I. Introduction

Pending the implementation of the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), framed under the Information Technology Act, 2000 (“IT Act”), are presently the primary general law governing the protection of personal data in India. They prescribe procedures for the lawful collection of personal data and require bodies corporate to adhere to reasonable security practices.

Employers are required to adhere to the SPDI Rules in respect of their employees and their recruitment processes. The DPDPA will change the existing data protection landscape in ways that may require employers to modify internal processes and documentation. This note provides an overview of those changes and the potential impact they may have on employers’ operational practices.

II. Processing under the SPDI Rules

The SPDI Rules do not distinguish between employers and other organisations that process personal data, nor do they distinguish between data controllers and data processors. Accordingly, employers must comply with all applicable requirements when processing employees’ personal data, including providing a privacy notice, appointing a grievance officer, enabling individuals’ right to access and correct their information, and obtaining consent for the processing of sensitive personal data.

III. Processing under the DPDP Act 2023

The DPDPA permits data fiduciaries to rely on certain ‘legitimate uses’ as a basis for processing for employment-related purposes and for safeguarding the employer from loss or liability. This allows employers to process the personal data of personnel for matters related to employment without obtaining consent or providing detailed notice of their processing activities. At first glance this appears less favourable to employees. However, as the experience of jurisdictions such as the European Union illustrates, consent is not an effective legal basis for processing in an employment setting, because employees cannot exercise a genuine choice over the use of their data.

On the other hand, the DPDPA does not, at this stage, impose any additional due diligence obligations on employers as a precondition for relying on this ground while safeguarding employees’ interests. By contrast, under the GDPR, where employers usually rely on ‘legitimate interests’ for processing, data controllers are required to perform a ‘legitimate interests assessment’ before processing on that ground, to demonstrate that the requirements of ‘legitimate interests’ are met. No comparable requirement appears in the DPDPA. Further clarity on these aspects is expected through rules to be issued by the Indian government.

Additionally, employers should note that not all processing of employees’ personal data will qualify as processing for “purposes of employment”, since some processing activities are unrelated to the employment itself; for instance, using an employee’s personal data (such as their name or image) to advertise the business. Accordingly, this ground must be interpreted narrowly to cover only those processing activities that fall within “purposes of employment” or “safeguarding the employer from loss or liability”. Although the DPDPA does not say so expressly, we recommend that businesses assess such processing activities through the lens of necessity and proportionality, in line with global data protection jurisprudence (such as under the GDPR).

Separately, the DPDPA does not address whether this ground of processing extends to (a) pre- and post-employment procedures, such as recruitment, background verification checks, and post-termination processing, or (b) processing of the personal data of personnel who are not “employees”, such as interns, consultants, or contractors. On a strict reading of the DPDPA’s provisions, it does not appear to extend to such processing, as the ground seemingly can be invoked only where an employer-employee relationship exists. This position may, however, be clarified by the government upon implementation of the DPDPA.

IV. Use of Third-Party Services

Organisations typically rely on third-party service providers to carry out employee recruitment and management processes; for example, background verification checks are often outsourced to external service providers. The DPDPA categorises such third parties as ‘data processors’, who have no direct statutory obligations under the DPDPA. Employers should therefore ensure that they enter into comprehensive contractual arrangements with such third parties that limit the scope of personal data processing, regardless of the ground of processing relied upon.

The introduction of the concept of data processors places enhanced accountability on employers: they must ensure that their third-party service providers meet adequate data protection and cybersecurity standards, in order to minimise their own risk of liability for non-compliance.

V. Impact on Businesses

In order to adhere to the obligations under the DPDPA, businesses will need to overhaul their employee onboarding and personnel management processes, and can use the following measures to kickstart compliance:

  1. Conduct a data mapping exercise to identify what employee personal data they process, and which of that processing falls within “purposes of employment” and which does not;
  2. Create a compliance checklist covering their documentation, such as employment agreements and privacy policies;
  3. Overhaul relevant service agreements with third-party service providers to ensure compliance with the DPDPA; and
  4. Implement mechanisms to obtain and verify consent for pre- and post-employment procedures, taking into account the available technology and the risks inherent in the processing.

We recommend that businesses start evaluating their consent journeys and processing purposes now, and review other data protection laws and global best practices to inform their compliance with the DPDPA.

***