Confidential Dispatch
At a glance

Discovery bundles, witness statements and confidential settlement agreements are some of the most sensitive personal data a law firm handles — and even though this work largely falls under the DPDP Act’s legal-claims exemption, the security-safeguards duty still applies to it. In practice that means the same evidence and agreements a firm already treats as confidential under professional-conduct rules also need controlled-channel handling: access limited to the matter team, encrypted transmission for sensitive bundles, and no discovery documents sitting in a general shared drive or personal inbox.

Educational resource only. This explains the surviving security expectations under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for litigation evidence and confidential agreements; it is not formal legal advice.

The situation

A litigation file accumulates personal data faster than almost any other legal work product — witness statements naming individuals, discovery documents pulled from a client’s systems, medical or financial records entered as evidence, and eventually a confidential settlement agreement naming the parties and terms. Much of this processing sits inside the DPDP Act’s legal-claims exemption. The handling discipline around it doesn’t get to sit inside that exemption too.

What moves through a typical litigation file

  • Discovery and disclosure bundles — often containing a client’s or a third party’s employee records, financial data, or correspondence, pulled in bulk and rarely pre-filtered for sensitivity.
  • Witness statements and depositions — personal accounts, often naming other individuals beyond the witness themselves.
  • Expert reports — sometimes containing medical, financial or technical personal data specific to the matter.
  • Confidential settlement agreements — naming parties, terms, and sometimes financial or health detail, with confidentiality obligations attached by the agreement itself, on top of the DPDP Act.

Why the exemption doesn’t relax handling discipline

Section 17(1) covers processing necessary for enforcing a legal right or claim — it doesn’t extend to how the resulting documents are stored, transmitted or accessed. As covered in the companion piece on client-attorney document security, the security-safeguards duty (Section 8) survives the exemption. A discovery bundle assembled entirely for exempt litigation purposes still needs the same reasonable security a firm would apply to any other sensitive client file — the exemption changes the notice-and-consent obligations around the collection, not the protection owed to the document once it exists.

Step-by-step: handling evidence and agreements securely

  1. Route discovery and evidence intake through one controlled channel — a secure portal or access-controlled folder, not email threads accumulating attachments over months.
  2. Limit access to the matter team. Discovery bundles routinely get shared more broadly than the working team out of convenience — restrict by matter, not by department.
  3. Encrypt or password-protect sensitive bundles before any external transmission — to opposing counsel, experts, or the court, where the format allows it.
  4. Avoid personal devices and personal cloud storage for evidence review, even for convenience during a tight deadline.
  5. Set a deletion point tied to the matter’s conclusion — see the companion retention guide for how long to actually hold the file afterwards.

Digital evidence and chain of custody

A forensic chain-of-custody log is itself personal data — who accessed a piece of evidence and when — and needs the same protection as the evidence it tracks. Most litigation evidence today is digital first: email threads, chat exports, forensic device images pulled from a client’s laptop or phone. Preserving it for court means more than copying files — a defensible chain of custody records who collected the evidence, when, using what method, and every person who has touched it since, usually backed by a cryptographic hash that proves the file hasn’t been altered. That log, tracking named individuals against timestamped actions, is personal data in its own right, and it deserves the same access-controlled handling as the underlying evidence — a chain-of-custody spreadsheet sitting in an unrestricted shared drive undermines both its evidentiary value and the security duty around it.

Cross-border discovery

Discovery evidence crossing borders — to a foreign co-counsel, a multinational client’s overseas legal team, or in response to a foreign court’s request — still runs through the DPDP Act’s ordinary cross-border transfer principles, exemption or not. India’s transfer regime is a negative list: the government can restrict transfers to specific countries, and as of now none are restricted, so a transfer itself isn’t blocked by DPDP for most jurisdictions. What the exemption doesn’t remove is the underlying security duty — a bundle sent abroad for a Hague Evidence Convention request or a foreign discovery obligation needs the same encrypted-channel discipline as a domestic transfer, and sector regulators (RBI for financial-services litigation, IRDAI for insurance disputes) can layer stricter rules on top of DPDP’s baseline for their regulated entities. Treat “the data is leaving India” as a reason to tighten the channel, not a separate legal gate DPDP itself throws up.

Sharing data with experts, translators and e-discovery vendors

Every third party who touches litigation evidence for the firm — an expert witness, a translator, an e-discovery vendor running document review — is a Data Processor, and that relationship needs the same written-agreement discipline as any other outsourced processing. An expert report often requires handing over the underlying medical, financial or technical records the report is based on; a translator working on a foreign-language witness statement sees the same personal detail a bilingual lawyer would; an e-discovery vendor running keyword search or predictive coding across a document set has, functionally, been given the whole evidence pool. None of that stops being the firm’s responsibility once it’s handed off — a data-processing agreement (scope, security obligations, return-or-destroy terms at engagement end) belongs in each of these relationships, not just the ones that feel like “vendors” in the traditional sense.

Data rooms for high-value disputes

Large commercial disputes and arbitration matters increasingly run on the same virtual data room (VDR) infrastructure as M&A due diligence — and the access controls that make a VDR useful for a deal are exactly what evidence handling needs too. For document sets running into the thousands of pages — a commercial arbitration, a shareholder dispute, litigation arising out of a failed transaction — a VDR’s granular permissioning (who can view which folder, at what level of detail), watermarking (deterring leaks by marking every page to the viewer), view-only access that blocks downloading, and a full audit log of who viewed what and when are worth the setup cost that a smaller matter wouldn’t justify. The same principle as everywhere else in this piece applies at bigger scale: the VDR provider is a processor, the audit log is itself personal data worth protecting, and access still narrows to the working team, not the whole deal or dispute roster.

Confidential settlement agreements specifically

A settlement agreement’s own confidentiality clause and the DPDP Act’s security duty are two separate protections, not one. The agreement’s confidentiality terms bind the parties to non-disclosure; the Act’s security duty separately requires the firm to actually protect the document — and any personal data within it — from unauthorised access or a breach. A firm that stores an executed settlement agreement in an unsecured shared drive has kept its confidentiality promise to the client while still falling short of its security obligation under the Act; the two aren’t interchangeable.

FAQ

Does the legal-claims exemption cover how discovery documents are stored?

No — the exemption covers the underlying processing obligations for enforcing a legal claim; the security-safeguards duty for storing and transmitting the resulting documents survives regardless.

Can discovery bundles be sent to opposing counsel or experts by regular email?

Nothing in the DPDP Act names email as banned, but an encrypted or access-controlled channel is a much closer fit for sensitive discovery material than a plain attachment, especially at bundle scale.

Is a settlement agreement’s confidentiality clause enough to satisfy the DPDP Act?

No — a confidentiality clause governs disclosure between the parties; the Act’s security duty separately requires the firm to protect the document itself from unauthorised access, which is a distinct and additional obligation.

Who should have access to a litigation file’s evidence?

The assigned matter team only, by default — not the whole firm, even where convenience (a shared drive, a general case-management view) makes broader access the path of least resistance.

Does sending evidence to a foreign co-counsel or court trigger extra DPDP requirements?

Not a separate transfer ban — India’s cross-border rule is a negative list and no country is currently restricted — but it’s a reason to tighten the security channel, and to check whether a sector regulator’s own stricter rule applies to the matter.

Does an e-discovery vendor or expert witness need a formal data-processing agreement?

Yes — anyone processing litigation evidence on the firm’s behalf, including experts, translators and e-discovery vendors, is functionally a Data Processor and should be under a written agreement covering scope, security, and what happens to the data once the engagement ends.

Reviewed by Confidential Dispatch Editorial Team
Last updated 17 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →