In a significant milestone for data privacy in India, the Digital Personal Data Protection Act, 2023 (DPDPA 2023), was assented to by the President of India on August 11, 2023. This groundbreaking legislation, also known as the Act, ushers in a new era of digital personal data protection, aligning with the constitutional principles of the right to privacy and the right to life. The Act aims to strike a balance between an individual’s right to safeguard their personal data and the legitimate processing of this data for various purposes. In this article, we delve into how the DPDPA 2023 impacts employee data protection in India and outline the compliance measures employers must adopt to navigate this new landscape.
A Shift in the Privacy Paradigm
Before the enactment of the DPDPA 2023, employers in India primarily relied on the Information Technology Act, 2000, amended by the Information Technology (Amendment) Act, 2008 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules) to manage privacy concerns related to the employer-employee relationship.
Under the IT Act, Section 43-A, along with corresponding Rule 3 in the IT Rules, provided safeguards for ‘sensitive personal data or information’ (SPDI). These regulations outlined that employers could collect an employee’s SPDI only to the extent necessary for lawful purposes and in connection with the functioning of the employer. Additionally, they specified that this information should not be retained longer than required.
Furthermore, Rule 5 and its subsequent parts set forth various obligations on employers, including consent, notice, retention, security, right to access, and administrative policies to ensure lawful processing of an employee’s personal information. Section 72-A of the IT Act imposed penalties for service providers who disclosed personal information without the data subject’s consent or in breach of a contract.
However, with the introduction of the DPDPA 2023, the distinction between SPDI and digital personal data has been blurred, rendering Section 43-A of the IT Act redundant. The Act introduces the concept of ‘certain legitimate uses,’ whereby an employee is considered to have consented to the processing of their personal data if their employer processes this data for employment-related activities or to protect against loss or liability. This includes activities such as internal investigations into confidentiality breaches or monitoring device activity in suspected corporate espionage cases.
It is important to note that the DPDPA 2023 does not negate Section 72-A of the IT Act. Employers are advised to consider these two pieces of legislation as parallel and implement robust safeguards and technical organizational measures before processing any digital personal data belonging to an employee.
Categories of Data Principals
The provisions of the DPDPA 2023 apply to data principals, a term encompassing various individuals in the employment context. Data principals include current and former employees, active and rejected job applicants, as well as contingent employees like interns, contractors, and consultants. Organizations must ensure that their compliance measures address the privacy rights of all these categories of individuals. For instance, gig economy employers must now extend privacy rights to their independent contractors, a shift from previous classifications as independent contractors exempt from traditional labor laws.
Compliance Strategy for Employers
To navigate the implications of the DPDPA 2023, employers must prepare comprehensive compliance strategies. Considering that compliance is likely to require substantial administrative and technical changes within organizations, it is advisable to initiate readiness evaluations early. Here are key aspects employers need to consider:
- Employee Data Inventory: Develop and maintain a comprehensive data inventory to understand the employee data processed by the organization, its locations, types of processing, and third-party sharing. This forms the foundation for complying with various provisions of the Act, including providing accurate notices to employees and enabling their privacy rights.
- Data Governance Program: While the Act does not explicitly mandate data governance, organizations should include employee data in their data governance program to ensure completeness, accuracy, and consistency, particularly for AI-driven decision-making in recruitment and employment.
- Data Minimization: Enforce strict data retention schedules and deletion protocols for employee personal data no longer needed for its intended purpose, unless required by other laws.
- Employee Rights Enablement: Develop processes and tools to enable data principal rights under the Act, including access, correction, erasure, grievance redressal, and nomination.
- Security Safeguards: Ensure robust cybersecurity measures for employee data to prevent data breaches, with penalties of up to INR 250 crores for failure to protect personal data.
- Third-Party Risk Management: Establish due diligence processes for third parties processing employee data and secure valid data processor contracts.
- Breach Notification: Create mechanisms to inform the Data Protection Board and affected employees in case of data breaches, including breach response procedures and communication plans.
- Notice and Policies: Revise employment agreements, job applicant notices, and internal policies to align with the Act and provide employees with clear information about their data processing.
- Consent and Certain Legitimate Uses: Implement consent management systems to process employee data for purposes unrelated to employment.
- Training and Awareness Programs: Train individuals handling employee data on data privacy, update privacy training content, and establish awareness programs for employees regarding their privacy rights.
Employers designated as Significant Data Fiduciaries will have additional compliance obligations, necessitating the appointment of a Data Protection Officer, independent data audits, and Data Processing Impact Assessments (DPIA). The latter may be a valuable assessment mechanism for employee data processing activities.
As compliance obligations and guidelines may evolve through delegated legislation and updates, organizations must stay updated and adjust their compliance strategies accordingly. Employers must remain proactive in adapting to the changing landscape of data privacy in India.
Conclusion
With the introduction of the Digital Personal Data Protection Act, 2023, India has taken a significant step in strengthening data privacy rights. Employers need to adapt to this new privacy paradigm by developing comprehensive compliance strategies to ensure the protection of employee data and adherence to the Act’s provisions. Navigating this landscape will require diligence, proactive measures, and a commitment to safeguarding personal information, ultimately ensuring a more secure and private environment for employees in India.
