As the recently passed Digital Personal Data Protection Act, 2023 (‘DPDPA’) awaits implementation guidance from the Government, it is slated to have a significant impact across all sectors and industries. As a result, entities will have to reimagine their data handling practices when processing the personal data of customers, employees and other third parties who are individuals.
A common thread tying all types of businesses together (B2B, B2C etc.) would be the impact on processing of employee data. Unlike the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’), the DPDPA would apply uniformly to all personal data and provide a comprehensive framework for such processing, regardless of whether the information is ‘sensitive’[1]. It also proposes the constitution of a Data Protection Board (‘DPB’), which would adjudge non-compliances and impose penalties[2].
Employee data is widely processed by businesses for a variety of purposes, including performance assessment, extending various benefits, payroll, legal compliance and, occasionally, safeguarding the employer’s interests. In some instances (such as use for group insurance), this would also include personal data of the family members of such employees.
Do employers need to rely on consent now?
The DPDPA adopts a nuanced view by enabling the processing of personal data on the basis of ‘certain legitimate uses’[3] without obtaining consent[4]. As part of this, it permits employers to process employee data for the purposes of employment[5]. It also allows employers to process employee data for safeguarding the employer from loss or liability (such as prevention of corporate espionage, or maintenance of confidentiality of trade secrets, IP or classified information) or for providing services or benefits to employees.
It remains unclear if processing for the ‘purposes of employment’ would include processing for pre-employment activities such as shortlisting, interviews or for conducting background checks. The rules to be notified under the DPDPA may provide further clarity in this regard.
While employers may not be required to seek consent when processing employee data for such purposes, other obligations would continue to apply. Some of these include:
- Ensuring that Data Processors process personal data only pursuant to a valid contract;
- Implementing technical, organisational and security measures to protect personal data;
- Ensuring accuracy and consistency of employee data, especially where such data is used to make decisions affecting employees[6];
- Intimating the DPB and affected Data Principals in case of a personal data breach;
- Erasing personal data (and causing Data Processors to erase it) once the purpose of collection is no longer served;
- Establishing effective mechanisms for grievance redressal[7];
- Extending to Data Principals the rights provided under the DPDPA[8]; and
- Ensuring that personal data is not transferred to a restricted territory or country[9].
Employers may be subject to certain additional safeguards in respect of handling personal data of children and/or persons with disabilities. In such cases, they may be required to obtain the consent of guardians and refrain from undertaking specific types of processing, such as any processing likely to cause harm. This may be relevant when processing personal data of employees’ family members.
Transitioning to the DPDPA
As a transitional mechanism, employers are permitted to continue processing employee data until consent for such data is withdrawn. However, upon implementation of the DPDPA, employees must be provided with a notice describing the personal data being processed, the manner in which their rights may be exercised and the manner of making complaints.
A smooth transition requires employers to undertake certain measures with regard to the processing of employee data. Some of these key measures include:
- Data discovery and mapping: Employers may undertake data discovery and mapping exercises to determine the nature of the employee data and datasets being processed by the company, and to assess the purposes and legal basis for processing in each such case.
- Fortifying documentation: Employers must review and strengthen documentation, procedures and process flows to ensure that employment agreements, internal policies and frameworks governing employee data remain compliant and enable employers to process employee data for all purposes contemplated.
- Vendor assessments: Employers must revisit agreements with service providers (such as cloud providers, payroll processors, insurers etc.) to ensure compliance with key obligations. Additionally, employers may safeguard themselves through appropriate indemnities sought from such providers.
- Training and sensitisation: Employers must conduct periodic training and awareness programmes to sensitise employees to key obligations and ensure ground-level implementation of the requirements provided under the DPDPA.
While certain comfort has been extended under the DPDPA to the processing of employee data, employers are still required to reimagine their data handling practices to align with the DPDPA. Further, there is a lack of clarity as to whether ‘contractual hires’ (i.e., agents, labourers) or employees on secondment would be considered employees, and whether the said exemption from consent would apply to processing in that context.
Despite some conceptual similarities, multinational organisations (familiar with the GDPR) would still have to undertake certain measures to adopt a tailored approach to complying with the DPDPA. While implementation timelines are awaited, the notification of the rules is also likely to bring more clarity to the regime.
[The first author is a Senior Associate in the Data Protection and TMT practice, while the second author is a Principal Associate in the Corporate and M&A practice, of Lakshmikumaran & Sridharan Attorneys at Hyderabad]
[1] Rule 3, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
[2] Section 33, Digital Personal Data Protection Act, 2023.
[3] Section 7, Digital Personal Data Protection Act, 2023.
[4] Section 6, Digital Personal Data Protection Act, 2023.
[5] Section 7(i), Digital Personal Data Protection Act, 2023.
[6] Section 8(3), Digital Personal Data Protection Act, 2023.
[7] Section 8, Digital Personal Data Protection Act, 2023.
[8] Chapter III, Digital Personal Data Protection Act, 2023.
[9] Section 16, Digital Personal Data Protection Act, 2023.