Healthcare

1mg

Ready Score 60/100
Analysis supervised by Sushant Pasumarty
📅 5 Mar 2026

Tata 1mg's privacy policy demonstrates a robust approach to data security and provides mechanisms for data principals to exercise certain rights, such as withdrawing consent. However, the policy currently lacks explicit alignment with several critical provisions of India's Digital Personal Data Protection Act 2023. Key areas requiring enhancement include the granularity of consent, clear definition of data retention periods, explicit mention of DPDP Act-mandated rights like nomination, and the escalation process to the Data Protection Board. Given the sensitive nature of health-related personal data processed by 1mg, precise DPDP compliance is essential to build and maintain user trust while navigating India's evolving data protection landscape.

⚠️ Compliance Gaps

  • Consent mechanism bundled with service terms — not explicitly 'freely given' and granular per Section 6, and no mention of Consent Manager integration.
  • Data retention period undefined — uses 'as long as necessary' language, lacking specific timelines or automated erasure triggers per Section 9.
  • No explicit mention of Data Protection Board as a grievance escalation path per Section 12.
  • Nomination rights under Section 14 for data principals are not addressed.
  • Cross-border transfer provisions lack specificity on restricted jurisdictions or explicit safeguards for potential transfers, despite stating data is hosted in India (Section 16).
  • No explicit reference to the DPDP Act 2023, relying on general 'applicable law' framework.

✅ Strengths

  • Comprehensive data collection disclosure, clearly listing categories of personal and sensitive health data.
  • Clear contact details for a Grievance Officer, including email and physical address.
  • Security safeguards described, including technical and organisational measures, secure servers, and contractual obligations for third-party processors.
  • Explicit mention of the Data Principal's right to withdraw consent.
  • Data collected under the Privacy Notice is stated to be hosted on servers located in India.

Overview

Tata 1mg Healthcare Solutions Private Limited (“Tata 1mg”) is a prominent digital healthcare platform in India, offering online pharmacy, diagnostics, and doctor consultation services. As a healthcare provider, it handles a significant volume of sensitive personal data, including medical information, prescriptions, and health conditions. The robust protection of this data is paramount, making its privacy policy’s alignment with the Digital Personal Data Protection Act 2023 (DPDP Act) critically important.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

While Tata 1mg’s policy states that “where required under applicable law, we will only use your personal information (including sensitive personal information) with your consent”, and explicitly mentions the “Right to Withdraw Consent”, the initial user agreement often appears bundled. The policy states, “By accessing or using the website, you agree to be bound by the terms described herein and all the terms incorporated by reference”. This ‘take it or leave it’ approach for initial consent may not fully meet the DPDP Act’s requirement for consent to be “freely given, specific, informed, and unambiguous”. There is no explicit mention of layered consent mechanisms or integration with a Consent Manager as envisioned by the DPDP Act.

What the policy says: “By accessing or using the website, you agree to be bound by the terms described herein and all the terms incorporated by reference. If you do not agree to all of these terms, do not use the website.” “You have the following rights… Right to Withdraw Consent.”

DPDP requirement: Consent must be free, specific, informed, and unconditional, given for a specific purpose, and capable of withdrawal at any time. The Act also introduces Consent Managers.

Gap: The initial consent seems broadly tied to service terms, lacking explicit granularity for different processing purposes.

Section 7 — Certain Legitimate Uses ⚠️

Tata 1mg lists various purposes for data collection and use, including “processing the User’s requests and provision of Services,” enabling “Tata Group Entities and Partners to offer their products and/or services,” and “improving content and to ensure safety and security, as well as enhance performance”. While some of these, like providing services and complying with legal obligations, align with DPDP’s legitimate uses, broad categories like “personalization” and “marketing” may require more explicit and granular consent under the DPDP’s narrower definition of “certain legitimate uses”.

Gap: Certain data uses, particularly for marketing and personalization via Tata Group Entities and Partners, may fall outside the narrowly defined “legitimate uses” of the DPDP Act without more specific consent.

