The New Era of Insurance Claims: Navigating Data Sharing Under the DPDP Act 2023


If you operate in the Indian health or general insurance sector, the way you handle policyholder information just experienced a massive paradigm shift. On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) formally notified the Digital Personal Data Protection (DPDP) Rules. For insurers and their vendor ecosystems, this wasn’t just another regulatory update to pass down to the legal department. It fundamentally rewrote the rules of engagement for Data Sharing between primary insurance companies and Third-Party Administrators (TPAs).

We are no longer living in an era where an insurer can casually hand over medical records to a processor and expect a standard Service Level Agreement to protect them from liability. The grace period of ambiguity is officially over, and the clock is ticking toward the strict compliance deadlines rolling out through 2026 and 2027.

The Fiduciary Trap: Redefining Roles

Let’s get straight to the reality of the situation. Under the DPDP Act, the roles are clearly defined:

Insurance Company

Data Fiduciary — you determine why and how a customer’s personal information is collected. Ultimate legal liability rests here.

TPA, Broker, Cloud Vendor

Data Processor — they manage claim settlements strictly on the Fiduciary’s behalf.

In the past, if a TPA suffered a cybersecurity breach or an employee leaked sensitive health records, the insurer could point fingers at the vendor. The DPDP Act closes this escape hatch. Section 8(1) makes the Data Fiduciary responsible for compliance with the Act in respect of any processing done by it or on its behalf by a Data Processor, irrespective of any agreement to the contrary. In plain English: if your vendor messes up, you answer for it, and you can only recover from the vendor afterwards through your contract. The price is steep: the Data Protection Board of India (DPBI) can levy penalties of up to ₹250 crore on a Data Fiduciary for failing to implement reasonable security safeguards.

Because of this intense financial and reputational risk, informal exchanges of policyholder files are now legally toxic. Section 8(2) of the Act demands that any Data Sharing with a processor must happen under a valid, legally binding contract. If you are sending claims data to a TPA without a robust Data Processing Agreement (DPA) that explicitly meets DPDP standards, you are already operating outside the law.

Tearing Down the Old SLAs

Most legacy vendor agreements in the insurance industry focus heavily on operational metrics. Turnaround times for cashless approvals, grievance resolution windows, and uptime guarantees usually take center stage. Data Sharing and privacy clauses, if they exist, are often generic copy-paste jobs from the IT Act of 2000.

Those days are done. A modern DPDP-compliant contract requires you to aggressively dictate how your TPA manages the information they touch. You have to restrict their operations to exact, narrow parameters. When an insurer executes Data Sharing for a health claim, the TPA can only use those medical records for adjudicating that specific claim.

If the TPA decides to run analytics on that data to build their own risk models, or worse, uses the contact information to cross-sell wellness programs, they have violated the principle of purpose limitation. But again, the DPBI won’t just punish the TPA. They will hold the insurer responsible for failing to govern their processor. Your agreements must explicitly prohibit any unauthorized Data Sharing or secondary use of policyholder data.

The Anatomy of a Compliant Processor Agreement

So, what exactly needs to change in your vendor contracts? The newly notified DPDP Rules 2025, specifically Rule 6, lay out non-negotiable security safeguards. Your agreements must ensure that all Data Sharing with TPAs follows these specific technical controls before a single byte of information changes hands.

Encryption and Access Controls

You cannot simply ask your TPA to “keep data safe.” Rule 6 names encryption, obfuscation, masking and virtual tokens as the measures for securing personal data; your contract should go one step further and specify that personal data is encrypted both in transit and at rest whenever it is shared, and should name the key-management responsibilities on each side. Furthermore, access to sensitive medical records must be governed by role-based access controls (RBAC) that are enforced at the field level, not just at the application login. A customer support agent at the TPA shouldn’t be able to read the same depth of clinical history as a senior medical adjudicator, and a request for fields outside the agent’s role should be refused outright rather than partially served.

One-Year Log Retention

Rule 6 explicitly requires organizations to maintain access and activity logs so that they can see who touches personal data, monitor those logs, and use them to detect and investigate breaches. Your TPA must therefore have systems capable of recording who accessed a specific policyholder’s file, when they did it, what fields they touched, and what changes were made, including failed or refused access attempts. Crucially, these logs must be retained for a minimum of one year, and they must survive the erasure of the underlying personal data: deleting a claim file must not delete the record of who looked at it. If the Data Protection Board initiates an inquiry, your TPA needs to produce these logs promptly to prove compliance.
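The following is an added illustration of the two controls above, the field-level RBAC in “Encryption and Access Controls” and the access log with a one-year retention floor in this section, together with the erasure behaviour discussed under “Strict Erasure Protocols.” It is example code written for this page, not code from RuleExpert or from any insurer or TPA. The role names, field names, the sample claim record and the clock-driven dates are all constructed assumptions; the point is that every read, refused read, update and erasure is written to the log before it is served, that the log outlives the personal data, and that pruning touches only log entries older than the retention floor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical role model (an assumption for this example): the fields of a
# claim record each TPA role is allowed to see or change.
ROLE_FIELDS: Dict[str, frozenset] = {
    "support_agent": frozenset({"claim_id", "policy_no", "status"}),
    "medical_adjudicator": frozenset(
        {"claim_id", "policy_no", "status", "diagnosis", "treatment_notes"}
    ),
}

LOG_RETENTION = timedelta(days=365)  # Rule 6: access logs kept at least one year


class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its entitlement."""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime               # when
    actor: str                 # who
    role: str
    claim_id: str              # which policyholder file
    action: str                # read / update / erase / denied
    fields: Tuple[str, ...]    # what was touched (or refused)


class ClaimStore:
    """Claim records behind a role check; every touch is logged before it is served."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock            # injected so dates are deterministic
        self._claims: Dict[str, dict] = {}
        self._log: List[AuditEvent] = []

    def _record(self, actor: str, role: str, claim_id: str, action: str, fields: Iterable[str]) -> None:
        self._log.append(AuditEvent(self._clock(), actor, role, claim_id, action, tuple(sorted(fields))))

    def add_claim(self, claim: dict) -> None:
        self._claims[claim["claim_id"]] = dict(claim)

    def read(self, actor: str, role: str, claim_id: str, fields: Iterable[str]) -> dict:
        wanted = frozenset(fields)
        allowed = ROLE_FIELDS.get(role, frozenset())  # unknown role -> nothing allowed
        if not wanted <= allowed:
            # Fail closed: one out-of-scope field rejects the whole request, and the refusal is logged.
            self._record(actor, role, claim_id, "denied", wanted - allowed)
            raise AccessDenied(f"{role} may not read {sorted(wanted - allowed)}")
        self._record(actor, role, claim_id, "read", wanted)
        claim = self._claims[claim_id]
        return {f: claim[f] for f in wanted if f in claim}

    def update(self, actor: str, role: str, claim_id: str, changes: dict) -> None:
        if not frozenset(changes) <= ROLE_FIELDS.get(role, frozenset()):
            self._record(actor, role, claim_id, "denied", changes.keys())
            raise AccessDenied(f"{role} may not change {sorted(changes)}")
        self._claims[claim_id].update(changes)
        self._record(actor, role, claim_id, "update", changes.keys())

    def erase(self, actor: str, claim_id: str) -> None:
        """Purpose served or consent withdrawn: drop the personal data, keep the trail."""
        claim = self._claims.pop(claim_id)
        self._record(actor, "system", claim_id, "erase", claim.keys())

    def has_claim(self, claim_id: str) -> bool:
        return claim_id in self._claims

    def prune_logs(self) -> int:
        """Remove only log entries older than the retention floor; return how many went."""
        cutoff = self._clock() - LOG_RETENTION
        before = len(self._log)
        self._log = [e for e in self._log if e.ts >= cutoff]
        return before - len(self._log)

    def history(self, claim_id: str) -> List[AuditEvent]:
        return [e for e in self._log if e.claim_id == claim_id]


def demo() -> dict:
    """Walk one constructed claim through access, refusal, update, erasure and log pruning."""
    now = [datetime(2026, 1, 10, tzinfo=timezone.utc)]
    store = ClaimStore(clock=lambda: now[0])
    store.add_claim({  # constructed sample record, not real policyholder data
        "claim_id": "CLM-0001", "policy_no": "POL-777", "status": "open",
        "diagnosis": "appendicitis", "treatment_notes": "laparoscopic appendectomy",
    })
    agent_view = store.read("agent.k", "support_agent", "CLM-0001", ["claim_id", "status"])
    try:
        store.read("agent.k", "support_agent", "CLM-0001", ["claim_id", "diagnosis"])
        denied = False
    except AccessDenied:
        denied = True
    store.update("dr.m", "medical_adjudicator", "CLM-0001", {"status": "approved"})
    store.erase("retention-job", "CLM-0001")
    actions_after_erase = [e.action for e in store.history("CLM-0001")]
    now[0] += timedelta(days=200)
    pruned_early = store.prune_logs()   # inside the one-year floor: nothing removed
    now[0] += timedelta(days=200)
    pruned_late = store.prune_logs()    # 400 days on: the four entries may now go
    return {
        "agent_view": agent_view, "denied": denied,
        "claim_present": store.has_claim("CLM-0001"),
        "actions_after_erase": actions_after_erase,
        "pruned_early": pruned_early, "pruned_late": pruned_late,
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The refusal path logs before it raises, so an agent probing for clinical fields leaves the same kind of trace as a successful read. And erasure removes the claim but not its history, so a year later the TPA can still show the Board who handled the file even though the file itself is gone.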

Immediate Breach Notification

Rule 7 requires the fiduciary, on becoming aware of a personal data breach, to inform each affected Data Principal without delay and to intimate the DPBI without delay, following up with a detailed report to the Board within 72 hours (or such longer period as the Board allows on request). As the primary insurer, you can’t afford to let the TPA take its time reporting an incident up the chain, because the clock starts when the fiduciary becomes aware, and the fiduciary is the one the Board will question. Your DPA must include an accelerated notification clause, forcing the TPA to alert your security team immediately on discovering a compromise, often within 6 to 12 hours. Note that CERT-In’s 2022 directions already require certain cyber incidents to be reported to CERT-In within six hours, so a six-hour vendor clause also keeps you inside that separate obligation.

Strict Erasure Protocols

Data hoarding is a massive liability under the new regime. Section 8(7) of the Act requires personal data to be erased as soon as it is reasonable to assume the specified purpose is no longer being served, unless retention is required by law, and Rule 8 with the Third Schedule fixes the time periods after which specified classes of fiduciaries must erase data of principals who have stopped engaging with them, with notice to the principal before erasure. When a policy expires, or a policyholder exercises the right to withdraw consent, the TPA cannot hold onto those records indefinitely. Your contract must establish a rigid, verifiable protocol for data destruction, requiring the TPA to securely delete or return all personal data within a strict window, typically 30 days, and to confirm in writing that backups and downstream copies were covered.

Navigating the Overlap with IRDAI Guidelines

Insurance companies don’t just answer to the Data Protection Board; they also answer to the Insurance Regulatory and Development Authority of India (IRDAI). This regulatory overlap makes Data Sharing compliance particularly tricky.

In April 2026, IRDAI issued updated Information and Cyber Security Guidelines that heavily reinforce DPDP mandates. When structuring your Data Sharing workflows, you have to satisfy both watchdogs simultaneously.

DPDP Act Requires

  • Explicit, unambiguous affirmative consent before processing health data
  • Valid Data Processing Agreement under Section 8(2)
  • Breach notification to affected users and the DPBI without delay, with a detailed report to the Board within 72 hours

IRDAI Goes Further

  • Itemized consent before any health data is processed
  • Mandatory information security assessments before onboarding any TPA or web aggregator
  • Audit rights written into contracts and periodically exercised

You cannot just take a vendor’s word that their encryption is solid; you must have audit rights written into your contract and actually execute those audits periodically to ensure they are meeting both IRDAI and DPBI standards.

The Cross-Border Transfer Nuance

What if your TPA uses a cloud infrastructure hosted outside India? Rule 15 of the DPDP Rules 2025 clarifies the government’s stance on Data Sharing involving cross-border transfers of personal data. Unlike the intense data localization requirements proposed in earlier drafts of the bill, the final rules adopted a more pragmatic approach.

Currently, Data Sharing with servers or processors outside India is permitted by default, unless the Central Government issues a specific order restricting a particular country.

However, “permitted” does not mean “unregulated.” The fiduciary remains entirely responsible for the data regardless of where it lives. If your TPA uses a foreign subsidiary for back-office processing, your agreement must enforce the exact same DPDP-level safeguards on that overseas entity. Furthermore, sectoral regulations like those from IRDAI might still impose stricter localization rules for core insurance documents, meaning you must carefully govern Data Sharing, map where every piece of data physically resides, and ensure compliance with both frameworks.

Children’s Data and Special Protections

Health insurance frequently covers entire families, meaning TPAs process vast amounts of data belonging to minors. Data Sharing involving children’s personal information is therefore subject to heightened obligations under Section 9 of the DPDP Act and Rule 10 of the 2025 Rules, creating intense friction for standard operating procedures.

Before processing a child’s personal data, the fiduciary must obtain “verifiable parental consent.” Your DPA needs to specify exactly how the TPA handles pediatric claims and Data Sharing involving minors. They must have technical measures in place to flag minor records and ensure that the parent or lawful guardian has actually authorized the processing. Any behavioral tracking or profiling of minors is strictly prohibited. If your TPA runs wellness gamification apps or risk profiling programs, they must completely exclude individuals under 18 from those specific analytics.

Automating Compliance to Survive the Transition

Attempting to manage this web of vendor obligations and Data Sharing requirements through manual spreadsheets is a recipe for a massive fine. With the phased implementation timelines pushing toward full enforcement by May 2027, the window to get your operations aligned is closing fast.

You have to track consent versions, monitor vendor audit schedules, manage breach reporting timelines, and execute updated contracts across dozens of third parties. This is where specialized compliance software becomes non-negotiable.

Solutions like RuleExpert are designed specifically to handle this operational chaos. By centralizing your vendor risk management, these platforms allow you to:

  • Automate Processor Agreement Tracking: generate and track DPDP-compliant processor agreements, and continuously monitor the compliance status of every TPA in your ecosystem, ensuring they upload security attestations and annual audit reports on time.
  • Integrate Consent into the Data Sharing Pipeline: if a policyholder revokes consent through your customer portal, the system automatically flags the change and triggers an erasure protocol down the chain to the relevant TPA, ensuring you don’t inadvertently process data illegally.

It’s time to stop looking at data protection as merely an IT problem or a legal checkbox. How you govern Data Sharing and the flow of information to your vendors is now a core pillar of your operational resilience. Start auditing your TPA contracts today, implement the necessary automation, and protect your organization from the vicarious liabilities of the modern digital economy.

Author Bio

Nitin Ray is a Compliance Manager at RuleExpert with expertise in DPDP compliance, data privacy, consent management, and governance. He helps organizations implement practical compliance frameworks and automation strategies to meet the requirements of India’s Digital Personal Data Protection Act, 2023.


Frequently Asked Questions (FAQs)

1. Does the DPDP Act ban insurers from sharing data with TPAs entirely?

No. The Act fully permits insurers to share information with processors, provided there is a valid, legally binding Data Processing Agreement in place that complies with Section 8(2) of the Act, and the data subject has consented to this processing.

2. Who is legally responsible if a TPA suffers a data breach?

The insurance company (the Data Fiduciary) holds primary legal liability. While the insurer may seek contractual damages from the TPA later, the Data Protection Board will hold the primary insurer accountable and can issue penalties up to ₹250 crore for failing to secure the data.

3. Do we need a new consent form every time a TPA processes a claim?

Not necessarily. The initial consent collected by the insurer must be itemized and specific enough to cover the claim settlement process. It must explicitly mention that third-party processors will handle the data strictly for this exact purpose.

4. What happens if a policyholder withdraws their consent during an active claim?

This is a complex scenario. While the DPDP Act allows users to withdraw consent, insurers are also bound by other laws requiring the retention of financial and medical records. Furthermore, processing necessary to provide emergency medical treatment is exempt from the consent requirement under specific provisions of the Act.

5. How long can a TPA keep policyholder records after a claim is settled?

Section 8(7) of the Act requires erasure once the specified purpose is fulfilled, unless retention is required by law, and Rule 8 sets the time periods for specified fiduciaries. TPAs cannot retain data indefinitely. The exact timeline should be defined in your DPA, typically requiring the secure deletion or return of data within a short window after the policy expires or the service contract ends, while the access logs covering that data are kept for the one-year period Rule 6 requires.

6. Are TPAs required to appoint a Data Protection Officer (DPO)?

Only entities classified as “Significant Data Fiduciaries” (SDFs) are legally mandated to appoint a DPO resident in India. However, practically speaking, large TPAs should designate a privacy point-of-contact to handle the rigorous audit and compliance requests coming from their insurer clients.

7. Can a TPA use claims data to train their own AI models?

No. This violates the core principle of purpose limitation. The data was collected specifically to settle an insurance claim, not to train machine learning algorithms. Any secondary use of the information requires separate, explicit, and informed consent from the policyholder.

8. When do these rules become fully enforceable?

The DPDP Rules 2025 were officially notified on November 13, 2025. While the Data Protection Board is already operational, obligations for Data Fiduciaries are operating on an 18-month transition timeline, pointing toward full enforcement by May 2027. Businesses are strongly advised to align well before this deadline.