At a glance
A tax practice — CA-led or independent, income-tax or GST — concentrates clients’ complete financial identities: ITRs, Form 16s, bank statements, investment proofs, collected in a compressed filing season through whatever channel is fastest. All of it is regulated personal data under India’s DPDP Act, and one habit stands out as the sharpest risk: holding clients’ e-filing and GST portal passwords — custody of their entire tax identity. Statutory retention keeps its legal-obligation footing; the seasonal pile beyond it is yours to secure and to shed.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to tax practitioners and GST consultants; it is not formal legal advice.
The situation
Filing season is a data stampede: hundreds of clients’ documents arriving in weeks, over WhatsApp and email, chased by reminders, filed against deadlines, and then — left wherever they landed. Add the trade’s open secret: clients hand over their income-tax portal and GST logins wholesale, because it’s easier than OTP-relay every time. A tax practice ends the season holding more per-client financial data than the client’s own bank — with none of a bank’s systems. The DPDP Act doesn’t care that the season was busy; it regulates the pile that’s left.
Does DPDP apply to a tax practice?
Yes — solo preparer, GST consultant or a CA firm’s tax desk: deciding why and how a client’s data is used makes you a Data Fiduciary. No qualification requirement or firm size changes it: if clients’ PANs, returns and statements flow through your practice, the duties attach — notice at collection, a lawful basis, security safeguards, breach reporting, retention limits, and answerability for your tools (the filing software, the cloud drive, the assistant’s laptop). Independent, non-CA practitioners should hear this clearly: professional-body membership isn’t what triggers the Act, handling personal data is — the unregulated end of the trade gets no unregulated status here.
The client data a tax practice actually holds
The complete financial identity, per client, per year — and it compounds.
- Identity core — PAN, Aadhaar (for e-verification), addresses, family members’ details for joint matters and dependants.
- Income documents — Form 16s, salary slips, bank statements, interest and capital-gains statements, rent receipts, business books for GST clients.
- The returns themselves — filed ITRs with every income source and the mandatory list of all bank accounts; Form 26AS and Annual Information Statement (AIS) pulls showing the client’s financial year as the department sees it.
- Credentials — e-filing portal passwords, GST logins, sometimes net-banking access “for challans”: the category beyond data.
- The archive — all of the above, times every year the client has stayed with you.
The compounding is the point: a ten-year client relationship, handled casually, is a decade of one household’s financial life sitting in inboxes and folders nobody audits.
The obligation that actually bites: credential custody
A client’s portal password isn’t a datum — it’s the keys to every return, every bank account listed in them, and the ability to act as the client; treat credential custody as its own discipline. The habit is universal because the alternative is friction: OTPs relayed on calls, logins re-shared every season. But under the DPDP Act’s security-safeguards duty, the practitioner holding credentials owns what happens through them — and a password spreadsheet on the office desktop, or logins saved in a shared browser, is a breach happening in slow motion. The defensible pattern:
- Prefer the flows that don’t need custody — the e-filing ecosystem’s authorised-representative and e-verification mechanics exist so practitioners can act with authorisation rather than impersonation; use them where they fit.
- Where clients insist on sharing logins, contain it — stored in a proper password manager with per-staff access, never in chats, sheets or browsers; changed by the client after the engagement’s heavy phase; never reused across staff.
- Log who used what, when — if a client’s account is ever misused, your access log is the difference between an answer and a suspicion.
- Say it in the engagement letter — that you hold credentials, how they’re stored, who can use them, and when the client should rotate them. Custody the client understood is professionalism; custody by accumulation is liability.
Where DPDP sits alongside tax law’s own record rules
Tax law forces long memories — the DPDP Act accepts that, and regulates everything the mandate doesn’t cover. The reconciliation is the same as the CA profession’s: income-tax law requires books and records to be kept for years (six years from the relevant assessment year is the general anchor, longer in reopened cases), and holding what a law requires is a recognised legal-obligation ground (Section 7) — no consent needed for that retention. What the mandate doesn’t cover is the rest of the pile: the WhatsApp threads full of statements, the duplicate scans, the prior-year working files past their periods, the ex-client folders. Those follow the ordinary purpose-and-erasure logic — a written retention schedule per record type, with the statutory holds named, is what makes the split real. And the purpose-binding rule has a seasonal edge: a client list built from filings is not a marketing asset — cross-selling insurance or investments to your tax clients uses their data for a new purpose, which needs its own consent.
Common mistakes tax practices make
Filing-season habits, annualised into standing exposure.
- The WhatsApp intake — a season’s worth of statements and Form 16s in chat threads, on the practitioner’s and every assistant’s phone, unrecallable forever.
- The password sheet — client logins in a spreadsheet, a diary, or the browser’s memory; the single worst artefact in the trade.
- The eternal archive — every client year kept forever, statutory periods never mapped, nothing ever deleted.
- Marketing on the client base — filings data repurposed into pitches for loans, insurance or investments without a separate consent.
- Staff churn with data attached — assistants leaving with client files and credentials on personal devices, because intake was personal from the start.
- “I’m not a CA, so the rules aren’t mine” — the Act attaches to the data, not the designation.
Collecting filing documents compliantly
One intake channel, one purpose-marked ask, one post-season cleanup — the filing calendar makes discipline easy to schedule. A single controlled route for documents (a portal or shared vault; at minimum protected files to one address), an ask that names each document and its purpose, and a recurring post-deadline cleanup: file what the engagement needs, delete the chat and inbox strays, rotate any credentials the season required. The ask-and-channel mechanics are shared across professions — see secure client document collection for professionals and the document-request email pattern — and your clients are reading the ITR and Form 16 sharing guides, which tell them to expect purpose-marked, protected handling. A practice that already works that way keeps those clients.
FAQ
Does the DPDP Act apply to independent tax consultants who aren’t CAs?
Yes — the Act attaches to handling personal data, not to professional membership. A solo GST consultant holding client financials carries the same fiduciary duties as a firm.
Can I keep clients’ e-filing and GST passwords?
The safer flows are the authorised-representative mechanics that avoid custody. Where a client still shares logins, contain them: proper password-manager storage, per-staff access, usage logging, rotation after the engagement — and say all of it in the engagement letter.
How long should I keep client tax records?
Statutory retention (six years from the assessment year as the general anchor) is a legal-obligation ground — keep those records for those periods. Everything beyond the mandate — duplicates, chat copies, ex-client files — needs a purpose or a deletion date.
Can I offer my tax clients insurance or investment products?
Only with their separate consent to that use of their data — a client base built from filings is purpose-bound to tax work. The cross-sell itself may be fine; doing it on unconsented filing data is the violation.
What’s the single highest-risk habit to fix first?
Credential storage. A leaked statement is one document; a leaked e-filing password is the client’s entire tax identity and every bank account listed in their returns. Move logins into managed storage this week, then fix the intake channel.