Ethical Code for IDAs

FDPPI-AIDAI Code of Professional Ethics for Independent Data Auditors (IDA)

(V18042026)

The following is a proposed structure for this code:

  1. Objectives

The purpose of this Code of Ethics is to guide the professional and personal conduct of AIDAI Empanelled Independent Data Auditors as they fulfil their statutory roles under the Digital Personal Data Protection Act (DPDPA) 2023.

The primary role of Independent Data Auditors is to evaluate the compliance of a Data Fiduciary with the provisions of the DPDPA 2023 and file a report with the management of the Data Fiduciary.

However, the underlying role of the IDA is to ensure that the Data Fiduciary is in conformity with its duties as a “Fiduciary” of the “Data Principal”.

The IDA is also required to verify the technical measures, including algorithmic software, adopted by the Data Fiduciary for processing personal data under the scope of the DPDPA 2023.

Also, the IDA is the eyes and ears of the Data Protection Board and is required to report any significant observations made during the audit that have an adverse impact on the national interests and the interests of the Data Principals at large.

The IDA himself is considered the “Fiduciary of the Data Fiduciaries” and has a duty cast on him/her to ensure that the objectives of the DPDPA 2023 are fulfilled.

  2. Core Ethical Principles

Data Auditors must internalize and uphold these five foundational principles:

  • Integrity: Auditors must be straightforward and honest in all professional relationships, establishing trust as the basis for reliance on their judgment.
  • Objectivity and Independence: Professional judgments should not be compromised by bias, conflict of interest, or the undue influence of the Data Fiduciary being audited.
  • Confidentiality: Auditors must respect the value and ownership of the information they receive, ensuring it is not disclosed to unauthorized parties or used for personal gain.
  • Professional Competence and Due Care: There is a continuing duty to maintain the high-level “Techno-Legal” knowledge required to evaluate complex data governance systems.
  • National and Professional Interest: Auditors must place the interests of the nation and the profession above personal, political, or religious beliefs.

  3. Rules of Conduct

A. Integrity and Professional Behaviour

  1. Perform all audit duties with honesty, diligence, and a high standard of character.
  2. Observe and comply with all relevant laws, specifically the DPDPA 2023 and ITA 2000, and make all disclosures expected by the law.
  3. Avoid any conduct that might discredit the profession or the Foundation of Data Protection Professionals in India (FDPPI).
  4. Refrain from participating in any illegal activities or discreditable acts.

B. Objectivity and Conflict of Interest

  1. Maintain strict independence from the Data Fiduciary; the auditor must not have any relationship that impairs—or is presumed to impair—an unbiased assessment.
  2. Identify and address potential threats to objectivity, such as self-interest threats (e.g., having a financial interest in the client) or familiarity threats (e.g., long association with the audit client).
  3. Disclose all significant facts known to them that, if withheld, might distort the reporting of compliance results.

C. Confidentiality and Information Protection

  1. Be prudent in protecting both physical and electronic data acquired during the course of an audit.
  2. Do not use confidential information for personal financial gain, such as using insider knowledge for stock trading or selling proprietary data to competitors.
  3. Maintain confidentiality even after disassociating with the organization or finishing an audit engagement.

D. Competence and “Techno-Legal” Excellence

  1. Only undertake audit activities that can reasonably be completed with the necessary skills and knowledge.
  2. Continuously update professional expertise regarding evolving Indian frameworks, such as the DGPSI (Digital Governance and Protection Standard of India).
  3. Contribute to the “Distributed Responsibility” of data protection by educating stakeholders on governance and risk management.

4. Ethical Decision-Making Framework

In “grey area” situations where the right path is not obvious, auditors should apply a framework that involves:

  • Identifying the ethical dilemma and the parties affected.
  • Evaluating whether the action aligns with FDPPI’s goal of building a Secure Information Society.
  • Consulting with the FDPPI-AIDAI Governance Committee or Advisory Board when necessary.

  5. Enforcement and Accountability

  • Voluntary Adoption: Every member shall voluntarily adopt this code to enhance the intrinsic value of the profession.
  • Disciplinary Action: Failure to comply with this Code of Professional Ethics can result in an investigation and disciplinary measures, including the revocation of FDPPI certifications.
  • Reporting Misconduct: Auditors have a duty to prevent breaches of these principles by others and must bring such instances to the notice of the appropriate authorities.

P.S.: Kindly confirm acceptance on the enrolment application.

All empanelled IDAs may make use of a draft contract of engagement developed by AIDAI as part of the ethical standards. A copy will be provided on request to empanelled Accredited/Certified IDAs and to the trainees of the next CIDA program scheduled in June 2026.