Compliance
DPDP Act 2023 and employee wellbeing data: what HR must know
23 April 2026 · 7 min read · AhaTherapy team

What the DPDP Act actually requires
The DPDP Act 2023 governs the processing of digital personal data in India. It rests on a few principles that matter directly for wellbeing programmes. The first is consent. Personal data should generally be processed only after the individual, called the data principal, has given free, specific, informed, unconditional and unambiguous consent, accompanied by a clear notice of what you collect and why. The Act does allow some processing without consent, including certain employment-related purposes, but a programme that asks people about their mental health should not lean on that exception: run it on explicit, separate consent. Consent bundled into a forty-page employment contract is exactly the kind of thing the Act is designed to discourage.
The second is purpose limitation. You collect data for a stated purpose and you use it only for that purpose. If an employee shares mood data so a wellbeing app can suggest support, that data cannot quietly become an input to a performance review or a promotion decision. The third is the set of data principal rights: people can ask what you hold about them, ask for corrections, and in defined circumstances ask for erasure. A wellbeing vendor that cannot service a deletion request is a liability you are carrying on your own books.
There is also a real obligation around security and accountability. As the organisation deciding why and how the data is processed, you sit in the role of a data fiduciary; the vendor is a data processor acting on your behalf, and you remain answerable even when it does the actual processing. Picking a careless vendor does not transfer the risk away from you. It just hides it.
Why health data is a special category of risk
Not all personal data carries the same weight. A work email address leaking is an annoyance. The fact that a named employee is in therapy for depression leaking is the kind of event that ends trust, careers and sometimes the programme itself. Mental health information sits at the intersection of stigma, livelihood and law, which is why most serious data regimes treat it with heightened care and why you should too, regardless of the precise letter of any single clause.
Indian workplace realities sharpen the point. Wellbeing data often travels alongside identifiers you are already legally required to keep: PF and ESIC numbers, salary bands, shift rosters, tax records. The temptation to join these tables is enormous and almost always a mistake. The instant a counselling record can be linked to a PF number, you have built a file that can follow someone for their entire working life.
Shift work, contract staff and multi-site operations add more edges. An employee on a night shift at a single-team site is far easier to re-identify from a stress report than someone in a thousand-person head office. Sensitivity is not just about the field you store. It is about how easily that field can be traced back to one human being.
~12 billion working days estimated lost worldwide each year to depression and anxiety, per WHO and ILO
~US$1 trillion in lost productivity each year from depression and anxiety, per WHO and ILO estimates
About US$4 returned per US$1 spent on scaled-up treatment of depression and anxiety, per a WHO-led study in The Lancet Psychiatry (2016)
3 dimensions of burnout in WHO ICD-11: exhaustion, mental distance or cynicism, and reduced professional efficacy
See what safe reporting looks like before you trust anyone with the data
This is the test for any wellbeing dashboard: it should tell you where the organisation needs help without ever pointing at a person. Try the interactive wellbeing index and watch how findings stay at the cohort level. Notice that you can read the signal for a department or a site, but you can never drill down to a name. That boundary, built in rather than promised, is what separates insight from surveillance.
[Interactive demo: a sample Q2 2026 dashboard, anonymised at cohort-of-10+, showing team wellness, team engagement, attrition risk and session counts, with a wellbeing breakdown, engagement over time and a by-department view. The figures are illustrative; you can drill to a team but never to a person.]
Anonymisation, cohort-of-10 and data residency
The practical defence against wellbeing reporting becoming surveillance is to make sure HR never sees individual records in the first place. Reporting should be aggregated, and aggregation should respect a minimum cohort size. A common and sensible rule is to suppress any figure that would describe fewer than ten people, often called cohort-of-10 reporting; ten is a convention borrowed from statistical disclosure control, not a number the Act prescribes. If only six people in a team answered a stress survey, the team-level number simply is not shown, because at that size anyone who knows the team can work out how individuals answered. Suppression also has to cover figures that can be derived: if the department total and every sub-team but one are published, the missing sub-team is the department minus the rest, so either the parent total or a second sub-team has to be withheld as well.
Anonymisation has to be more than dropping the name column. Combinations of attributes that are individually harmless, department, location, tenure, gender, can re-identify a person even with no direct identifier present; the only woman in a small finance team is identified by two columns. Genuine anonymisation tests whether any reasonable combination of fields can single someone out and collapses categories until every combination that appears covers at least the minimum cohort, which is what the privacy literature calls k-anonymity, with k the cohort size. Even then, a cohort whose members all answered the same way reveals that answer for each of them, so the values need checking as well as the headcount. Ask your vendor to describe, in concrete terms, how they prevent re-identification, not merely that they remove names.
Data residency is the third leg. Know where the data physically lives, which sub-processors touch it, and whether it leaves India. You do not need to become a network engineer, but you do need a clear, written answer, because under the DPDP regime you remain accountable for the chain of processing even when it runs through someone else's cloud.
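As an added example of the two rules above (cohort-of-10 suppression including derived figures, and collapsing attribute combinations that single someone out), here is a small Python script over constructed survey records. It is not the page's code and not Aha's product code; the Record fields, the department and site labels, the sample values and the threshold are this example's own assumptions.

```python
"""Cohort-of-10 suppression and a re-identification check over constructed records.
Added example, not the page's or Aha's code; fields, values and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, replace
from statistics import mean

MIN_COHORT = 10          # the page's cohort-of-10 rule: a convention, not a statutory number
TENURE = ("<1y", "1-5y", ">5y")
GENDER = ("F", "M")
# Quasi-identifiers, most general first; generalise() drops from the right.
QUASI_IDENTIFIERS = ("department", "site", "tenure_band", "gender")

@dataclass(frozen=True)
class Record:
    department: str
    site: str
    tenure_band: str
    gender: str
    stress: int          # the sensitive value, 0-100

@dataclass(frozen=True)
class Cell:
    n: int
    mean_stress: float
    published: bool      # False: HR sees "suppressed", with no n and no mean

def constructed_records():
    """Constructed sample responses (not real data)."""
    recs = []
    for i in range(24):  # Engineering, Pune head office: large, mixed cohort
        recs.append(Record("Engineering", "Pune", TENURE[i % 3], GENDER[i % 2], 40 + (i * 7) % 30))
    for i in range(12):  # Operations, Pune day shift
        recs.append(Record("Operations", "Pune", TENURE[i % 2], GENDER[i % 2], 55 + (i * 5) % 20))
    for i in range(4):   # Operations, Nagpur night site: one small team
        recs.append(Record("Operations", "Nagpur", "1-5y", GENDER[i % 2], 70 + i))
    for i in range(11):  # Finance, Chennai: ten men and one woman
        recs.append(Record("Finance", "Chennai", TENURE[i % 3], "F" if i == 0 else "M", 50 + i))
    return recs

def group_by(records, fields):
    groups = defaultdict(list)
    for r in records:
        groups[tuple(getattr(r, f) for f in fields)].append(r.stress)
    return groups

def is_k_anonymous(records, fields, k=MIN_COHORT):
    """True when every combination of `fields` that occurs covers at least k people."""
    return all(len(v) >= k for v in group_by(records, fields).values())

def singled_out(records, fields):
    """Attribute combinations that match exactly one person: a name in all but name."""
    return sorted(key for key, v in group_by(records, fields).items() if len(v) == 1)

def generalise(records, fields=QUASI_IDENTIFIERS, k=MIN_COHORT):
    """Collapse categories from the most specific end until the breakdown is k-anonymous."""
    fields = tuple(fields)
    while fields and not is_k_anonymous(records, fields, k):
        fields = fields[:-1]
    return fields

def report(records, fields, k=MIN_COHORT):
    """Primary suppression: a cell is published only if it describes at least k people."""
    return {key: Cell(len(v), mean(v), len(v) >= k) for key, v in group_by(records, fields).items()}

def _siblings(cells):
    by_parent = defaultdict(list)  # parent key = child key without its last field
    for key in cells:
        by_parent[key[:-1]].append(key)
    return list(by_parent.values())

def differencing_leaks(cells, k=MIN_COHORT):
    """Suppressed cells a reader can recover as parent total minus published siblings,
    assuming the parent level (for example the department figure) is itself published."""
    leaks = []
    for sibs in _siblings(cells):
        hidden = [s for s in sibs if not cells[s].published]
        if hidden and sum(cells[s].n for s in hidden) < k:
            leaks.extend(hidden)
    return sorted(leaks)

def complementary_suppress(records, fields, k=MIN_COHORT):
    """Primary plus complementary suppression: under each parent, keep hiding the smallest
    published sibling until at least k people sit behind the hidden cells together."""
    cells = report(records, fields, k)
    for sibs in _siblings(cells):
        hidden = sum(cells[s].n for s in sibs if not cells[s].published)
        shown = sorted((s for s in sibs if cells[s].published), key=lambda s: cells[s].n)
        while 0 < hidden < k and shown:
            victim = shown.pop(0)
            cells[victim] = replace(cells[victim], published=False)
            hidden += cells[victim].n
    return cells

if __name__ == "__main__":
    recs = constructed_records()
    print("singled out:", singled_out(recs, ("department", "site", "gender")))
    print("finest safe breakdown:", generalise(recs))
    print("leaks, primary only:", differencing_leaks(report(recs, ("department", "site"))))
    for key, c in sorted(complementary_suppress(recs, ("department", "site")).items()):
        print(key, f"n={c.n} mean={c.mean_stress:.1f}" if c.published else "suppressed")
```

Two things the script makes visible. With primary suppression alone, differencing_leaks reports the four-person Nagpur night site as recoverable from the published Operations total, so complementary_suppress also hides the Pune day shift within Operations (the alternative is to withhold the Operations department figure). And generalise shows that once one small site exists, the finest breakdown that is k-anonymous for the whole organisation is department alone; per-cell suppression lets you keep more detail, at the cost of running the differencing check on every overlapping breakdown (by department, by site, by tenure) against the same totals.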
A short clause to put in your next vendor contract
Require, in writing: HR-facing reporting is aggregated only, with a minimum cohort of ten and suppression below it, including any figure that could be derived by subtracting published sub-groups from a total; no individual-level data is ever exposed to managers or HR; wellbeing data is never joined to PF, ESIC, payroll or performance records; the vendor will service data principal access, correction and erasure requests within a defined window; and data residency plus all sub-processors are named. If a vendor resists any of these, treat the resistance itself as the answer.
“Psychological safety is a belief that one will not be punished or humiliated for speaking up with ideas, questions, concerns, or mistakes.”
Amy Edmondson, on the condition that makes any wellbeing programme actually work
What to demand so reporting never becomes surveillance
Start with consent that an actual person can understand. The notice should say, in plain language, what is collected, why, who can see it and how to withdraw. Withdrawal should be as easy as joining, and it should not quietly punish the employee who chooses it. If using the programme feels risky, people protect themselves by staying away, and a wellbeing service nobody uses helps no one.
Insist on a hard wall between aggregate insight and individual record. The legitimate job of analytics is to tell the organisation where to invest: which sites are carrying the heaviest load, where burnout signals are rising, whether a policy change moved the needle. None of that requires a single name. Amy Edmondson's research on psychological safety, and Google's Project Aristotle, both point the same way: teams perform when people feel safe to be honest, and people are only honest when they are sure their disclosures will not be used against them.
Then ask the awkward questions out loud. Can a manager ever see who flagged a concern? Can this data reach a disciplinary process? What happens to it when someone leaves? A serious vendor will have crisp answers and will have designed the system so the dangerous paths are closed by construction, not by policy you have to trust. Aha builds its wellbeing reporting on exactly this principle, but the principle matters more than any one product: insist on it from whoever you choose.
Frequently asked
Does the DPDP Act 2023 treat employee mental health data differently from other personal data?
The Act applies to digital personal data generally and is built on consent, purpose limitation, security and data principal rights. Unlike the 2011 SPDI Rules under the IT Act, which listed a person's physical, physiological and mental health condition as sensitive personal data, the DPDP Act does not define a separate sensitive category, and the rules made under it continue to evolve. Mental health information should nonetheless be handled with heightened care in practice because of its sensitivity and the real harm that disclosure can cause. The safest posture is to apply the strongest controls, aggregated reporting, strict access limits and clear consent, to all wellbeing data regardless of how any single clause is finally interpreted.
What is cohort-of-10 reporting and why does it matter?
Cohort-of-10 means any reported figure must describe at least ten people, and numbers covering fewer are suppressed. It matters because small-group figures can effectively unmask individuals: in a team of six, anyone who knows who took the survey can work out how one person answered, and comparing a figure before and after a single person joins or leaves reveals that person's entry outright. The same check has to apply to figures that can be derived by subtracting published sub-groups from a published total. Combined with proper anonymisation that guards against re-identification from attribute combinations such as department, site and tenure, a minimum cohort size keeps wellbeing reporting at the level of the organisation rather than the individual.
What should HR demand from a wellbeing vendor under the DPDP Act?
Get four things in writing. First, consent and notice an employee can actually understand, with easy withdrawal. Second, aggregate-only reporting with a minimum cohort of ten and no individual records exposed to managers or HR. Third, a guarantee that wellbeing data is never joined to PF, ESIC, payroll or performance systems. Fourth, the ability to service access, correction and erasure requests, plus named data residency and sub-processors. As the data fiduciary you stay accountable for the vendor's processing, so vague answers are a real risk to you, not just to them.
Can wellbeing data ever be used in performance reviews or disciplinary decisions?
No, and designing the system so it cannot is the point. Purpose limitation under the DPDP Act means data collected to offer support should not be repurposed for evaluation. Beyond the legal argument, the practical one is decisive: the moment employees suspect that mood entries or counselling activity could surface in a review, they stop using the programme honestly, which destroys both its value and the psychological safety it depends on. Keep a hard, structural wall between support data and any HR decision-making process.
Aha for Work is a whole-person employee wellbeing platform: clinical mental health, physical health, life skills and financial wellness, with anonymised intelligence HR can act on. Book a consultation →