Introduction
The Digital Personal Data Protection Act, 2023 (“Act”) received Presidential assent on August 11, 2023. Although no rules have been formulated thereunder and the Act is yet to come into force, the applicability of this Act is imminent.
The Act encompasses the processing of digital personal data, defined under the Act as data about an individual who is identifiable by or in relation to such data in digital form, in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
Processing is defined under the Act and, in relation to personal data, inter alia includes operations such as collection, recording, structuring, storage, use, indexing, disclosure by transmission, erasure and destruction. (Section 2(x) of the Act)
The Data Fiduciaries, meaning the individuals or entities responsible for determining the purpose and means of processing personal data, are bound by the provisions of the Act aimed at safeguarding the Data Principals to whom the personal data relates.
The Act applies to the processing of digital personal data collected within the territory of India, whether collected in digital form or collected in non-digital form and digitized subsequently. It also applies to the processing of digital personal data outside the territory of India if the processing is related to the offering of goods and services to Data Principals in India. (Section 3 of the Act)
Processing Employee Data
The Act does not differentiate between personal data of the users/consumers utilized by an employer to provide goods and services, or personal data of its employees.
However, Section 7 of the Act does enable a Data Fiduciary to process employees’ personal data “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.” The relevant portion of Section 7 is reproduced below for ease of reference:
7. A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:
…
(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee
Thus, an employer can process personal data for fulfilling any employment purpose or for safeguarding itself from any loss or liability, even without obtaining employees’ consent. This may include processing data for purposes such as performance assessment, payroll, legal compliance, medical benefits and insurance claims.
For any other purpose not covered under this scope, and for which the employee had already given his/her consent to processing before the enactment of this Act, the employer must as soon as practicable provide a notice to the employee informing him/her of (i) the personal data and the purpose for which it has been processed or will be processed, (ii) his/her right to withdraw consent and right of grievance redressal, and (iii) the manner in which he/she can make a complaint to the Data Protection Board constituted under the Act. (Section 5(2) of the Act)
Moving forward, if the employer wishes to process employees’ personal data for a purpose not covered under Section 7 and for which consent has not already been given, it must follow the abovementioned process again by stating the purpose of the processing in a notice that precedes or accompanies the request made to the employees for their consent.
The consent in question must be in accordance with Section 6 of the Act, which requires it to be free, specific, informed, unconditional and unambiguous, with a clear affirmative action, and to be given in clear and plain English or any other language specified in the Eighth Schedule of the Constitution. (Section 6 of the Act)
Employer's Duties and Obligations
The Act imposes numerous obligations upon employers, which are primarily enumerated under Section 8 of the Act. The employer is responsible for complying with the Act and the rules made thereunder in respect of the processing of personal data undertaken by it or by Data Processors on its behalf, and the employer must engage a Data Processor only under a valid contract.
Where personal data is likely to be used to make a decision affecting the employee, or is to be disclosed to another Data Fiduciary, the employer must ensure its completeness, accuracy and consistency.
The employer shall also implement appropriate technical and organizational measures to ensure adherence to the Act. The employer shall take reasonable security measures to protect the personal data in its possession and to prevent a personal data breach; a failure to observe this obligation may result in the employer incurring penalties.
If there is any personal data breach, the employer must inform each affected employee and the Data Protection Board of the breach, and a monetary penalty may be imposed on the employer if it fails to notify them.
Once the purpose for which the personal data was collected has been served, or the employee withdraws his/her consent, whichever is earlier, the employer must erase the personal data and cause its Data Processors to do the same, unless retention of the data is required under law.
The employer shall also publish the contact information of a person able to answer the employees’ queries, if any, regarding the processing of their personal data and establish and implement an effective grievance redressal mechanism. The personal data must not be processed in any restricted territory or country outside India as notified from time to time. (Section 16 of the Act)
The employee has the right to ascertain a summary of the personal data being processed, the processing activities undertaken by the employer and the identities of all the other Data Fiduciaries and Data Processors in possession of his/her personal data. (Section 11 of the Act)
The employee also has the right to correct, complete, update or erase his/her personal data for which he/she has previously given consent. (Section 12 of the Act)
If the employer engages any third party to process employees’ personal data for any purpose such as accounting, bookkeeping or payroll, it must revisit its existing contracts to ensure there are obligations on such Data Processors to safeguard the data in accordance with the Act, so as to limit the risk of liability for non-compliance under the Act.
Additionally, the Act is silent on whether the ground for employers to process personal data covers processing done before and after employment, such as recruitment, verification and post-termination processing, and whether it applies to contractual hires such as consultants, agents, interns and any other person not strictly falling within the ambit of an employee.
It must be noted that clarity with respect to the mechanism to be followed under several provisions will only be attained once the rules are formulated and enacted under the Act.
