NDGFP and DPDP Rules 2025: India Sets National Data Standards for Centralized Governance and Secure Data Sharing
SDG 9: Industry, Innovation, and Infrastructure | SDG 16: Peace, Justice, and Strong Institutions
Institutions: Ministry of Electronics and Information Technology (MeitY) | India Data Management Office (IDMO)
Framework for Non-Personal Data
The Ministry of Electronics and Information Technology (MeitY) has notified the draft National Data Governance Framework Policy (NDGFP) and the Digital Personal Data Protection (DPDP) Rules 2025.
The Draft NDGFP aims to establish a uniform, national standard for data management across all government ministries and entities. This framework is designed to address the challenge of digital government data being managed in “differing and inconsistent ways” across various entities, which hinders the efficacy of data-driven governance.
The policy’s core innovation is the creation of the India Data Management Office (IDMO), which will serve as the nodal agency responsible for framing, managing, and periodically reviewing the policy. The IDMO’s primary function is to accelerate data-led research and the AI ecosystem by establishing the India Datasets Program, which securely shares anonymized non-personal data from both government and private entities. A significant policy shift is the omission of the monetization clause found in previous drafts, ensuring data access is solely for public good and innovation. This framework mandates the creation of Data Management Units (DMUs) within every Ministry/Department for implementation.
Policy Connection: Operationalizing Personal Data Protection
The NDGFP’s credibility for sharing anonymized data is critically enabled by the separate Digital Personal Data Protection (DPDP) Rules 2025, which establish the secure legal architecture for all personal data. Key operational rules include:
Consent and Control: The DPDP Rules establish a system of Consent Managers to manage, record, and revoke the informed and explicit consent of the Data Principal (individual) electronically, ensuring user control and transparency.
Security and Enforcement: The Rules mandate that Data Fiduciaries (entities controlling data) implement reasonable security safeguards, including encryption and access control, and obligate prompt notification of data breaches to affected individuals and the Data Protection Board.
Regulator and Rights: The Data Protection Board is established as the regulator and adjudicator, overseeing the enforcement of data processing standards for government subsidies and benefits, protecting the rights of data principals (access, correction, deletion), and imposing penalties for non-compliance.
The government has also notified the commencement of key provisions of the DPDP Act. Sections 18 to 26, which establish the Data Protection Board and define its powers, apply from 13 November 2025. Other obligations will come into effect over the next 18 months.
What the Draft National Data Governance Framework Policy Means for Citizens
1. Stronger Rights Over Personal Data
Citizens get explicit, informed consent control, managed through digital Consent Managers.
Rights to access, correct, delete, and port personal data are protected under DPDP Rules 2025.
Data handlers must use strict security measures and notify individuals and the Data Protection Board of any breach.
2. Better Public Services Through Data Use
The NDGFP aims to improve governance by standardizing and pooling anonymized data for sectors like agriculture, health, justice, and education.
DPDP Rules set clear limits on how personal data can be used for subsidies, benefits, certificates, and licences—adding legal safeguards to welfare delivery.
3. Protection from Data Monetization and Misuse
The draft removes earlier proposals to sell or license public data to private players, keeping government data a public-good asset.
Only anonymized, non-personal data can be shared, overseen by the India Data Management Office (IDMO) to prevent privacy breaches.
The dual framework (NDGFP for non-personal data, DPDP for personal data) is essential for India’s digital future. By simultaneously establishing the IDMO to unlock non-personal data for the AI ecosystem and operationalizing the DPDP Rules to build a legally enforceable trust architecture, India aims to foster innovation while ensuring citizen privacy. The policy challenge lies in ensuring that the IDMO’s centralized control and data anonymization standards are robust enough to prevent the de-anonymization and misuse of data, maintaining the public trust that the entire ecosystem is built upon.
What is the core distinction between “Non-Personal Data” and “Personal Data” under this framework? → Non-Personal Data (NPD) is any set of data that does not contain personally identifiable information and cannot be used to attribute data to an individual. This contrasts with Personal Data, which contains direct or indirect identifiers. The NDGFP is designed to only allow access to anonymized NPD to protect citizen privacy, while maximizing the use of aggregated data (such as data on weather, or anonymized vehicle registration details) for national innovation.
Follow the full update here: Digital Personal Data Protection Rules, 2025

