The Digital Personal Data Protection Act, 2023 (“Act”), after many iterations, marks the beginning of a new era that demands more robust safeguarding of digital personal data. Its impact is already being felt across industry, and it represents a departure from the existing, lenient data protection requirements, which impose minimal consequences for non-compliance.
Regardless of the industry in which an organization operates, it will regularly need to handle and safeguard the personal data of its employees as a basic requirement. While the Act is yet to come into effect, all organizations should use this transition period to re-evaluate the internal processes they have established for protecting employee data and to adapt to the new requirements (including within their existing policies), so that they are prepared when the Act comes into force.
In implementing the changes the Act introduces for employee personal data, one of the key points of debate that has surfaced is the treatment of employment as a ‘legitimate use’ for data processing. We highlight below some of the key issues that employers may need to reflect upon, and examine whether organizations need to strike a balance between relying on employment as a legitimate use and obtaining specific consent from the employee, as data principal, in order to protect the organization.
Legal basis for employer to process employee data
The Act provides that personal data may be processed only for a lawful purpose for which either (i) the data principal has given her consent, which must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action; or (ii) the processing falls within a ‘legitimate use’. While the term legitimate use is not defined, the Act enumerates the scenarios that qualify as legitimate uses, and employment is one of them. In the employment context, the Act allows an organization to process personal data of individuals without prior consent for broadly three purposes: (a) for the purposes of employment; (b) for safeguarding itself from loss or liability in its capacity as an employer (e.g. prevention of corporate espionage, maintenance of confidentiality of trade secrets, etc.); and (c) for the provision of any service or benefit sought by an employee.
But does this mean organizations now have blanket permission to process employee data without consent under the umbrella of legitimate use? What happens to the employee data for which the organization has already obtained consent under the current laws? These are some of the obvious questions and issues that emerge as we move towards adapting to the new data protection law.
Scope of legitimate use for purposes of employment
From an employment standpoint, the Act does not use the traditional connotation of an ’employer-employee relationship’; instead it permits processing of personal data ‘for the purposes of employment‘ as one of the legitimate uses, which arguably encompasses a much wider scope. Even so, the term ‘for the purposes of employment‘ is not defined under the Act and leaves much room for debate, particularly in complex and grey scenarios. For instance, there is no conclusive guidance under the Act on whether ‘purposes of employment’ also covers data collected and processed for recruitment and background checks, where an employment offer has been made to a candidate but no employer-employee relationship has yet been established. Given the wider ambit, however, one can argue that such processing does serve an employment purpose, for example in shortlisting future candidates.
There are also other scenarios in which there may be no traditional employer-employee relationship and it is unclear whether the processing falls within the scope of legitimate use: processing the data of non-executive directors or contract workers, accessing an employee’s personal devices during corporate investigations, transferring employee data to a parent organization for workforce management, and so on. It remains to be seen how the jurisprudence on such aspects evolves. It also remains to be seen whether the Data Protection Board of India (“Board”), which will have the power to inquire into any breach of the Act and to impose the penalties provided in the Act, interprets the scope of legitimate use by employers broadly, or instead narrows the rights available to employers under the Act.
What happens with existing employee data?
The Act contains a general requirement that, where a data principal gave consent for the processing of her personal data before the commencement of the Act, the data fiduciary must issue a notice to that data principal (after the Act comes into force) informing her of the following:
- the personal data and purposes for which the same has been processed,
- the manner in which the employee, being the data principal, may exercise their available rights under the Act including the right to withdraw consent, and
- manner in which the data principal may make a complaint to the Board.
In line with prevailing industry norms, most global organizations today obtain the consent of their employees to the processing of their data, including through the terms of the employment agreement and employment policies. Given this practice and the requirement above, it appears that, even with the legitimate use enablement, all such organizations will have to revisit their employment contracts and policies and circulate fresh notices under the Act to their employees in the manner the new law requires.
It is also worth noting that the consents obtained today are typically in the form of all-encompassing language that does not spell out each specific purpose for which the data will be processed, and which may not meet the quality of consent prescribed under the Act. It remains to be seen how the Board treats consents obtained before the enactment of the Act (especially since such all-encompassing consents are not permitted under the Act), and whether it will require the employer not only to issue the aforesaid notice but also to obtain fresh affirmative consent meeting the Act’s standard.
Hefty cost of non-compliance
Given the issues mentioned above, the processing and handling of employee personal data under the Act is going to be a new challenge for organizations, especially those with a large employee database. It may require a dedicated compliance team and changes to systems to ensure compliance with the Act, failing which the organization could face significant exposure. Depending on the nature of the contravention, the Board may levy monetary penalties of up to INR 250 crore on the conclusion of an inquiry. Several factors may be considered in determining the quantum of the penalty, including the nature, gravity and duration of the breach, the type of personal data affected, the repetitive nature of the breach, and so on.
Way forward on processing employment data
Given the concerns discussed above and the Act’s emphasis on purpose-specific data processing, the risk of non-compliance in processing employee personal data can be mitigated if employers obtain clear affirmative consent from their employees after communicating the lawful purposes for which they will retain and process that data. While there may be scenarios (as highlighted above) in which employment as a legitimate use does not come to the rescue of the organization, in our view obtaining appropriate consent from the relevant data principals (such as candidates, non-executive directors, etc.) could go a long way towards mitigating the risk. This gives employers a dual cushion for lawfully processing employee data, i.e., both express consent and the permitted legitimate use.
It is almost time for affected organizations and HR departments to revisit the terms of their employment contracts and policies, and the quality of the consent on the basis of which they process the personal data of their employees. These initial steps will help organizations to be ready for the new law when it comes into effect, without affecting their ability to continue processing employee data.