Most CA firms collect client documents every day.
PAN, Aadhaar, Form 16, AIS/TIS, bank statements, salary slips, GST records, TDS workings, KYC documents, and investment proofs are shared through WhatsApp, email, Google Drive, and office staff.
This is routine.
But under DPDPA, one practical question becomes important:
If the client sends the document voluntarily, is that enough consent?
A CA firm may collect documents from one person, but the file often contains personal data of many others:
- Spouse’s Form 16
- Children’s PAN details
- Parents’ pension records
- Employee payroll data
- Director KYC documents
- Vendor bank details
- Family investment proofs
- Proprietor’s personal bank statements
Many of these people may never have signed the engagement letter.
Still, their personal data may sit in the CA firm’s WhatsApp, Gmail, Google Drive, staff laptops, and old client folders.
This is where the risk becomes practical.
A website privacy policy may exist.
An engagement letter may exist.
But if the firm cannot clearly show why the data was collected, who authorised it, where it is stored, who has access, and how long it will be retained, the compliance gap remains.
So the issue is not only “consent”.
The issue is whether the CA firm has a defensible data-collection process.
In my view, CA firms do not need an impractical separate consent for every PAN copy or bank statement.
But they should have a basic DPDPA-ready process:
- Give a simple privacy notice before or during onboarding
- Mention what personal data is collected and why
- Add DPDPA/data-handling language in the engagement letter
- Ask the client to confirm authority where family, employee, director, or vendor data is shared
- Restrict staff and article assistant access to client documents
- Maintain a basic record of what data is collected and where it is stored
- Define retention and deletion rules
That is more practical than relying only on “client sent it, so consent is assumed”.
My question to fellow professionals:
How are CA firms handling consent under DPDPA while collecting PAN, Aadhaar, Form 16, bank statements, and other tax documents?
Are firms:
- Continuing with existing practice?
- Adding clauses in engagement letters?
- Publishing a privacy notice?
- Taking separate consent?
- Asking clients to confirm authority for family/employee data?
- Maintaining a data register?
- Waiting for more clarity?
Would appreciate views from fellow members on how this is being handled in actual practice.
For anyone who wants to self-check current DPDPA readiness gaps, this may be useful:
https://saralprivacy.com/assessment
https://saralprivacy.com/industries/ca-firms