Employers and organisations must comply with the stringent requirements laid down by the DPDP Act when handling the personal data, including sensitive personal data or information, of employees.
In today’s corporate landscape, organizations routinely collect and manage employee data as part of their human resource management practices. The objectives of such collection are manifold, ranging from operational requirements to compliance-related purposes. Once collected, this data is processed and retained in accordance with the company’s policies. Until now, the Information Technology Act, 2000, through the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules” or “IT Rules”), has imposed several requirements on the processing of data, including Sensitive Personal Data or Information (SPDI).
However, the impending notification of the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act), together with its draft rules, has prompted a re-examination of the Act’s key provisions through the lens of employment practices. Data collection and retention by employers will now be subject to heightened scrutiny and must be aligned with the new law.
For a concise understanding of the relevant provisions of the DPDP Act, reference is made to the following sections. The relevant terms are defined in Section 2: Data Fiduciary under Section 2(i), Data Principal under Section 2(j), Data Processor under Section 2(k), Digital Personal Data under Section 2(n) and Processing under Section 2(x). Section 4 permits the processing of personal data only for a lawful purpose, and only where the Data Principal has given consent in accordance with Section 6 or where the processing falls within the “certain legitimate uses” set out in Section 7. Section 7 enumerates an exhaustive list of circumstances in which a Data Fiduciary may process the personal data of a Data Principal without seeking the Data Principal’s consent. Among these legitimate uses, clause (i) of Section 7 is of particular relevance because it specifically addresses employment-related processing. Under this clause, an employer may process an employee’s personal data for the purposes of employment or for purposes relating to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property and classified information, or the provision of any service or benefit sought by a Data Principal who is an employee. Whenever a Data Fiduciary or Data Processor processes a Data Principal’s personal data beyond the scope of Section 7, however, compliance with Section 5 becomes mandatory: the Data Fiduciary must issue a notice under Section 5 and obtain the Data Principal’s consent under Section 6. In the context of this article, the Data Principal is the employee, the Data Fiduciary is the employer, and the Data Processor is any third party processing Digital Personal Data on behalf of the employer.
Given the rise in data breaches, and with the trade in personal data having become a billion-dollar market, it is now a corporate responsibility that must be discharged meticulously to ensure transparency and to obtain personal data with full disclosure and consent before processing it.
Against this background, once the provisions of the DPDP Act and its rules come into force, there will be a paradigm shift in the employer-employee relationship. Sections 8, 10, 11, 12 and 13 of the Act introduce additional rights and obligations that will influence both the hierarchical and the collaborative aspects of that relationship.
As regards the rights of a Data Principal, Chapter III of the Act, dealing with the Rights and Duties of the Data Principal, sets out specific entitlements. Section 11 confers the right to access information about personal data, Section 12 provides the right to correction and erasure of personal data, and Section 13 establishes the right of grievance redressal. Accordingly, employees, in their capacity as Data Principals, will be vested with precise and unequivocal rights to access, rectify and erase their personal data, reinforced by a structured grievance redressal mechanism. Employers, as Data Fiduciaries, will consequently be subject to more stringent obligations regarding data security, breach notification, and responding to employee requests for information, correction and erasure. Under Section 10, a Data Fiduciary notified as a Significant Data Fiduciary, on the basis of factors such as the volume and sensitivity of the personal data it processes, will bear further obligations, including the appointment of a Data Protection Officer and the conduct of periodic audits. Section 8, which sets out the general obligations of a Data Fiduciary, additionally mandates that the Data Fiduciary ensure the completeness, accuracy and consistency of personal data where it is likely to be used to make a decision affecting the Data Principal or to be disclosed to another Data Fiduciary.
As indicated above, Section 13 confers on the Data Principal the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager. This right extends to any act or omission of the Data Fiduciary or Consent Manager concerning its obligations in relation to personal data or the exercise of the Data Principal’s rights under the Act and the rules. Accordingly, every employer must establish an effective grievance redressal mechanism to address employee complaints concerning data misuse, unauthorized processing or other violations.
The preceding discussion outlines the core obligations an employer must undertake when handling digital personal data. Revisiting the legitimate use for the purposes of employment under Section 7(i), however, raises several practical questions that merit closer attention.
First, where employee information classified as Sensitive Personal Data or Information (SPDI), which requires written consent under the SPDI Rules, overlaps with data processed under the ‘legitimate use’ exception of the DPDP Act, which permits processing without consent, is the employer still obligated to obtain the employee’s consent?
If written consent is nonetheless obtained voluntarily from the employee, how does the employee’s right to withdraw that consent operate where Section 7 of the DPDP Act already permits the processing without express consent as a legitimate use?
Second, can an organization legitimately retain the personal data of a former employee on the premise that employment history remains relevant to its operations and to safeguarding the employer from loss or liability? Or does the cessation of employment automatically oblige the organization to erase such data from its records?
Further, where a prospective employer seeks background verification from a former employer, how should the former employer’s retention and disclosure obligations be balanced against each other? A related question arises for data obtained from applicants for employment purposes. Such data is stored, processed, analysed and shared with recruiters and other third parties. When an applicant or candidate is not selected, must that data be retained, or must it be deleted?
The phrase ‘purposes of employment’ in Section 7(i) has a broad ambit. An organization cannot, however, circumvent the requirement of consent merely by subsuming all of its data processing activities within this exception. Such an interpretation would undermine the very intent of Sections 8, 10, 11, 12 and 13 of the Act, which establish substantive rights for Data Principals and obligations and limitations for Data Fiduciaries. It is therefore imperative for employers to develop internal standards and policies that clearly delineate which processing activities fall within the ambit of Section 7(i) and for which activities separate consent must be obtained. For any processing beyond these narrowly defined purposes, the employer must comply with Section 6 and obtain valid consent from employees, in line with the procedural and substantive requirements prescribed under the Act. These questions are likely to be further refined, and to gain clarity, with the anticipated finalisation of the Digital Personal Data Protection Rules, 2025 (DPDP Rules).
These developments in the data privacy landscape call for a proactive and strategic response from organizations across all sectors. They accentuate the need for companies to reassess and realign their internal policies, protocols and operational procedures concerning data collection, usage, storage and sharing. Organizations must ensure that their data processing frameworks are not only legally compliant but also resilient and transparent enough to withstand future regulatory scrutiny. The challenges are numerous, ranging from the technical difficulty of mapping data across systems to cultural resistance to change within organizations. These efforts are not mere regulatory checkboxes, however; they are foundational investments in building trust, ensuring business continuity and safeguarding individuals’ fundamental right to privacy. In short, while the journey toward comprehensive data privacy compliance is demanding, it is a strategic imperative and is essential for long-term resilience, trust and the protection of data privacy rights.
About the authors: Varsha Kripalani is a Partner and Ipsita Sarkar is an Associate at SNG & Partners.