The “Right to Erasure” Paradox: Navigating the Conflict Between DPDP Act and Clinical Retention Rules

The Executive Summary

With the Digital Personal Data Protection (DPDP) Act fully operational as of late 2025, hospitals are now classified as “Data Fiduciaries.” The most challenging aspect of this new regime is the patient’s Right to Erasure (Section 12). A critical legal dilemma arises when a patient demands the deletion of their medical records, while the Clinical Establishments Act and NMC Regulations mandate their preservation. This advisory outlines the legal reconciliation of these conflicting mandates.

1. The Legal Conflict Defined

| The Mandate | The Provision | The Implication |
|---|---|---|
| DPDP Act, 2023 | Section 12(3): A Data Principal (Patient) has the right to request the erasure of their personal data. | Patients can theoretically demand you delete their history to hide a diagnosis. |
| NMC Regulations | Regulation 3.X: RMPs/Hospitals must maintain inpatient records for 3 years (or more depending on state rules). | Deleting data prematurely is professional misconduct. |
| Consumer Protection | Limitation Period: Patients can file negligence suits up to 2 years from the “cause of action.” | Deleting records leaves the hospital defenseless in court. |

2. The Solution: The “Override” Clause

Section 17(2)(a) of the DPDP Act provides the necessary shield. It states that the “Right to Erasure” does not apply if the retention of data is “necessary for the purpose of enforcing any legal right or claim.”

The Strategy for Hospitals:

You must categorize your data not by “Patient Request,” but by “Statutory Lifecycle.”

  • Zone A (Active Treatment): Erasure is impossible; data is needed for medical service (Section 6).
  • Zone B (The Retention Window): Erasure requests must be formally rejected citing the Clinical Establishments Act.
    • Action: Issue a “Notice of Retention” to the patient explaining that the law prohibits deletion until [Year].
  • Zone C (Post-Retention): Once the statutory period (e.g., 3-5 years) is over, you must delete the data unless you can prove a specific ongoing legal threat.
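As an added illustration (not part of this advisory), the three-zone lifecycle above written as a single decision function that an erasure-request workflow could call. `RecordContext`, `retention_years` and `legal_claim_open` are assumed names; the 3-year default is the NMC baseline cited in the table, and the `legal_claim_open` flag stands in for the Section 17(2)(a) override.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class RecordContext:
    """Facts the hospital holds about one patient record (hypothetical model)."""
    patient_id: str
    discharge_date: Optional[date]      # None while treatment is still active (Zone A)
    retention_years: int = 3            # NMC baseline from the table; state rules may raise it
    legal_claim_open: bool = False      # an ongoing suit or claim: Section 17(2)(a) override


def retention_until(ctx: RecordContext) -> date:
    """First day on which the statutory retention window has ended, counted from discharge.
    A 29 February discharge rolls to 28 February when the target year is not a leap year."""
    d = ctx.discharge_date
    try:
        return d.replace(year=d.year + ctx.retention_years)
    except ValueError:
        return d.replace(year=d.year + ctx.retention_years, day=28)


def classify_erasure_request(ctx: RecordContext, today: date) -> Tuple[str, str, str]:
    """Return (zone, decision, reason) for an erasure request received on `today`.
    The reason is the text to keep in the audit log and, for rejections, to put in
    the Notice of Retention sent to the patient."""
    if ctx.discharge_date is None:
        return ("Zone A", "REJECT",
                "Active treatment: data is needed to provide the medical service (Section 6).")
    until = retention_until(ctx)
    if today < until:
        return ("Zone B", "REJECT",
                f"Notice of Retention: statutory retention runs until {until.isoformat()}.")
    if ctx.legal_claim_open:
        return ("Zone C", "REJECT",
                "Retention necessary to enforce a legal right or claim (Section 17(2)(a)).")
    return ("Zone C", "ERASE",
            "Statutory period over and no ongoing legal claim: erase and record the erasure.")


if __name__ == "__main__":
    # Constructed sample requests, all evaluated as of 1 January 2026.
    today = date(2026, 1, 1)
    for ctx in (RecordContext("P-001", None),
                RecordContext("P-002", date(2024, 6, 1)),
                RecordContext("P-003", date(2020, 2, 29), legal_claim_open=True),
                RecordContext("P-004", date(2021, 3, 15))):
        print(ctx.patient_id, *classify_erasure_request(ctx, today))
```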

3. The “Vendor Risk” Trap (Vicarious Liability)

Under the DPDP Act, your hospital is liable for the data leaks of your Data Processors.

  • Who are your Processors? The external pathology lab, the TPA (Insurance) desk, and your cloud software provider.
  • The Risk: If your pathology lab leaks a patient’s HIV status, you (the Data Fiduciary) pay the fine (up to ₹250 Crore).

Compliance Checklist for Vendor Contracts:

[ ] Data Siloing: Does the vendor delete the data after sending the report, or do they mine it for their own research? (The latter is now illegal without separate consent).

4. Operational Change: The “Verifiable Consent” Manager

The era of “Implied Consent” (walking into a clinic = consent) is over for data processing.

New Requirement: You need a digital “Consent Manager” system where patients can:

  • View exactly what data you hold.
  • Give granular consent (e.g., “Yes to treatment, No to marketing”).
  • Withdraw consent with a single click.