Section 8 — Obligations of Data Fiduciary ✅

The policy details several security measures: “We have implemented reasonable security practices and procedures that are commensurate with the information assets being protected”. It specifies the use of “technical and organisational measures to safeguard your Data” and storing data “on secure servers”. Furthermore, it mandates that “all Tata 1mg - MediAngels employees and data processors… are obliged to respect its confidentiality” and requires “appropriate written contracts with Tata Group Entities, Partners and Service Providers” to ensure data protection consistent with applicable law. This reasonably aligns with Section 8’s requirements for implementing “reasonable security safeguards”.

Strength: Comprehensive description of security safeguards, including technical, organizational, and contractual measures for third-party processors.

Section 9 — Data Retention 🔴

Critical gap. Tata 1mg’s policy states: “Tata 1mg retains Data for as long as necessary for the use of our products and/or services or to provide access to and use of our website or mobile application, or for other essential purposes such as complying with our legal obligations, resolving disputes, enforcing our agreements and as long as processing and retaining your Data is necessary and is permitted by applicable law”. This “as long as necessary” language is vague and does not provide specific retention timelines or clear triggers for data erasure, as required by Section 9 of the DPDP Act, which mandates erasure when the purpose is fulfilled or consent is withdrawn within a reasonable period.

Gap: Absence of specific data retention periods or automated deletion protocols.

Section 11 — Rights of Data Principal ⚠️

Tata 1mg acknowledges several data principal rights, including the ability to “access, modify, correct and delete the Personal Information” and the “Right to Access, Review and Modify; Right to Correction; Right to Withdraw Consent”. However, the policy does not explicitly mention the “right to nominate another person” to exercise rights on the data principal’s behalf (Section 14 of the DPDP Act). While mechanisms for access and correction exist, there is no direct reference to the right to grievance redressal before the Data Protection Board.

Partial compliance. Basic rights are present, but DPDP-specific rights and mechanisms for their exercise are not fully articulated.

Section 12 — Right of Grievance Redressal ⚠️

The policy clearly publishes the contact information for a Grievance Officer, including an email address and physical address. This is a strength for initial redressal. However, it does not outline the Data Protection Board as an escalation path for unresolved grievances, nor does it commit to specific response timelines, both of which are expected under the DPDP Act.

Partial compliance. While a grievance mechanism exists, the DPDP-mandated escalation path and timelines are absent.

Section 16 — Cross-Border Data Transfer ⚠️

Tata 1mg states that “Data collected under this Privacy Notice is hosted on servers located in India”, which is a positive step towards data localization. However, the policy also mentions that Tata 1mg may “disclose or transfer the User Information, to another third party as part of reorganization or a sale of the assets or business of a Tata 1mg corporation division or company”, and shares data with “Partners” and “Service Providers”. The policy does not explicitly restrict cross-border transfers to countries notified by the Central Government, as required by Section 16 of the DPDP Act. Specific safeguards for any potential international data transfers are not detailed.

Gap: While data hosting is in India, the policy lacks explicit provisions regarding cross-border transfers that fully align with DPDP’s requirements for restricted jurisdictions and detailed safeguards.

Risk Assessment

Category / Risk Level / Details

  • Consent & Notice (Medium): Bundled consent for sensitive health data poses a risk of non-compliance with “freely given” and “specific” consent requirements under DPDP Section 6.
  • Data Retention (High): Vague retention periods increase the risk of over-retention, a direct violation of DPDP Section 9, especially for sensitive health data.
  • Data Principal Rights (Medium): Absence of explicit nomination rights and the Data Protection Board escalation path creates compliance gaps under DPDP Sections 11, 12, and 14.
  • Cross-Border Transfer (Medium): While hosted in India, the lack of explicit rules for potential transfers to third parties or other Tata Group entities internationally could expose 1mg to Section 16 non-compliance.
  • Accountability (Medium): No explicit mention of the DPDP Act 2023 indicates a policy framework that may not be fully updated to the new law, potentially leading to broader accountability risks.
