When you offer mental-health support, you're asking people to hand you the most private thing they have: what keeps them up at night. Handled with care, that's an act of trust. Handled carelessly, it's a betrayal — and, increasingly, a legal liability.
For Indian employers, the Digital Personal Data Protection (DPDP) Act, 2023 has turned data privacy from a back-office concern into a board-level one. Here's how it intersects with workplace wellbeing, in plain terms.
This is general information, not legal advice. Check your specific obligations with your legal team.
Why this data is different
All personal data deserves protection. Mental-health information deserves more. Because the moment an employee suspects that what they share might reach their manager, affect an appraisal, or simply leak, they stop sharing. And a program no one trusts is a program no one uses.
Which leads to the most important idea in this whole piece: for a wellbeing program, privacy isn't a feature. It's the product. It's the foundation everything else stands on.
What the DPDP Act means in practice
The Act sets out how organisations must handle the personal data of individuals in India. Without drowning in legalese, a few principles matter most here. Data should be collected for clear, stated purposes, with consent — not quietly repurposed later. You should collect only what you actually need. You must protect it with real security. And you remain accountable for how it's handled — including by the vendors you choose.
That last point is the one HR teams underestimate. When you pick a wellbeing vendor, their data practices become your accountability. Choosing a privacy-serious provider isn't just ethics; it's governance.
The questions to ask any provider
Before you sign with anyone, get clear, unambiguous answers to these:
Is individual data confidential from the employer — can a manager or HR ever see who used the service or what they discussed? (The answer must be a firm no.)
What exactly does the employer dashboard show, and can you see a real sample? It should be aggregated and anonymised — trends, never individuals.
What's the minimum group size before any insight appears, so small teams can't be de-anonymised?
Where is data stored and processed, and how is it secured?
How does the provider align with the DPDP Act, 2023 — consent, retention, deletion?
And what happens to the data if you end the contract?
If a provider gets evasive on any of these, treat it as the serious warning it is.
How a privacy-first program is actually built
Good privacy isn't a paragraph in a policy PDF — it's built into the architecture. In practice that means individual conversations are never exposed to the employer, full stop. Insights only appear above a minimum group size, so no one can be singled out. Anonymisation happens at the source, not as an afterthought. And the people using it are told, clearly, how it all works.
That's the approach Anshap is built around — we call it Privacy by Architecture: DPDP Act, 2023 native, hosted in India by default (AWS Mumbai region), end-to-end encryption, and a minimum cohort size enforced before anything appears on a leadership dashboard — with no identity-linked signals in those dashboards, ever, and conversation content that never leaves the user's own surface. Individual privacy and organisational insight sit on opposite sides of a deliberate wall. You can read the detail on our security page.
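As an added illustration (this is not Anshap's code; the threshold of 5, the group names and the scores are all assumed), here is how a minimum-cohort rule can be enforced when a leadership dashboard asks for per-function stress trends. It also covers the case the plain rule misses: a small group whose figures could be recovered by subtracting every published group from the organisation-wide total.

```python
from collections import defaultdict
from statistics import mean

MIN_COHORT = 5  # assumed threshold; the page says a minimum is enforced but gives no number

# Constructed sample records. Identity is dropped at the source, so only the grouping
# attribute and a self-reported stress score (1-5) ever reach the analytics layer.
SAMPLE = (
    [{"function": "Engineering", "stress": s} for s in (2, 3, 3, 4, 4, 5, 3)]
    + [{"function": "Sales", "stress": s} for s in (4, 4, 5, 5, 4, 3)]
    + [{"function": "Legal", "stress": s} for s in (5, 5)]  # below threshold
    + [{"function": "Finance", "stress": s} for s in (2, 2, 3, 3, 2)]
)


def cohort_report(records, group_key="function", min_cohort=MIN_COHORT):
    """Return aggregated insight per group, suppressing anything below min_cohort.

    A suppressed group is still exposed if the organisation-wide total is shown next
    to every other group: its mean follows by subtraction. So the residual (total
    minus published groups) must be empty or at least min_cohort; if it is not, the
    smallest published group is folded into the residual (complementary suppression)
    until the rule holds. Withholding the overall total would be the other option.
    """
    if not records:
        return {"overall": None, "groups": {}}
    by_group = defaultdict(list)
    for r in records:
        by_group[r[group_key]].append(r["stress"])

    published = {g: v for g, v in by_group.items() if len(v) >= min_cohort}
    total_n = len(records)
    residual_n = total_n - sum(len(v) for v in published.values())
    while 0 < residual_n < min_cohort and published:
        smallest = min(published, key=lambda g: len(published[g]))
        residual_n += len(published.pop(smallest))

    groups = {}
    for g, scores in by_group.items():
        # None means "suppressed": the dashboard shows no figure at all for this group
        groups[g] = (len(scores), round(mean(scores), 2)) if g in published else None
    overall = (total_n, round(mean(r["stress"] for r in records), 2))
    return {"overall": overall, "groups": groups}
```

With the sample above, Legal is suppressed for size, and Finance is suppressed as well because publishing it would let a reader derive Legal's mean from the overall figure.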
You don't have to choose between the two
Here's the misconception worth killing: that protecting individuals means starving HR of useful information. It doesn't. The entire point of aggregation is that you can see the trends — is stress climbing in one function? did a reorg dent morale? — without ever seeing a single person's data. Done well, you get both: people are protected, and you can still act. That's not a compromise. It's just good design.