Indian Digital Personal Data Protection Act- Impact on Employers

  • Adv. Shasikant
    (IPR Consultant, Mumbai)

In a time of rapid technological development and digital change, safeguarding personal information has become crucial. The Digital Personal Data Protection Act, 2023 (the "Act") is a major step forward in the protection of personal data in the digital era. The consequences of this law are enormous, especially for employers that gather personal data of employees, vendors and customers. The banking industry handles consumer personal data; the healthcare industry handles a wealth of sensitive personal data, including genetic data and medical records; and the IT industry handles customer personal data. Hence, as privacy issues and data breaches receive greater attention, the Act seeks to protect digital personal data across a variety of businesses. By limiting the collection, use, and sharing of personal data and highlighting the significance of processing personal data only for legitimate reasons, the Act aims to protect individual privacy rights. Employers handle a vast amount of personal information on their staff, customers, suppliers, and potential hires.

APPLICABILITY OF THE ACT

WITHIN INDIA: The processing of digital personal data within the territory of India, where the personal data is collected (a) in digital form, or (b) in non-digital form and digitised subsequently.

OUTSIDE INDIA: The processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to an individual within the territory of India. The DPDP Act does not currently restrict the transfer of personal data outside of India unless the Government specifically restricts transfers to certain countries (blacklisting) or enacts any other form of restriction (Section 16).

NON-APPLICABILITY OF THE ACT: It shall not apply to personal data that is made or caused to be made publicly available by the individual to whom such personal data relates.

KEY TERMINOLOGIES

Data Principal means the individual to whom the personal data relates.
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
Personal Data means any data about an individual who is identifiable by or in relation to such data.
Processing in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
Personal Data Breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

PERSONAL DATA PROCESSING

There are two grounds of processing under which an organization can process personal data:
(i) Consent
(ii) Legitimate use

(i) Consent – Purpose

Every request made to a Data Principal for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing the Data Principal of:
• the personal data and the purpose for which the same is proposed to be processed;
• the manner in which she/he may exercise her/his rights; and
• the manner in which the Data Principal may make a complaint to the Board, in such manner as may be prescribed.
The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

(ii) Legitimate Uses

No separate consent is required for legitimate uses.
Legitimate uses are:
(i) Personal data voluntarily provided by the Data Principal;
(ii) Processing for the purposes of employment or those related to safeguarding the employer from loss or liability;
(iii) Processing where the Data Principal has not indicated that she/he does not consent to the use of the personal data;
(iv) Processing by the State and any of its instrumentalities for any function under any law for the time being in force in India;
(v) Processing for matters concerning public interest, e.g., medical emergency, judicial use.


EMPLOYMENT PURPOSE

No separate consent is required for the purpose of employment, as it is considered one of the legitimate uses. Processing for salary and employment benefits, processing for PF/ESI registration, processing for any other statutory purpose, processing for safeguarding the employer from loss or liability, and processing by an insurance company for the benefit of the employee can be considered employment purposes. However, processing by vendors, processing by third-party trainers, processing by an audit firm or for BGV, processing for advertising, marketing or social media purposes, and processing by a customer cannot be considered employment purposes by an employer. As there is no judicial interpretation or case law stating which purposes are covered under the employment purpose, to be on the safer side it is advised to obtain consent from employees, by attaching a notice and consent form, for processing personal data for any purpose not directly related to employment. For all non-employment purposes, employers are recommended to collect consent from their employees.

Data Security: Strict restrictions for the collection, storage, and handling of such data are established under the Act. To guarantee the protection of personal data, employers must have strong data encryption, access restrictions, and audit trails in place. It will be necessary to invest in cutting-edge cybersecurity infrastructure to protect against cyber attacks in order to comply with the Act.

Ensuring Personal Data Privacy: The purpose of the Act is to give individuals more control over their personal data by requiring companies to get express authorization before collecting, using, or disclosing any personal information.

Challenges to ensure Compliance: Employers can find it difficult to adjust to the strict compliance standards. To prevent data breaches and maintain compliance, employers must make investments in reliable data management systems, encryption technology, and cybersecurity measures. Further difficulties include securing compliance expertise and convincing individuals to provide their informed consent.

PENALTIES

If the Board determines, on conclusion of an inquiry, that a breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty as is specified in the Schedule.

Maintaining data privacy when processing data for client projects requires careful consideration, which makes it a difficult but necessary task. One of the significant outcomes of the Act is the empowerment of individuals in managing their personal data. Individuals gain the right to access their personal data records, request corrections, and even request the deletion of their data under certain circumstances. This shift in power dynamics encourages individuals to take an active role in their data management decisions.

WAY FORWARD FOR EMPLOYERS

Training: Provide training sessions to key stakeholders within the organization (HR, TA, IT, Procurement, Finance, etc.).
Appointment: Appoint a Data Protection Officer (DPO).
Identification: Identify all third parties, including service providers, customers and vendors, who are storing or processing personal data on behalf of the Employer. The Employer will need to amend the third-party agreements and contracts with respect to their obligations.
Contact: Connect with data processors and communicate to them their upcoming responsibilities and obligations with respect to the personal data they are handling on the Employer's behalf.
Revision: Continuously review data, consent, erasure, purpose, etc.
Monitoring: Review and monitor existing data flows to evaluate the nature of data collected, methods of processing data, status of data currently possessed, data storage and retention policies, etc.
Deletion: Delete existing data of inactive Data Principals.
Review: Revisit the company's existing privacy policy and ensure adherence to the Act.
Establish Process: Establish processes for data privacy breach management, including notifications to stakeholders (Data Principals, the Data Protection Board), and integrate these breach management mechanisms with existing incident management processes.
References: Refer to recent notifications and amendments made by the Central Government and take appropriate action, e.g., a notification from the Government on countries or territories outside India to which data transfers would be restricted.

While challenges will arise during its implementation, some of the actions an employer can take are as follows:
Identify the requirements and purposes of personal data processing.
Set up a notice and consent management system.
Establish breach safeguards and internal controls for data processes.
Set up a grievance redressal system.
Revise contracts, POs and T&Cs with Data Processors.
Prepare SOPs, a compliance matrix and a DPDP manual for the organization.
