Informed consent is not a signature on a form. It is a specific sequence of obligations — disclosure, comprehension, voluntariness, competence — and it applies even when the study involves deception, as long as a debrief follows. In India, two additional legal frameworks now sit alongside the ethics committee: the DPDP Act 2023 and the CERT-In six-hour mandatory incident reporting rule.
Sign in to mark this article as read and track your progress.
Informed consent operationalises the Belmont principle of Respect for Persons. It has four elements, all of which must be present:
Disclosure. The purpose, procedure, and any foreseeable risk or benefit are explained before participation begins — not afterwards.
Comprehension. The information is given in language the participant can actually understand. A consent form written entirely in technical jargon does not satisfy this requirement even if the participant signs it.
Voluntariness. Participation, and withdrawal at any point, must be free of coercion — including subtle forms, such as a student feeling obliged to take part in a professor's study, or an employee fearing their response to a security survey might affect their performance review.
Competence. The participant is capable of understanding the information and its consequences. Studies involving children or people in distress have additional requirements.
An Institutional Review Board (IRB) — called an Institutional Ethics Committee in most Indian universities — checks these elements before a study begins. A proposal is typically required whenever the project involves:
| Project involves… | Ethics review needed? |
|---|---|
| Surveying or interviewing people | Yes, even a short questionnaire |
| Collecting device identifiers, emails, or IP addresses tied to a person | Yes, under the DPDP Act as well |
| Deception, such as a phishing simulation | Yes, with a debrief plan submitted in advance |
| Scanning or testing systems you do not own | Yes, and written authorisation from the owner too |
| Purely public, already-published, anonymised data | Usually exempt — confirm with your committee |
The phishing-simulation study is a useful case because it cannot be run with full advance disclosure: telling participants "we are about to test whether you click suspicious links" destroys the measurement. Informed consent handles this by having the organisation's leadership consent to the exercise being run at all, debriefing individual participants afterwards, ensuring no individual result is used punitively, and anonymising click data before analysis unless the research question specifically requires identifying who clicked. A study that skips the debrief, or reports results in a way that exposes individual employees, has failed Respect for Persons even if no law was broken.
India's Digital Personal Data Protection Act, enacted on 11 August 2023, governs how any organisation — including a university research project — may collect and process personal data. Its key obligations for researchers:
Purpose limitation. Data collected for one stated purpose cannot be quietly reused for another. A survey about password reuse habits collected under one consent cannot be reanalysed for a different study without a new consent.
Data minimisation. Only the data needed for the stated purpose should be collected. Collecting full email addresses when anonymised usernames would serve the same research purpose is a violation.
Documented basis for consent. The basis for processing must be documented and verifiable. A project that collects employee email addresses or device identifiers as part of a security study falls under this Act — whether or not it passes through a formal ethics committee.
The Indian Computer Emergency Response Team (CERT-In) was established under Section 70B of the Information Technology Act, 2000. In April 2022, CERT-In issued a binding direction requiring all service providers, intermediaries, data centres, and body corporates to report cybersecurity incidents within six hours of noticing them.
The categories subject to this rule include data breaches, ransomware attacks, malicious code incidents, and targeted scanning of critical networks.
This creates a specific scenario a student researcher must understand: a security research project that discovers a live compromise on the system under study — or receives information about an ongoing attack — may have a legal reporting obligation that sits entirely separately from any academic ethics obligation. The question "should I report this to my supervisor?" is not the only question. "Does my institution have a CERT-In reporting obligation?" may also need an answer within six hours.
A master's student is conducting a network traffic study on systems belonging to a small company that gave written permission for the research. While analysing captures, she identifies what appears to be active command-and-control traffic suggesting the company has an ongoing compromise — unrelated to her study. List three separate frameworks that now simultaneously create an obligation for her to act, name the specific obligation each one creates, and explain what she should do within the next six hours.