09 August 2024
The landmark Puttaswamy judgement recognized the ‘Right to Privacy’ as a fundamental right and the Digital Personal Data Protection Act, 2023 (‘DPDP Act’) will formalize the enforcement process making it a legal mandate across industries.
Under the DPDP Act, employers assume the role of Data Fiduciaries (while employees, candidates and ex-employees are classified as Data Principals). Employers routinely collect and process digital personal data for various legitimate purposes (such as recruitment, payroll management, contributions to social security benefits, medical record maintenance, insurance claims processing, performance monitoring, reference checks, etc.); therefore, they must comply with its underlying fundamentals or pay the price.
This article, through the seven fundamentals outlined hereunder, cuts across specific provisions of the DPDP Act and critically examines the core principles underpinning it, viewed through the employer’s lens.
Legitimate uses: ‘Legitimate uses’ form the cornerstone of the DPDP Act. They outline the lawful grounds upon which digital personal data can be processed without requiring the explicit consent of the individual. Of the nine distinct ‘legitimate uses’ under Section 7 of the DPDP Act, employers’ legitimate uses of employees’ personal data, in day-to-day parlance, are governed under Section 7(a) (data voluntarily shared for a specified purpose) and Section 7(i) (employment purposes), as explained hereunder respectively.
Section 7(a): This enables the employer to process personal data for the specified purpose for which an employee or job applicant has voluntarily furnished her personal data.
Illustration: Information shared by a candidate in her application while applying for a job allows the employer to process that information only for the stated purpose of evaluating her suitability for the role.
Section 7(i): This permits the employer to legitimately use employees’ digital personal data for ‘employment purposes’ or for safeguarding against any loss or liability. This could allow employers to weigh their legitimate business interest, or the obligations of the employment contract, against the employees’ right to privacy.
Illustration: An employer can process (store, adapt, use, index, share, disclose by transmission, disseminate, or otherwise make available, etc.) employees’ data for its legitimate business interest, for example, safeguarding the organization from loss or liability, preventing corporate espionage, maintaining the confidentiality of trade secrets/IP, complying with laws, or provisioning any service/benefit sought by an employee.
Consent: In cases other than the list of legitimate uses, the employer will have to obtain the consent of the employee (or a job seeker) before processing her data as per Section 4(1)(a). Moreover, as per Section 6, such consent should also be:
Furthermore, the employee may manage, review, or withdraw her consent at any time.
Illustration: If the company has in the past created a database of suitable candidates (often termed a talent pipeline), it must again obtain those candidates’ consent to store their data in its talent pipeline.
On the topic of consent, the inherent power imbalance in an employer-employee relationship raises concerns about whether an employee’s consent can ever truly be voluntary and free. Therefore, employers run the risk of allegations of exploiting their authority to obtain consent for data processing practices. Any disgruntled employee may claim that her initial consent was given under undue influence and coercion, exposing the employer to legal risks for processing personal data without valid consent.
This delicate dynamic necessitates judicial scrutiny to determine whether specific instances of employee consent were genuinely voluntary or are rendered invalid by the power differential. Courts may need to adjudicate on a case-by-case basis to establish clear boundaries and safeguards regarding the validity of consent in such cases.
Exceptions: An employer can process a candidate’s/employee’s personal data without relying on consent or a legitimate use, as delineated under the DPDP Act, if the data is collected from the public domain and was shared by the data principal herself in order to be made publicly available.
Such publicly available data can be a portfolio on a professional website, a profile on a current employer’s website, any information mentioned in publications and articles, public records, press releases, online directories, etc.
Illustration: Screening and judging a candidate’s suitability using her LinkedIn profile falls within the exceptions, as a publicly accessible LinkedIn profile indicates a reasonable expectation of contact.
Furthermore, publicly available data shall also include any data that, even though not published directly by the data principal herself, has been published by someone under a legal obligation to publish it.
Illustration: Personal data of company shareholders and directors as filed with registrars, information in publicly available compliance registers, and data that can be made available upon payment of the requisite government fee.
Employers shall only process the digital personal data of an employee/candidate for the specific purpose for which it was provided. Employers must properly document the purpose of collection and avoid any secondary use of such data. Furthermore, employers must obtain separate consent to process the data for any new purpose, as consent cannot be sought wholesale (also known as bundled consent).
Illustration: If the employer has obtained a particular set of data for hiring purposes, it cannot further use that data to send newsletters. Furthermore, an employer cannot collect data simply to build a talent database (also known as just-in-case talent) by storing candidates’ data in case it may be urgently required in the future. Doing so would defeat the purpose of the law.
Employers are under an obligation to only process the bare minimum data necessary to fulfil the specified purpose. Moreover, there must be a clear nexus between data collected and the purpose specified.
Illustration: While employers may require Aadhaar details for remitting social security contributions, they should refrain from collecting such sensitive information during the initial hiring process itself. Similarly, a detailed medical history might be necessary when employing workers in hazardous manufacturing environments, but such extensive personal data may be unwarranted for hiring accountants or for other white-collar jobs. MNCs that provide devices (mobile phones and laptops) to employees should limit the scope of tracking and surveillance to the bare minimum needed to protect the employer’s legitimate business interests.
Employers are under an obligation to ensure the completeness, accuracy and consistency of an employee’s/candidate’s personal data if it is used to make a decision that affects her, or if it is shared with another Data Fiduciary.
The DPDP Act provides an employee the right to request a summary of her personal data that is stored by the employer, as well as the identities of all other Data Fiduciaries (sister/associate establishments, payroll managers, service providers, etc.) with whom the employee’s data has been shared by the employer.
Furthermore, an employee also has the right to get her personal data corrected, completed, updated or erased as and when requested. However, a request to erase one’s data can be denied by the employer if such data retention is necessary for the purposes of complying with any law for the time being in force.
Employers are mandated to erase all personal data upon withdrawal of consent by the employee, or as soon as the specified purpose for such data is served, except where the data is required to be archived for fulfilling certain obligations and compliances under the law.
Illustration: An employer may retain the said data for purposes such as filing ITR, making certain obligatory communications, re-employment in cases of retrenchment, etc.
It is advisable for employers to have a data retention policy in place that delineates justifiable retention periods and lays out the compliances to be undertaken by the company once data is no longer required. This data retention policy can be shared with the employees.
The DPDP Act casts an obligation on employers to protect data and prevent data breaches by undertaking ‘reasonable’ security safeguards, i.e., by implementing appropriate technical and organisational measures to prevent any breach of personal data in their possession or control.
The DPDP Act does not explicitly define what constitutes ‘reasonable’ security safeguards, despite imposing substantial fines (up to INR 250 Crores) for failing to implement such ‘reasonable’ safeguards. Rule 8 of the Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 (SPDI) could serve as a good starting point for adopting such reasonable safety measures. These reasonable safety measures are to be ensured even when the Data Fiduciary engages a third-party processor. To comply with this provision, it is important to have a valid contract in place with such third-party processor that requires it to implement such safety measures.
Employers are recommended to maintain up-to-date security systems (by using firewalls and encryption technology), procure the necessary ISO certification (if applicable), train their staff on data security, and employ tokenisation or pseudonymisation systems that conceal real identities, etc.
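As an added illustration (not part of the original article, and not a product of its authors or any named vendor) of the pseudonymisation and tokenisation recommended above, together with the data-minimisation and erasure duties discussed earlier, the script below pseudonymises a constructed HR record with a keyed hash, drops every field the stated purpose does not need, and keeps reversible tokens in a separate vault that can honour an erasure request. The field names, the purpose allow-list and the sample record are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

# Constructed field names for a hypothetical HR record; assumption for this example.
DIRECT_IDENTIFIERS = ("name", "email", "aadhaar", "phone")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the value under a secret key.

    Deterministic, so the same employee always maps to the same pseudonym and
    records can still be joined for analytics. Without the key, which should be
    held outside the analytics environment, the pseudonym cannot be linked back
    to the person or brute-forced from a list of candidate values.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: Dict[str, str], key: bytes,
                              purpose_fields: Iterable[str]) -> Dict[str, str]:
    """Keep only the fields the specified purpose needs; pseudonymise any direct identifiers among them."""
    allowed = set(purpose_fields)
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # data minimisation: everything the purpose does not need is dropped
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonymise(value, key)
        else:
            out[field] = value
    return out


class TokenVault:
    """Reversible tokenisation: a random token stands in for the real value.

    The token carries no information about the value; re-identification is only
    possible through this vault, which is kept separate from the systems that
    hold the tokenised records.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, unrelated to the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._by_token[token]  # raises KeyError for unknown or erased tokens

    def erase(self, value: str) -> bool:
        """Erasure request: forget the mapping so any outstanding tokens become unlinkable."""
        token = self._by_value.pop(value, None)
        if token is None:
            return False
        del self._by_token[token]
        return True


if __name__ == "__main__":
    # Constructed sample record and key; not real data.
    key = b"constructed-example-key-keep-in-a-kms"
    record = {"name": "A. Sharma", "email": "a.sharma@example.com",
              "aadhaar": "000000000000", "salary_band": "L3", "hobbies": "chess"}
    print(minimise_and_pseudonymise(record, key, ["name", "salary_band"]))
    vault = TokenVault()
    token = vault.tokenise(record["email"])
    print(token, vault.detokenise(token), vault.erase(record["email"]))
```

The HMAC key and the vault are the two things that turn pseudonymised data back into personal data, so access to them should be logged and restricted to the staff who actually need to re-identify an employee; the analytics dataset itself then holds nothing a reviewer could map back to a person.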
The DPDP Act casts a legal obligation, under Section 8(6), on the employer to notify the Data Protection Board of India (‘Board’) as well as the affected employees in case of any data breach. The penalty for contravention in observing this obligation can be as high as INR 200 Crores.
Employers are required to establish a ‘readily available’ mechanism for redressing grievances in a timely manner. This mechanism shall be the first point of contact for an aggrieved individual for grievance redressal under the DPDP Act. She can approach the Board for grievance redressal only after this opportunity is exhausted. Additionally, in case the employer qualifies to be a Significant Data Fiduciary it shall also be required to appoint a Data Protection Officer.
Data protection law is a complex and nuanced subject. Even though many specifics of the DPDP Act are still to be clarified through its Rules, the Board is yet to be set up, and the law is yet to be brought into effect, employers cannot afford to remain in ignorance, because the Act has not shied away from prescribing huge penalties (up to hundreds of crores) for any contravention of the law.
As a preemptive measure, it is best if employers brace themselves and begin compliance preparations at the earliest, start preparing an updated data protection policy that balances the employer’s right to process data against the employees’ right to privacy, and train employees to imbibe a culture of data privacy.
[The authors are Partner and Senior Associate in Corporate Law practice at Lakshmikumaran & Sridharan Attorneys, New Delhi]