DPDP Board vs RTI Appeal: Which Route to Use? — citizen guide 2026

Since the Digital Personal Data Protection Act 2023 came into force, citizens dealing with government bodies handling their personal data face a new question: which grievance channel applies — the Right to Information Act route, the DPDP Data Protection Board route, or both simultaneously?

Understanding this is critical because the two systems have different purposes, different timelines, and different remedies. Using the wrong one wastes months. Using both strategically can maximise results.

Use the following logic to identify which route applies:

Step 1: Is your grievance about a government body that is a public authority under the RTI Act?

• No → Use DPDP Board (private company, tech platform, etc.)
• Yes → Continue to Step 2.

Step 2: Are you asking for access to government records or information held by that body?

• Yes → Use RTI route (file RTI application; if refused → first appeal → CIC).
• No → Continue to Step 3.

Step 3: Are you complaining that the government body collected, stored, or used your personal data improperly (without consent, beyond the stated purpose, or failed to correct/erase it)?

• Yes → Use DPDP Board route (file complaint with Data Protection Board once operational).
• No → Continue to Step 4.

Step 4: Are you seeking both — records of how the government body processed your data AND accountability for that processing?

• Yes → Use both routes simultaneously or sequentially. The RTI gives you the processing records; the DPDP Board gives you the corrective remedy.

What happened: UIDAI linked your Aadhaar to someone else's bank account. Your gas subsidy and DBT payments went to the wrong account for 8 months.

Which route:

• RTI route: File RTI with UIDAI (Central public authority) seeking the correction-request logs, the audit trail of the wrong linkage, and the current linkage status. This forces UIDAI to produce records.
• DPDP Board route: Once the Board is operational, file a complaint about the incorrect processing of your Aadhaar data (a sensitive personal data category under DPDP) and seek corrective direction + compensation.

Primary route first: RTI — because you need the records to understand what went wrong before you can frame a DPDP complaint.

What happened: Your PSU employer published a list of employees with salary details on an e-procurement portal, visible publicly, without any legal basis.

Which route:

• RTI route: Not directly useful — you are not seeking information, you want information removed.
• DPDP Board route: Primary route. A government-owned PSU is a data fiduciary under DPDP. Publish your complaint with the Board seeking removal of the data and a penalty direction.

What happened: A First Information Report was registered involving you. You seek a copy but the police station refuses.

Which route:

• RTI route: Primary route. The FIR is a government record. File RTI with the SP's office (state public authority). Refusal of your own FIR is well-settled as untenable — see State of UP v Ram Bahadur Yadav line of cases. No DPDP issue here — this is about access to records, not data processing.
• DPDP Board: Not applicable for getting copies of existing government records.

What happened: You underwent treatment at a government hospital. You need your discharge summary for insurance purposes. The hospital refuses citing “personal data”.

Which route:

• RTI route: File RTI with the Medical Superintendent (public authority). Government hospitals are public authorities. Medical records of the patient themselves, sought by the patient, are disclosable (S.8(1)(j) does not exempt a person from getting their own records — the exemption protects third-party privacy).
• DPDP Board: If the hospital shared your medical data with a third party without consent, the Board is the right forum for that specific complaint.

Use RTI first for access; use DPDP Board if access leads you to discover unauthorised sharing.

What happened: A government-private joint portal (say, a skill development scheme portal) leaked your PAN number and income details.

Which route:

• RTI route: File RTI with the government body that was the data controller to understand what happened and what security measures existed.
• DPDP Board: File a complaint against both the government body (as data fiduciary) and the private partner (as data processor) for breach and seek directions + financial remedy.

Yes. There is no bar in either statute against using both routes for the same underlying issue. Many activists recommend:

1. File RTI first (30 days; get the documents).
2. Use the documents to build a detailed DPDP Board complaint.
3. If the government body mishandles either, you have two parallel tracks generating pressure.

The only caveat: do not duplicate your claims for the same relief. If CIC orders disclosure of a document, do not then ask the DPDP Board to order the same document disclosed — that wastes the Board's time and may be seen as forum shopping.

① Confirm the data fiduciary is covered by DPDP — government bodies that “process digital personal data” are covered.

② Establish that you are the data principal (the person whose data was processed).

③ File a formal complaint at the Board's portal (once operational; check meity.gov.in for current status).

④ Include: description of the data processed, the alleged violation, the harm caused, and the relief sought (correction, erasure, compensation, compliance direction).

⑤ The Board may refer the matter to a mediation process first.

⑥ If unsatisfied with the Board's order, appeal to the High Court with jurisdiction.

• RTI application with acknowledgment number
• PIO refusal or deemed-refusal certificate
• First appeal and FAA order
• Any correspondence with the public authority
• Fee payment proof

• Proof of your identity as the data principal
• Evidence of data processing (screenshots, records, notices)
• Evidence of the violation (unauthorised sharing, wrong processing, refusal to correct/erase)
• Any prior grievance filed with the data fiduciary and their response

The DPDP Act 2023 provides for the constitution of the Board by the Central Government. As of May 2026, the Board has been constituted but its complaint-filing portal and full operational framework are still being finalised. Check meity.gov.in for the latest status. For now, RTI remains the more reliably operational route for government-related personal data grievances.

Yes. Once the Data Protection Board is constituted, it will be a public authority under the RTI Act. You can file RTI applications with the Board (or the Ministry of Electronics and Information Technology, which oversees it) to seek documents about your complaint's status, internal procedures, etc.

If CIC does not grant relief and the DPDP Board process is stalled or unsatisfactory, you can approach the High Court by way of a writ petition under Article 226 of the Constitution, seeking mandamus for disclosure or compliance. High Court RTI writ petitions have been successful in forcing both PIOs and CIC to act.

No. The DPDP Act specifically stated in its original draft and the final version that it does not override the RTI Act's disclosure obligations. The S.44(3) amendment to S.8(1)(j) is a surgical change to one provision, not a wholesale override of RTI rights. Courts have confirmed that RTI and DPDP are complementary frameworks.

1. Digital Personal Data Protection Act 2023 (No. 22 of 2023), Sections 3, 14, 18, 25, 28, 44.
2. Right to Information Act 2005, Sections 6, 7, 8(1)(j), 8(2), 19, 20.
3. Ministry of Electronics and Information Technology, meity.gov.in.
4. PRS India, DPDP Act Bill Analysis 2023.
5. Internet Freedom Foundation, DPDP Deep-Dive series.
6. Common Cause v Union of India, (2018) 5 SCC 1 — privacy as fundamental right (Puttaswamy follow-up).

• DPDP × RTI series hub
• S.8(1)(j) before vs after
• CIC orders post-DPDP
• Draft RTI to survive S.8(1)(j)
• All 10 RTI exemptions
• RTI Act 2005 complete guide
• Build your First Appeal →
• AI RTI Drafter →
• AwaazRTI voice interface →