EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
research-methodologyinformed-consentdpdp-actcert-in

Informed Consent, Ethical Review, and Indian Law

Informed consent is not a signature on a form. It is a specific sequence of obligations — disclosure, comprehension, voluntariness, competence — and it applies even when the study involves deception, as long as a debrief follows. In India, two additional legal frameworks now sit alongside the ethics committee: the DPDP Act 2023 and the CERT-In six-hour mandatory incident reporting rule.

Ashish Revar7 July 20269 min read2 views

Sign in to mark this article as read and track your progress.

More articlesTest your knowledge

Informed Consent: Four Elements

Informed consent operationalises the Belmont principle of Respect for Persons. It has four elements, all of which must be present:

Disclosure. The purpose, procedure, and any foreseeable risk or benefit are explained before participation begins — not afterwards.

Comprehension. The information is given in language the participant can actually understand. A consent form written entirely in technical jargon does not satisfy this requirement even if the participant signs it.

Voluntariness. Participation, and withdrawal at any point, must be free of coercion — including subtle forms, such as a student feeling obliged to take part in a professor's study, or an employee fearing their response to a security survey might affect their performance review.

Competence. The participant is capable of understanding the information and its consequences. Studies involving children or people in distress have additional requirements.

When Ethics Review Is Required

An Institutional Review Board (IRB) — called an Institutional Ethics Committee in most Indian universities — checks these elements before a study begins. A proposal is typically required whenever the project involves:

Project involves…Ethics review needed?
Surveying or interviewing peopleYes, even a short questionnaire
Collecting device identifiers, emails, or IP addresses tied to a personYes, under the DPDP Act as well
Deception, such as a phishing simulationYes, with a debrief plan submitted in advance
Scanning or testing systems you do not ownYes, and written authorisation from the owner too
Purely public, already-published, anonymised dataUsually exempt — confirm with your committee

The phishing-simulation study is a useful case because it cannot be run with full advance disclosure: telling participants "we are about to test whether you click suspicious links" destroys the measurement. Informed consent handles this by having the organisation's leadership consent to the exercise being run at all, debriefing individual participants afterwards, ensuring no individual result is used punitively, and anonymising click data before analysis unless the research question specifically requires identifying who clicked. A study that skips the debrief, or reports results in a way that exposes individual employees, has failed Respect for Persons even if no law was broken.

The DPDP Act, 2023

India's Digital Personal Data Protection Act, enacted on 11 August 2023, governs how any organisation — including a university research project — may collect and process personal data. Its key obligations for researchers:

Purpose limitation. Data collected for one stated purpose cannot be quietly reused for another. A survey about password reuse habits collected under one consent cannot be reanalysed for a different study without a new consent.

Data minimisation. Only the data needed for the stated purpose should be collected. Collecting full email addresses when anonymised usernames would serve the same research purpose is a violation.

Documented basis for consent. The basis for processing must be documented and verifiable. A project that collects employee email addresses or device identifiers as part of a security study falls under this Act — whether or not it passes through a formal ethics committee.

CERT-In and Mandatory Incident Reporting

The Indian Computer Emergency Response Team (CERT-In) was established under Section 70B of the Information Technology Act, 2000. In April 2022, CERT-In issued a binding direction requiring all service providers, intermediaries, data centres, and body corporates to report cybersecurity incidents within six hours of noticing them.

The categories subject to this rule include data breaches, ransomware attacks, malicious code incidents, and targeted scanning of critical networks.

This creates a specific scenario a student researcher must understand: a security research project that discovers a live compromise on the system under study — or receives information about an ongoing attack — may have a legal reporting obligation that sits entirely separately from any academic ethics obligation. The question "should I report this to my supervisor?" is not the only question. "Does my institution have a CERT-In reporting obligation?" may also need an answer within six hours.

Check Your Understanding

A master's student is conducting a network traffic study on systems belonging to a small company that gave written permission for the research. While analysing captures, she identifies what appears to be active command-and-control traffic suggesting the company has an ongoing compromise — unrelated to her study. List three separate frameworks that now simultaneously create an obligation for her to act, name the specific obligation each one creates, and explain what she should do within the next six hours.