Healthcare

1mg

Ready Score 48/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 9 Feb 2026

Tata 1mg handles prescription medicines, lab tests, and health content consumption, each of which reveals health conditions. At 48/100, the platform's e-commerce-style privacy approach is inadequate for what is, in practice, a data fiduciary for health data. The Tata Group integration adds cross-entity data flow concerns.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Medicine purchase history = health data treated as e-commerce data
  • Prescription upload and storage terms undefined
  • Tata Group data sharing scope unclear
  • No data retention timelines for health records
  • Data Protection Board not referenced
  • Lab test results storage and sharing policies vague

✅ Strengths

  • Detailed data collection categories listed
  • Security measures described, including encryption
  • Grievance officer designated
  • Some purpose limitation mentioned

Overview

Tata 1mg (formerly 1mg) is India’s leading online pharmacy and health platform. Users upload prescriptions, order medicines (often for chronic conditions), book lab tests, and consume health content. Every interaction reveals health information, which makes 1mg in practice a data fiduciary for health data while it operates under e-commerce privacy standards.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent 🔴

1mg’s consent is standard e-commerce style: “By using our platform, you consent…” Consent implied by use of the service does not meet the Act's standard for any personal data, and it is fundamentally inadequate for health data processing.

What 1mg collects that reveals health conditions:

  • Medicine orders (diabetes medication = diabetes diagnosis)
  • Prescription uploads (complete medical history on paper)
  • Lab test bookings (thyroid panel = thyroid concern)
  • Health content browsing (“symptoms of cancer” searches)
  • Doctor consultation records

DPDP requirement: Section 6 requires consent that is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and Section 5 requires a notice stating what is collected and for what purpose. For health data this means explicit, purpose-specific consent with a clear explanation of how the data will be used and who will have access to it.

Section 7 — Certain Legitimate Uses 🔴

1mg extends processing well beyond medicine delivery:

  • “Personalizing health recommendations” based on medicine purchase history
  • Health product advertising (supplements, wellness products) targeted based on prescriptions
  • Integration with Tata ecosystem (BigBasket, Tata Neu)

Critical gap: Section 7 enumerates the legitimate uses that do not require consent (for example data voluntarily provided for a specified purpose, medical emergencies, or employment). Using prescription medication data to target supplement advertising is not among them and therefore needs its own consent.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy describes standard security measures, which meets Section 8(5)'s duty to take “reasonable security safeguards” only at a generic level. Prescription uploads (images of medical documents) additionally require:

  • Encryption at rest as well as in transit
  • Access controls limiting who can view prescriptions, with access logged
  • Automatic redaction of information not needed for verification
  • Secure deletion once the verification purpose is fulfilled (Section 8(7))

Section 8(7) — Data Retention and Erasure 🔴

No retention timelines. Section 8(7) requires personal data to be erased once the specified purpose is no longer served, unless retention is required by law. Critical concerns:

  • Prescription images: How long are uploaded prescriptions stored? They contain complete health information
  • Medicine purchase history: Chronic medication orders create a longitudinal health record
  • Lab results: Stored indefinitely or time-bounded?
  • Health content browsing: “Searched for [condition]” data — retained?

Sections 11–14 — Rights of Data Principal 🔴

  • No mechanism to delete prescription uploads selectively (Section 12 right to erasure)
  • No health record portability (not a DPDP right as such, but expected of a health platform)
  • No transparency on how medicine purchase data influences recommendations (Section 11 right to access information)
  • No nomination rights (Section 14)

Section 13 — Right of Grievance Redressal ⚠️

Grievance officer exists. No pathway to the Data Protection Board (DPB), which a data principal may approach only after exhausting the fiduciary's own mechanism under Section 13(3). No mechanism for health data-specific privacy complaints.

Section 16 — Cross-Border Data Transfer ⚠️

Section 16 permits transfer outside India except to countries the Central Government restricts by notification; it does not mandate localization. Even so, as a Tata Group entity, data may flow within the conglomerate, and the policy does not say where it is stored or processed. Health data localization should be a priority: prescription and medicine data should ideally not leave Indian jurisdiction.

Risk Assessment

Category                    | Risk Level | Potential Impact
Regulatory fine             | Critical   | Failure of security safeguards sits in the highest penalty tier (up to ₹250 crore under the Schedule)
Medicine data = health data | Critical   | Every purchase reveals a health condition
Prescription storage        | Critical   | Uploaded prescriptions = complete medical snapshot
Tata ecosystem sharing      | High       | Health data flowing to BigBasket/Tata Neu
Data retention              | Critical   | No timelines for deeply sensitive health data

The Medicine-as-Health-Data Problem

Every 1mg purchase is effectively a health data point:

Medicine Category         | Health Condition Revealed          | Sensitivity
Metformin, insulin        | Diabetes                           | High
Antidepressants           | Mental health condition            | Very High
Antiretrovirals           | HIV/AIDS                           | Extremely High
Fertility medications     | Reproductive health                | Very High
Blood pressure medication | Hypertension                       | High
Generic vs. branded       | Financial health/insurance status  | Moderate
Refill patterns           | Treatment adherence                | High

Treating this data with standard e-commerce privacy standards is a critical oversight.

Recommendations

  1. Reclassify medicine data as health data — Apply enhanced protections, consent, and retention rules
  2. Implement prescription auto-deletion — “Prescription images are verified and deleted within 72 hours; only the verification status is retained”
  3. Separate Tata ecosystem health data — Clear firewall between 1mg health data and other Tata entities
  4. Create health data consent layers — Separate consent for medicine delivery, lab test booking, health content personalization, and health product marketing
  5. Define health-specific retention — “Medicine purchase history: 5 years per drug regulatory standards; Lab results: 3 years; health browsing: 90 days; prescriptions: deleted after verification”
  6. Add nomination mechanism — Allow patients to nominate a family member for health data access
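As an added example, not code from 1mg or Tata, here is how recommendations 2 and 5 translate into an enforceable retention job: category-specific windows, the verify-then-delete rule for prescription images (only the verification status survives), and a legal-hold override for records the law requires a pharmacy to keep, which is the exception Section 8(7) preserves. The category names, record fields and the sample batch are assumptions constructed for illustration; the 72-hour, year and day windows are the page's proposed values, not statutory periods.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention windows per data category. Category names are assumptions;
# the durations are the page's proposed values, not statutory ones.
RETENTION = {
    "medicine_purchase": timedelta(days=5 * 365),
    "lab_result": timedelta(days=3 * 365),
    "health_browsing": timedelta(days=90),
}
# Prescription images are verified and deleted within 72 hours (page's proposal).
PRESCRIPTION_VERIFY_DEADLINE = timedelta(hours=72)


@dataclass
class Record:
    record_id: str
    category: str
    created_at: datetime
    payload: Optional[bytes] = None              # image bytes, report, query text ...
    verified: Optional[bool] = None              # prescriptions only: None = not yet checked
    legal_hold_until: Optional[datetime] = None  # retention required by law (DPDP s.8(7))


@dataclass
class Decision:
    record_id: str
    action: str                                   # keep | purge | purge_payload | review
    reason: str
    retained: dict = field(default_factory=dict)  # the stub that survives a payload purge


def decide(rec: Record, now: datetime) -> Decision:
    """Apply the retention rules to one record."""
    # A statutory record-keeping duty overrides every window.
    if rec.legal_hold_until is not None and now < rec.legal_hold_until:
        return Decision(rec.record_id, "keep", "legal hold")

    if rec.category == "prescription":
        # Verify-then-delete: the image is dropped as soon as verification has an
        # outcome, and in any case once the 72h deadline has passed. Only the
        # verification status is kept.
        if rec.verified is not None:
            return Decision(rec.record_id, "purge_payload", "verification complete",
                            {"verified": rec.verified})
        if now - rec.created_at >= PRESCRIPTION_VERIFY_DEADLINE:
            return Decision(rec.record_id, "purge_payload", "verification deadline passed",
                            {"verified": False})
        return Decision(rec.record_id, "keep", "awaiting verification")

    window = RETENTION.get(rec.category)
    if window is None:
        # Unclassified data has no declared purpose; flag it rather than silently keeping it.
        return Decision(rec.record_id, "review", "no retention window for category")
    if now - rec.created_at >= window:
        return Decision(rec.record_id, "purge", f"{rec.category} window expired")
    return Decision(rec.record_id, "keep", f"within {rec.category} window")


def run_retention(records, now):
    """Run the policy over a batch; return surviving records and the decision log."""
    survivors, log = [], []
    for rec in records:
        d = decide(rec, now)
        log.append(d)
        if d.action == "purge":
            continue
        if d.action == "purge_payload":
            # Replace the sensitive payload with the minimal stub.
            rec = Record(rec.record_id, rec.category, rec.created_at,
                         payload=None, verified=d.retained.get("verified"),
                         legal_hold_until=rec.legal_hold_until)
        survivors.append(rec)
    return survivors, log


# Constructed sample data (not real users or records).
NOW = datetime(2026, 2, 9, tzinfo=timezone.utc)


def sample_records():
    return [
        Record("rx-1", "prescription", NOW - timedelta(hours=5), b"<jpeg>", verified=True),
        Record("rx-2", "prescription", NOW - timedelta(hours=80), b"<jpeg>"),
        Record("rx-3", "prescription", NOW - timedelta(hours=1), b"<jpeg>"),
        Record("order-1", "medicine_purchase", NOW - timedelta(days=6 * 365), b"metformin 500mg"),
        Record("order-2", "medicine_purchase", NOW - timedelta(days=30), b"insulin"),
        Record("order-3", "medicine_purchase", NOW - timedelta(days=6 * 365), b"antiretroviral",
               legal_hold_until=NOW + timedelta(days=30)),
        Record("search-1", "health_browsing", NOW - timedelta(days=91), b"symptoms of cancer"),
        Record("lab-1", "lab_result", NOW - timedelta(days=2 * 365), b"thyroid panel"),
        Record("misc-1", "chat_transcript", NOW - timedelta(days=1), b"..."),
    ]


def run_sample():
    """Map record_id -> action for the constructed batch."""
    _, log = run_retention(sample_records(), NOW)
    return {d.record_id: d.action for d in log}


if __name__ == "__main__":
    for d in run_retention(sample_records(), NOW)[1]:
        print(f"{d.record_id:10} {d.action:14} {d.reason}")
```

Running the script prints one decision per record. Two design choices matter for a health platform: a record under legal hold is kept even when its window has expired, because Section 8(7) allows retention that the law requires, and a record whose category has no declared window is sent to review rather than kept indefinitely by default, since "no policy" is how browsing and search data end up retained forever.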

How Does Your Policy Compare?

🔍 Run Your Free DPDP Audit →

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
