Data-privacy rules for children's health data in India

When a child's developmental data is held with care, families can engage therapy with confidence — privacy is the quiet foundation of trust.

In short

Children's health data in India is governed primarily by the Digital Personal Data Protection Act, 2023 (DPDP Act), which treats children (under 18) as a protected class requiring verifiable parental consent before processing, prohibits tracking, behavioural monitoring and targeted advertising directed at children, and bars processing likely to cause harm. Health data is sensitive in nature, so it attracts heightened duty-of-care from any data fiduciary handling it. Where a digital health tool is a regulated medical device, CDSCO software-as-a-medical-device (SaMD) obligations apply alongside data-protection duties.

The regulatory landscape

• DPDP Act, 2023 — the cornerstone. Anyone processing a child's personal data must obtain verifiable consent from a parent or lawful guardian, process only for clearly stated purposes, and honour rights of access, correction and erasure exercised on the child's behalf. Detrimental processing, behavioural tracking and child-targeted advertising are expressly restricted.
• Data fiduciary obligations — entities must practise purpose limitation, data minimisation, security safeguards, breach notification and retention discipline. Significant data fiduciaries face additional accountability such as data-protection impact assessment and audit duties.
• Sensitive nature of health data — paediatric developmental and clinical data carries elevated risk; responsible custodians apply encryption, access control, de-identification for analytics, and strict role-based handling well beyond a bare legal minimum.
• SaMD overlay (CDSCO) — when a tool meets the definition of a medical device, Medical Device Rules and CDSCO classification apply in parallel; data governance must satisfy both device and privacy regimes.
• Sectoral and ecosystem norms — national digital-health ecosystem frameworks (consent-managed health records) and professional confidentiality expectations reinforce the statutory baseline.

What this means in practice

For any organisation handling children's developmental data, compliance is operational, not merely declarative: verifiable parental consent workflows, transparent purpose statements, de-identified analytics, demonstrable security controls, and clear pathways for guardians to review or withdraw consent. Cross-border transfer, retention limits and breach response should be documented and rehearsed.

The Pinnacle way

A clinical AbilityScore® and any diagnosis are formed only at a Pinnacle Blooms Network centre, under qualified clinician care — never from an app or online form, and the AbilityScore® is a clinician-administered structured assessment. As a CDSCO Class B SaMD operator serving 4.95 lakh+ families across 70+ centres, our data governance is built to honour parental consent, sensitive-data safeguards and child-protective handling by design. Learn [about Pinnacle](/) , how the AbilityScore® is conducted, and how our speech therapy programmes keep family data protected end-to-end.

Trusted sources

WHO guidance on child health and digital health stewardship; WHO ICD framework for clinical classification; national rehabilitation and child-development standards. Statutory authority rests with the DPDP Act, 2023 and CDSCO medical-device rules as applied in India.

Next step — Reviewing how your organisation handles children's developmental data? [Contact the Pinnacle compliance team](/) to discuss safeguards and partnership.

This is general information, not a diagnosis — a clinical AbilityScore® and any diagnosis are formed only at a Pinnacle Blooms Network centre under qualified clinician care.