Sensitive personal data, more fully "sensitive personal data or information" (SPDI), is a category of personal information that receives heightened legal protection under Indian law because of the harm its disclosure or misuse can cause. Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) defines the category to cover passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.
Legal definition
Rule 3 of the SPDI Rules, 2011 provides an exhaustive list of categories that constitute sensitive personal data or information:
Rule 3 — Sensitive personal data or information: Sensitive personal data or information of a person means such personal information which consists of information relating to —
(i) passwords; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
Exclusion: The Rules expressly exclude any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005, or any other applicable law.
Rule 2(1)(b) separately defines "biometrics" as the technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA, for authentication purposes.
The Digital Personal Data Protection Act, 2023 (DPDP Act) takes a different approach. It does not create a separate category of "sensitive personal data"; all personal data is governed under a single framework. Section 10 allows the Central Government to notify a data fiduciary as a "Significant Data Fiduciary" on the basis of factors such as the volume and sensitivity of the personal data it processes and the risk to the rights of data principals, and attaches additional obligations to that status, but the Act does not carry forward the Rule 3 taxonomy. Until the DPDP Act and the rules under it are brought fully into force, the SPDI Rules continue to apply.
How courts have interpreted this term
Justice K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1]
The Supreme Court (nine-judge bench) in the landmark right to privacy judgment held that informational privacy is a fundamental right under Article 21 of the Constitution. While the Court did not specifically interpret Rule 3 of the SPDI Rules, it established the constitutional foundation for data protection in India. The Court recognised that certain categories of personal data — particularly health information, financial data, and biometric identifiers — are inherently sensitive and require enhanced protection.
Justice K.S. Puttaswamy v. Union of India (Aadhaar) [(2019) 1 SCC 1]
The Supreme Court (five-judge bench), while upholding the constitutional validity of the Aadhaar scheme, placed significant emphasis on the protection of biometric data. The Court struck down the part of Section 57 of the Aadhaar Act that permitted private entities to use Aadhaar authentication under a contract, reasoning in part that biometric data is sensitive personal information whose collection and processing must be proportionate and confined to legitimate purposes.
Tamil Nadu Aadhaar Case (Madras High Court, 2012)
The Madras High Court, in an early case concerning the Aadhaar programme, held that biometric data and demographic information constitute sensitive personal data and that their collection, storage, and processing must comply with the safeguards prescribed under the SPDI Rules.
Why this matters
The concept of sensitive personal data is the cornerstone of India's existing data protection framework under the IT Act. Every business that handles any of the categories listed in Rule 3 — which includes virtually all financial institutions, healthcare providers, HR departments, and digital platforms — is subject to enhanced obligations regarding collection, storage, processing, disclosure, and security.
For businesses, the practical implications are substantial. A body corporate handling SPDI must: (1) obtain the provider's prior consent, in writing, before collecting sensitive data (Rule 5); (2) collect sensitive data only for a lawful purpose connected with its functions and only to the extent necessary for that purpose (Rule 5); (3) publish a privacy policy describing the data collected, its purpose, disclosure practices and the security practices adopted (Rule 4); (4) not disclose SPDI to a third party without the provider's prior permission except where Rule 6 allows it (Rule 6); and (5) implement reasonable security practices and procedures, for which IS/ISO/IEC 27001 or a code of best practices approved by the Central Government qualifies, and have those practices audited by a government-approved auditor at least once a year or after any significant change to its systems (Rule 8). A body corporate that is negligent in implementing reasonable security practices and thereby causes wrongful loss or wrongful gain is liable to pay compensation to the affected person under Section 43A of the IT Act.
For individuals, understanding what constitutes SPDI helps in exercising their rights. Under Rule 5(7), a provider may withdraw consent to the use of their sensitive data by writing to the body corporate, which may then decline to provide the goods or services for which the data was sought. Under Rule 5(6), the body corporate must allow the provider to review the information they have supplied and to have inaccurate or deficient information corrected or amended where feasible.
The transition from the SPDI Rules to the DPDP Act, 2023 framework represents a shift from a categorisation-based approach (where specific types of data receive enhanced protection) to a rights-based approach (where all personal data receives baseline protection with additional obligations on significant data fiduciaries). Until the DPDP Act rules are fully operationalised, the SPDI Rules remain in force.
Frequently asked questions
What categories of data qualify as sensitive personal data?
Under Rule 3 of the SPDI Rules, sensitive personal data includes: passwords, financial information (bank account, credit/debit card details), physical or mental health conditions, sexual orientation, medical records and history, biometric information (fingerprints, retina scans, facial recognition data, DNA), and any detail relating to these categories provided to a body corporate for service delivery.
Does the DPDP Act, 2023 retain the concept of sensitive personal data?
No. The DPDP Act does not create a separate category of "sensitive personal data." It provides a single framework for all personal data, with additional obligations for Significant Data Fiduciaries, a status the Central Government may assign having regard to factors such as the volume and sensitivity of the data processed and the risk to data principals. The SPDI Rules under the IT Act continue to apply until the DPDP Act and its rules are brought fully into force and supersede them.
Can sensitive personal data be shared with third parties?
Under Rule 6 of the SPDI Rules, a body corporate may not disclose sensitive personal data to a third party without the prior permission of the person who provided the information, unless the disclosure has been agreed to in the contract between the body corporate and that person or is necessary for compliance with a legal obligation. Rule 6 also permits disclosure to a government agency mandated under law that requests it in writing for purposes such as identity verification or the prevention, detection or investigation of offences, and it bars the receiving third party from disclosing the information further.
What is the difference between personal data and sensitive personal data?
Personal data (or personal information under the IT Rules) includes any information relating to a natural person — name, address, phone number, email, etc. Sensitive personal data is a narrower subset of personal data comprising specific categories (passwords, financial data, health data, biometrics, sexual orientation) that receive heightened protection due to the potential for significant harm if misused.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes only; it does not constitute legal advice.