DPDP Act 2023 Compliance

The Digital Personal Data Protection Act 2023 governs how hospitals collect, process and store personal data. OneCity captures consent at registration with purpose and timestamp, enforces purpose limitation in data access, supports the right to access and erasure, and logs processing activities.

Why it matters

DPDP applies to every hospital that processes digital patient data. Non-compliance exposes the hospital to penalties of up to ₹250 crore under Section 33.

DPDP compliance in OneCity

How OneCity covers it

01. Consent Capture (Sec 6)

Consent is recorded at patient registration with purpose, timestamp and the data principal's acknowledgement. The consent record is auditable.

02. Purpose Limitation (Sec 5)

Data collected for treatment is not repurposed for marketing or research without separate consent.

03. Data Minimisation

Registration and clinical forms collect only what the workflow requires. Optional fields are clearly optional.

04. Right to Access & Erasure (Sec 12-13)

Patients can request their records through the portal. Erasure requests are processed per the Act.

05. Data Breach Notification (Sec 8)

The audit trail supports breach investigation. Notification to the Data Protection Board is an organisational step the system supports with evidence.

Modules involved

Patient Registration, Consent Management, Patient Portal, Audit Trail

Questions

Does OneCity encrypt patient data?

Data at rest and in transit is encrypted per infrastructure configuration. The application enforces access control by role.

Can patients delete their records?

Erasure requests are supported per DPDP Sec 13, subject to retention obligations under other laws (e.g. MTP Act, NABH).

See DPDP compliance in the live system.

Book a walkthrough or start free for up to 5 doctors.