Assented to by the President of India on 11 August 2023, the Digital Personal Data Protection Act, 2023 (DPDPA 2023 or the Act) has become India’s hallmark data privacy legislation that encompasses the protection of a wide range of digital personal information in the spirit of the ‘right to privacy’ – a part of a larger ‘right to life’ – guaranteed under the Constitution. It provides for the processing of digital personal data, balancing between an individual’s right to protect their personal data and the lawful processing of such personal data for various purposes.
Employee data protection in India
Prior to the DPDPA 2023, employers relied almost exclusively on the Information Technology Act 2000, as amended by the Information Technology (Amendment) Act, 2008 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules) to deal with issues of privacy arising out of the employer-employee relationship in India. Section 43-A of the IT Act and the corresponding Rule 3 of the IT Rules provide for the protection of ‘sensitive personal data or information’ (SPDI). These stipulated that an employer could only collect the SPDI of an employee to the extent necessary for a lawful purpose and in connection with the functioning of the employer and that such information should not be retained for longer than required.
Rule 5 and its subsequent parts laid down consent (including the right to withdraw consent), notice, retention, security, right to access, and administrative policy obligations on the employer to ensure that an employee’s personal information is collected, stored, tracked, and processed lawfully from the time of their joining to the termination of their employment.
Section 72-A of the IT Act penalizes a service provider’s disclosure of personal information without the data subject’s consent or in breach of a contract.
However, with the introduction of the DPDPA 2023, the privacy paradigm as it relates to employment has been significantly altered. Firstly, the lack of a distinction between SPDI and digital personal data has rendered Section 43-A of the IT Act redundant.
Secondly, as it relates to employee consent parameters, the DPDPA 2023 establishes the concept of ‘certain legitimate uses,’ wherein an employee is deemed to have given consent to the processing of their personal data if her employer processes her data for employment-related activities, or to protect themselves from loss or liability (e.g., internal investigations into confidentiality breaches, tracking device activity in case of suspected corporate espionage).
Lastly, it is essential to note that the DPDPA 2023 does not omit Section 72-A of the IT Act. Therefore, until otherwise clarified in future rulemaking or delegated legislation, it is in an employer’s best interest to assume the interoperability between Section 72-A of the IT Act and the DPDPA 2023 as parallel pieces of legislation and implement only those state-of-the-art safeguards and technical organizational measures that meet the highest standards before processing any type of digital personal data belonging to an employee.
Categories of data principals
The provisions of DPDPA 2023 apply to digital personal data related to data principals. In the employment context, data principals include current and former employees, active and rejected job applicants, and contingent employees such as interns, contractors or consultants. As organizations develop their DPDPA readiness strategy, they must ensure compliance measures address all potential personas listed above. For example, the gig economy employers, who may have thus far circumvented traditional labor laws by classifying their workers as independent contractors, will now need to change their stance and afford privacy rights to their independent contractors as well.
DPDPA 2023 compliance strategy for employers
Employers must familiarise themselves with the Act and assess its implications for their organizations. A recent announcement indicated that the government may give the industry a graded timeline to align with the Act. With compliance likely to require significant administrative and technical overhauls within organizations, it is prudent to begin readiness evaluations early. To develop their compliance strategy, employers will need to consider the following:
Employee data inventory: Develop and maintain a comprehensive data inventory to understand employee data processed by the organization, the locations where it is stored, the types of processing performed, and the third parties it is shared with. Data inventory is a foundational requirement that employers will leverage to comply with several other provisions of the Act, such as providing accurate notices to employees about their data and enabling employee privacy rights.
Data governance program: Although the Act does not call out data governance as an obligation under the Act, organizations must include employee data in their existing data governance program scope to ensure data completeness, accuracy, and consistency for decision-making that affects employees. With the recent uptick in employers using AI tools for recruitment, e.g., automatically screening job applicant resumes and matching applicants to new job opportunities, employers must ensure that the underlying data is accurate and processed fairly for decisions impacting employment.
Data minimisation: The Act requires employers to enforce strict data retention schedules and deletion protocols for employee personal data no longer needed for its intended purpose unless retention is necessary for compliance with other laws. For example, employers must delete rejected job applicant data as soon as it is reasonable if the applicant has not consented to be considered for future job opportunities, and COVID-19 related data such as vaccination and health status collected from employees must be deleted once the pandemic management measures have ceased.
Employee rights enablement: Employers will need to develop processes and tools to enable data principal rights under the Act, such as the right to access information about personal data, the right to correction and erasure of personal data, the right of grievance redressal, and the right to nominate. The effort entails building an intake process with identity verification for requesters, logging and tracking all requests, developing standard operating procedures for handling the requests and appeals, and building workflows to fulfill these requests manually or via automated tooling.
Security safeguards: Employers must ensure that their organization’s cybersecurity program includes security safeguards for employee data. Failure to protect employee personal data resulting in a data breach may result in penalties up to INR 250 crores. Organizations should protect employee personal data from unauthorized access and disclosure by deploying appropriate measures such as access controls, data encryption, vulnerability management, and secure configurations.
Third-party risk management: Employers engage third parties for several high-risk employee data processing, such as background checks, user behavior analytics, health insurance, and financial benefits. Employers should establish a third-party due diligence process and ensure all third parties processing employee data have a valid data processor contract with appropriate security and privacy provisions.
Breach notification: Organisations must build mechanisms for informing the Data Protection Board and affected employees in the event of a breach. Breach response preparedness may include developing breach response standard operating procedures, notification templates, communication plans, and periodic tabletop exercises to train appropriate stakeholders.
Notice and policies: Employment agreements, job applicant candidate notices, and internal policies and guidelines for employee data handling will likely need to be revised to align with the Act. Where employees have given consent to processing their data before the commencement of the Act, organizations will have to provide a notice informing employees of their personal data and the purpose for which it was processed, instructions for exercising their privacy rights, and grievance redressal mechanisms in place.
Consent and certain legitimate uses: Employers can process employee personal data that has been voluntarily provided to the organization and where the employee has not indicated that they do not consent to the use of their personal data. Organizations can process employee data for employment or to safeguard the employer from loss, such as to prevent corporate espionage, maintain the confidentiality of trade secrets, or provide benefits sought by the employee. If the organization intends to use employee data for any other purpose unrelated to employment, then free, specific, informed, unconditional, and unambiguous employee consent may be required. Organizations will need to build consent management systems to enable employees to withdraw and provide consent where required.
Training and awareness programs: Employers should train individuals handling employee data on the importance of data privacy during onboarding and periodically as required. Organizations should update existing privacy stewardship training content to include changes brought about by the Act. Employers must establish awareness programs that provide accessible resources to inform employees about their privacy rights under the Act and contact information of the Data Protection Officer (DPO) or the appropriate individual who can field questions related to personal data processing on behalf of the organization.
Employers designated as Significant Data Fiduciary in future guidelines will have additional compliance obligations, such as appointing a DPO responsible to the Board of Directors and serving as a point of contact for grievance redressal, engaging an independent data auditor to perform periodic compliance audits and performing periodic Data Processing Impact Assessments (DPIA). Considering the lack of a distinction between types of personal information under the Act, adopting the more robust DPIAs as the standard assessment mechanism for employee data processing activities may be beneficial.
Additional compliance obligations and guidelines could manifest in delegated legislation and updates to DPDPA 2023; hence, organizations must keep track of these changes and update their employee data compliance strategy as requirements evolve.