The notification of the Digital Personal Data Protection (DPDP) Act, 2023, and the subsequent Digital Personal Data Protection Rules, 2025, mark a tectonic shift in India’s privacy jurisprudence. The Act's implementation in the health insurance sector exposes a striking structural tension. The industry’s core model, which relies on exhaustive disclosures at various stages, now has to be reconciled with a legal framework that demands a much narrower, purpose-specific approach to data. At the heart of this conflict lie two cardinal principles of data protection: data minimisation and purpose limitation.
For an industry where more data has traditionally meant fairer risk pricing and more sustainable coverage, the DPDP Act’s imposition of data minimisation and purpose limitation demands a radical contraction of data appetites.
The objective here is to assess critically:
how the principles of data minimisation and purpose limitation operate under the DPDP Act,
why they pose structural challenges for the health insurance industry, and
what modifications insurers may need to undertake to remain compliant without undermining actuarial accuracy.
The DPDP Act embeds data minimisation and purpose limitation as core obligations of a data fiduciary.
Data minimisation demands a forward-looking assessment: what categories of data are strictly necessary to achieve the articulated purpose?
Purpose limitation, in turn, requires clarity at the point of collection about why the data is being gathered and imposes a prohibition on function creep or the gradual expansion of data use beyond its original justification.
These principles are reinforced by the requirement that consent be informed, specific, and unambiguous, and that processing beyond the stated purpose is impermissible unless justified by law.
In theory, these principles are uncontroversial. In practice, however, they are seemingly ill-suited to business models that rely on probabilistic assessment, long-tail risk evaluation, and retrospective analysis - all of which are hallmarks of the health insurance industry.
Under the pre-DPDP regime, governed largely by the IT (SPDI) Rules, 2011, and IRDAI’s regulations, health insurers enjoyed significant latitude. Proposal forms were often expansive, capturing not just medical history but lifestyle habits, genetic predispositions, and even social identifiers under the umbrella of ‘underwriting necessity’.
The DPDP Act terminates this era of data abundance through Section 6(1). It mandates that consent must be ‘free, specific, informed, unconditional, and unambiguous.’ Crucially, it stipulates that consent is valid only for personal data that is necessary for the specified purpose. This ‘necessity test’, coupled with the requirement of specific consent, effectively outlaws the industry-standard ‘bundled consent,’ where a policyholder’s agreement to buy insurance is inextricably linked to their data being used for marketing, profiling, or sharing with third-party wellness partners.
The most significant legal friction arises in the underwriting process, particularly in the process of premium fixation. Actuarial science relies on the ‘law of large numbers’ and granular data points to prevent adverse selection.
The sector now faces a deadlock. Insurers assert that exhaustive disclosures, ranging from BMI to familial chronic history, are indispensable for equitable premium calibration. The DPDP Act, however, entitles data principals to withhold data that is not necessary for the specified purpose (mental health history sought for a physical disability cover, for instance), which raises the question whether an insurer can lawfully decline a risk because of a privacy-led refusal.
Data-collection stage: Health insurers operate within a dense and fragmented data ecosystem. At the proposal stage, insurers collect personal data relating to age, gender, medical history, pre-existing conditions, family history, lifestyle habits, and occupation. Purpose limitation poses an even more complex challenge here, because health insurance data is rarely processed for a single, static purpose: data collected for underwriting may later be used for claims assessment, fraud analytics, portfolio risk management, reinsurance negotiations, or internal research.
Data-flow stage: During the policy term, data continues to flow through cashless hospitalisation requests, pre-authorisation forms, diagnostic reports, discharge summaries, and third-party administrator (TPA) communications. Post-claim, data may be retained for audit, fraud detection, litigation defence, regulatory reporting, and actuarial recalibration.
Additionally, the sector increasingly relies on data sharing arrangements with hospitals, TPAs, reinsurers, analytics vendors, and wellness service providers, all of which often exceed the narrow data processing limits envisioned by the DPDP Act. Each node in this chain processes personal and sensitive health data, often under broadly worded contractual purposes such as ‘policy administration,’ ‘risk management,’ etc.
The traditional industry practice of relying on expansive consent clauses may no longer suffice, given the Act’s emphasis on specificity and transparency. Under a strict reading of data minimisation and purpose limitation, many of these practices become legally vulnerable.
In the absence of regulatory guidance, insurers face the risk that such secondary uses may be characterised as unlawful processing.
Non-compliance with data minimisation and purpose limitation is not merely a theoretical concern. The DPDP Act empowers the Data Protection Board to impose significant financial penalties for breaches, with insurers potentially vulnerable to higher penalties given the nature of data and the processing involved. In addition, insurers face reputational risk and the possibility of consumer litigation, particularly where data misuse intersects with claim repudiation or premium escalation.
Given that health insurers process high-volume and high-sensitivity data (medical records, genomic data and financial information), many are likely to be notified as Significant Data Fiduciaries by the Central Government under Section 10 of the Act, which brings additional obligations such as appointing a Data Protection Officer based in India, engaging an independent data auditor and conducting periodic Data Protection Impact Assessments. For these entities, the compliance burden shifts from standard care to heightened accountability. Compliance therefore cannot be achieved through cosmetic changes to consent forms alone; a deeper recalibration is required.
I. Consent and transparency best practices
Since consent must be specific, informed, and unconditional, insurers must move away from "all-or-nothing" terms.
Layered privacy notices: Use a brief summary for key points (data type, purpose, transfer rights) followed by a detailed notice.
Language inclusivity: Provide notices in English and the relevant Eighth Schedule languages (e.g., Hindi, Bengali, Marathi) based on the customer's region.
Unbundled opt-ins: Use separate checkboxes for different purposes. Buying a policy (Purpose A) cannot be conditional on agreeing to marketing calls (Purpose B).
The mirror withdrawal: Ensure the process to withdraw consent is as simple as the process to give it (e.g., a one-click ‘Revoke’ button in the app if they signed up via a one-click ‘Accept’).
II. Data minimisation and purpose mapping
Insurers must justify every data point they collect to pass the Necessity Test.
The purpose-to-data matrix: Create an internal register mapping every data field collected to a specific legal or contractual purpose. If a field doesn't map to ‘Underwriting,’ ‘Claims,’ or ‘Legal Obligation,’ then one must stop collecting it.
Dynamic proposal forms: Use Smart Forms that only trigger sensitive medical questions if a primary condition is disclosed, rather than asking everyone for exhaustive family medical history by default.
No speculative collection: Avoid collecting data just in case it might be useful for future AI modelling unless there is specific consent for research.
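The purpose-to-data matrix and the unbundled opt-ins in Sections I and II are easiest to keep honest when they are enforced in code rather than in a spreadsheet. The following is an added example, not code from the article or from any insurer: a register that maps each field to the purposes justifying it, a collection step that applies the necessity test, and a consent record in which buying the policy grants only the core purposes, marketing needs its own opt-in, and withdrawal is a single call. The field names, purpose labels, the core/optional split and the sample submission are all constructed assumptions.

```python
"""Purpose-to-data register with unbundled, revocable consent.

Added example for the 'purpose-to-data matrix' and 'unbundled opt-in'
practices above. Field names, purposes and the sample submission are
constructed for illustration and are not taken from any insurer's forms.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed register: each field an insurer collects, mapped to the purposes
# that justify it. A field absent from the register has no documented
# necessity and is refused at collection time.
PURPOSE_REGISTER: Dict[str, FrozenSet[str]] = {
    "name":           frozenset({"underwriting", "claims", "legal_obligation"}),
    "date_of_birth":  frozenset({"underwriting", "claims"}),
    "contact_phone":  frozenset({"claims", "marketing"}),
    "pre_existing":   frozenset({"underwriting", "claims"}),
    "family_history": frozenset({"underwriting"}),
    "smoker":         frozenset({"underwriting"}),
}

# Assumed split: purposes granted by buying the policy (the article's
# 'Purpose A') versus purposes that need their own opt-in ('Purpose B').
CORE_PURPOSES = frozenset({"underwriting", "claims", "legal_obligation"})
OPTIONAL_PURPOSES = frozenset({"marketing", "research"})


class CollectionError(ValueError):
    """Raised when a form tries to collect a field with no registered purpose."""


def minimise(submitted: Dict[str, object], purpose: str) -> Tuple[Dict[str, object], List[str]]:
    """Apply the necessity test at collection.

    Returns (kept, dropped): the fields the register justifies for `purpose`,
    and the names of submitted fields discarded because they are not necessary
    for it. Fields unknown to the register are rejected outright.
    """
    unknown = sorted(set(submitted) - set(PURPOSE_REGISTER))
    if unknown:
        raise CollectionError(f"no registered purpose for fields: {unknown}")
    kept = {f: v for f, v in submitted.items() if purpose in PURPOSE_REGISTER[f]}
    dropped = sorted(set(submitted) - set(kept))
    return kept, dropped


@dataclass
class ConsentRecord:
    """Per-principal record of the purposes consented to. Optional purposes are
    never implied by the core ones and can be withdrawn with one call."""
    principal_id: str
    purposes: Set[str] = field(default_factory=set)

    def grant_policy_purchase(self) -> None:
        # Buying the policy grants only the core purposes, nothing else.
        self.purposes |= set(CORE_PURPOSES)

    def grant(self, purpose: str) -> None:
        if purpose not in CORE_PURPOSES | OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.purposes.add(purpose)

    def withdraw(self, purpose: str) -> None:
        # Mirror withdrawal: as simple as granting it was.
        self.purposes.discard(purpose)


def can_process(consent: ConsentRecord, purpose: str, fields: Iterable[str]) -> Tuple[bool, str]:
    """Gate a processing operation on (a) consent for this purpose and
    (b) the register listing this purpose for every field touched."""
    if purpose not in consent.purposes:
        return False, f"no consent for purpose {purpose!r}"
    unjustified = sorted(f for f in fields if purpose not in PURPOSE_REGISTER.get(f, frozenset()))
    if unjustified:
        return False, f"purpose {purpose!r} is not registered for: {unjustified}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed proposal submission: the phone number is not needed for
    # underwriting and is dropped even though the form supplied it.
    form = {"name": "A. Sharma", "family_history": "none", "contact_phone": "+91-00000-00000"}
    print(minimise(form, "underwriting"))
    c = ConsentRecord("P-001")
    c.grant_policy_purchase()
    print(can_process(c, "marketing", ["contact_phone"]))   # refused: no opt-in
    c.grant("marketing")
    print(can_process(c, "marketing", ["contact_phone"]))   # allowed
    print(can_process(c, "marketing", ["pre_existing"]))    # refused: not a marketing field
    c.withdraw("marketing")
    print(can_process(c, "marketing", ["contact_phone"]))   # refused again
```

The two checks in can_process are deliberately independent: consent for marketing does not let marketing touch a medical field, and a field being registered for marketing does not help once the opt-in has been withdrawn. Loading PURPOSE_REGISTER from the same document the legal team maintains as the purpose-to-data matrix keeps the code and the register from drifting apart.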
III. Contractual safeguards
Because the data fiduciary remains responsible under Section 8(1) of the Act for any processing carried out on its behalf by a data processor, irrespective of any agreement to the contrary, contracts must be robust.
The flow-down principle: Explicitly state in contracts that the Processor (e.g., a TPA or Cloud Provider) must adhere to the same DPDP standards as the Data Fiduciary/Insurer.
Mandatory breach reporting: Require Processors to notify of a potential breach within a specific, tight window (e.g., 2–4 hours) so that the IRDAI 6-hour incident-reporting deadline can be met and the fiduciary can make its own breach intimation to the Data Protection Board and affected data principals as required under the DPDP Rules.
Unlimited indemnity for breaches: Negotiate Unlimited Liability or regulatory penalty-linked thresholds for data breaches caused by the vendor's gross negligence, as regulatory fines can reach ₹250 Crore.
IV. Technical and organisational measures
Data siloing: Restrict access so that a marketing executive cannot see a policyholder's diagnostic reports even where they can see contact details; each role should see only the fields its task requires.
Anonymisation for analytics: If using data for actuarial trends, use anonymised or aggregated datasets. These fall outside the Act's definition of ‘personal data’ only to the extent that the individual is no longer identifiable from them; aggregation by itself does not guarantee that (a cell containing one or two policyholders with a rare diagnosis in a small age band can still identify them), so re-identification safeguards such as suppressing small groups are needed.
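To make the two measures above concrete, here is an added example (not the article's or any insurer's code) of a deny-by-default role view that projects a policyholder record onto the fields a role may see, and an actuarial aggregation that counts claims per age band and diagnosis while suppressing cells below a minimum size. The roles, field lists, the 10-year age bands, the suppression threshold of five and the sample records are all constructed assumptions; the threshold in particular is illustrative and is not prescribed by the Act.

```python
"""Role-scoped views over policyholder records and small-cell-suppressed
aggregates for actuarial analytics.

Added example for the 'data siloing' and 'anonymisation for analytics'
measures above. Roles, fields, age bands, the suppression threshold and the
sample records are constructed assumptions.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed allow-lists: a role sees only the fields its task needs, and a
# role that is not listed sees nothing.
ROLE_VIEWS: Dict[str, FrozenSet[str]] = {
    "marketing":       frozenset({"policy_id", "name", "contact_phone"}),
    "claims_assessor": frozenset({"policy_id", "name", "contact_phone",
                                  "age", "diagnosis", "discharge_summary"}),
    "actuary":         frozenset(),   # works only on aggregates, never on rows
}


def view_for(role: str, record: Dict[str, object]) -> Dict[str, object]:
    """Project a record onto the fields the role is allowed to see."""
    allowed = ROLE_VIEWS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def age_band(age: int) -> str:
    """Coarsen an exact age into a 10-year band, e.g. 31 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def actuarial_counts(records: Iterable[Dict[str, object]],
                     min_cell: int = 5) -> Tuple[Dict[Tuple[str, str], int], List[Tuple[str, str]]]:
    """Count claims per (age band, diagnosis) and suppress cells smaller than
    min_cell: a cell of one or two people is still identifying without names.
    Returns (published cells, suppressed cell keys)."""
    counts = Counter((age_band(int(r["age"])), str(r["diagnosis"])) for r in records)
    published = {cell: n for cell, n in counts.items() if n >= min_cell}
    suppressed = sorted(cell for cell, n in counts.items() if n < min_cell)
    return published, suppressed


# Constructed sample claims: six similar diabetes claims in their thirties and
# two cardiac claims in their forties (a cell too small to publish).
SAMPLE_RECORDS = [
    {"policy_id": f"H-{i:03d}", "name": f"Holder {i}",
     "contact_phone": f"+91-00000-0000{i % 10}", "age": age, "diagnosis": dx,
     "discharge_summary": "constructed summary"}
    for i, (age, dx) in enumerate([(31, "diabetes")] * 6 + [(44, "cardiac"), (47, "cardiac")])
]


if __name__ == "__main__":
    print(view_for("marketing", SAMPLE_RECORDS[0]))        # no diagnosis visible
    print(view_for("claims_assessor", SAMPLE_RECORDS[0]))  # full clinical view
    print(actuarial_counts(SAMPLE_RECORDS))                # cardiac cell suppressed
```

The projection in view_for is the enforcement point; putting it in the data-access layer rather than in each screen means a new report cannot accidentally widen what a role sees. Small-cell suppression is one of several re-identification safeguards and is shown here because it is the simplest to reason about for a published trend table.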
V. Protection of minors
Health insurance often involves family floaters with children's data.
Verifiable parental consent: Implement mechanisms to verify that the person providing a child's data is indeed the parent or legal guardian.
Tracking prohibition: Ensure that ‘Wellness Apps’ that track steps or heart rates automatically disable behavioural tracking and targeted advertising for any user registered as a minor.
The principles of data minimisation and purpose limitation strike at the heart of the health insurance business model. What was once justified as prudent risk management now faces scrutiny as potential overreach.
The DPDP Act signals a shift: personal data, even in the context of insurance, is not an inexhaustible resource to be mined, but a regulated asset to be handled with restraint. In the absence of a GDPR-style classification where health data is treated as a 'special category’, the DPDP Act leaves health insurers to navigate the daunting task of aligning general data protection principles with the operational requirements of the insurance sector.
Compliance for the health insurance sector is not merely an exercise in regulatory box-ticking, but demands a fundamental mindset pivot towards the protection of data principals’ rights.
About the authors: Davis Kanjamala and Vaishnavi Viswanathan are Partners and Viswanathan G is a Director at Viswanathan & Associates.
Disclaimer: The opinions expressed in this article are those of the author. The opinions presented do not necessarily reflect the views of Bar & Bench.