collection,

  • how the data will be used, and

  • their rights under the Act.

Consent must be clear and linked to the stated purpose. For most professional engagements, a simple onboarding notice-cum-consent is sufficient.

2. Income-Tax Return Filing: Key DPDP Considerations

Return filing involves the largest volume of personal data, making DPDP compliance especially relevant.

(A) Types of Data Collected

Typical data received includes:

  • login credentials (PAN, password, OTP-based access),

  • personal information,

  • bank details,

  • income particulars,

  • supporting documents (Form 16, AIS/TIS, bank statements, investments, loan documents, etc.).

This information qualifies as personal data and, in many cases, sensitive financial data.

(B) Modes of Data Collection

Documents commonly reach practitioners through:

  • email,

  • WhatsApp,

  • cloud folders,

  • departmental portals,

  • scanned copies of physical documents.

Regardless of the mode, once the data exists in digital form, DPDP obligations apply.

(C) Staff Access and Internal Handling

Team members or assistants often:

  • interact with the client,

  • collect documents, and

  • work on the return.

Clients should be informed that their data will be handled by authorized personnel of the practice solely for tax-related purposes. This can be covered in a standard engagement communication.

(D) Obtaining Consent

Consent may be recorded through:

  • an engagement letter,

  • an onboarding email,

  • a digital acknowledgment, or

  • a standard acceptance form.

The notice should briefly mention:

  • purpose of processing,

  • types of data required,

  • who may access the data,

  • retention period,

  • client rights under the Act.

(E) Minimizing Data Collection

DPDP encourages the collection of only what is strictly necessary. In practice, this may involve:

  • asking for relevant portions of documents,

  • avoiding bulk data that is not required,

  • refraining from retaining older documents as a matter of habit.

(F) Data Retention and Deletion

After completing the return:

  • data should be deleted or archived based on a defined retention policy,

  • recurring clients can be informed that certain KYC details will be retained for future work,

  • supporting documents should not be stored indefinitely unless required for statutory or practical reasons.

3. Rectification Requests

Rectification assignments typically involve:

  • the intimation under Section 143(1),

  • revised computations,

  • supporting evidence for mismatches or error corrections.

Because the nature of the data is similar to return filing, the same DPDP requirements apply—brief notice, limited collection, secure handling, and defined retention.

4. Assessments and Appeals

These assignments generally require deeper documentation:

  • notices, questionnaires, submissions,

  • bank summaries and transaction details,

  • financial statements,

  • past orders and appellate records.

Since assessments and appeals often run over longer periods, the consent or engagement communication should mention extended retention of related records. Secure storage becomes even more important due to the sensitive nature of the data involved.

5. Closing Remarks

The DPDP Act essentially formalises good data-handling practices—clarity of purpose, limited collection, controlled access, and timely disposal of data. These are practical steps that can be easily integrated into routine tax practice.

A simple notice at onboarding and some internal discipline can ensure smooth alignment with the Act while maintaining the trust of clients who share their most sensitive financial information.

Author Bio

CA Niranjana B C has rich exposure in the area of direct tax and is currently handling various professional assignments in the areas of direct taxes, GST, and company law. He can be reached at caniranjanabc@gmail.com.
