India’s Data Protection in the Workplace and its Impact on Employers
In January 2024, Amazon France Logistique was fined €32 million by the French Data Protection Authority, CNIL for its employee data processing practices. The company’s employee monitoring practices¹ caught attention of the regulator for being excessive, non-transparent and violative of privacy rights of employees under the Eur0pean Union’s (EU) General Data Protection Regulation (GDPR).
The action against the logistics firm in France signals the risk that Indian companies will have to navigate as India’s Digital Personal Data Protection (DPDP) Act, 2023, becomes operational. While most organisations tend to look outward in their DPDP compliance framework, the case from France underscores that looking inward will be just as critical. They cannot afford to ignore the significant personal data of their employees that they regularly collect, store and process as part of their daily operations.
Navigating India’s DPDP Act, 2023 and Employee Data?
Employers are data fiduciaries under the DPDP Act, and therefore must ensure that the privacy and rights of their employees (data principals) are protected. A failure to do so can lead to penalties up to INR 250 cr².
The DPDP Act, 2023 provides two grounds for processing digital personal data – consent and legitimate use cases. Section 7(i) lays down purposes of employment³ as a legitimate use case, where employers can process personal data of employees for uses such as:
1. Safeguarding the employer from loss or liability
2. Maintenance of confidentiality of trade secrets, intellectual property
3. Provision of any service or benefit sought by an employee.
Employees now have a framework of rights over their data, which employers have to guarantee. For instance, they have the right to seek completeness, accuracy, and consistency of their data, especially if it is being used to make a decision affecting them or if their data is being shared with another fiduciary.
If employers want to process any employee personal data which may be beyond the scope of legitimate use cases, they will have to obtain consent from them. A broader set of rights is available to data principals in that case. For instance, employees will then have the right to access how their information is processed and the right to correction and erasure of their data .
In either case, employers are responsible for implementing reasonable security safeguards to protect all personal datasets against breaches. The DPDP Act empowers employees with more control over their personal data and provides them a mechanism to redress their grievances against their employers’ data processing activities. Resultantly, they can file complaints against their employer if they fail to protect their rights over their personal data and secure it against breaches.
Privacy Implications for Employers
Organisations will have to pay close attention to their internal employee data handling policies and processes. But they tend to also share their employee data with others. In such cases risks to employee data can arise out of at least two scenarios – sharing data among group companies or outsourcing it to third parties for provision of certain services.
It is common for group companies constituted of several distinct companies fulfilling different functions, to share data among themselves. This data could include employee data which may be shared for purposes such as standardising salaries across the group. Under EU’s GDPR, group companies can transfer data among themselves, but they need to be able to prove a legitimate interest for transferring such data. If legitimate interest is not proved, it could have implications not just for the company processing the data, but also for the entire group. They are likely to have similar implications under the DPDP Act.
Many organisations also outsource employee data for provision of certain services. Recently, the demand for business process outsourcing has increased, which frees-up businesses to focus on their core functions. There are many Human Resources functions being outsourced to third party service providers. Several such providers also use automation and AI for greater efficiency, and their data processing practices could be vastly different from that of the data fiduciary’s.
The DPDP Act makes it clear that any processing of personal data is the primary responsibility of the data fiduciary. This means that employers will be accountable for the data processing activities of their data processors, such as the ones discussed above. It is therefore crucial for organisations to look both inward and outward to carefully examine all their data flows.
The Road to Privacy Compliance
The DPDP Act will be implemented once the Rules under it are notified, which will lay down certain operational details. These Rules are likely to be part of the new government’s 100-day agenda.
Much preparation can be done before the Rules are notified. Data fiduciaries need to start assessing how they can comply with the spirit of the law. They can no longer afford to view their employee data with less seriousness than their customer data when a data breach or privacy violation of employee data can have grave consequences for them.
For starters, organisations should conduct a Data Protection Impact Assessment (DPIA) to examine the impact of their processing activities on data principals. Certain significant data fiduciaries are mandated by law to conduct a DPIA, however, it is a critical exercise that all organisations must undertake to assess themselves against the new law. A DPIA can help them identify data protection risks, arrive at a quantifiable risk-score and establish a baseline. This framework can be used to review all their processes around digital personal data, including their handling of employee data.
While solutions for becoming DPDP compliant will be unique to each organisation, any solution will have to be a combination of – people, policies, processes, and technologies.
These are early days for the privacy regime in India and people will be a key component of data governance in any organisation. It is important to note that vast amounts of data flows through employees. Risks can arise out of both – handling employee data and employees’ handling of data.
Both can be remedied by institutionalising periodic training programmes for employees. When the Sexual Harassment of Women at Workplace (Prevention, Prohibition, and Redressal) Act (PoSH Act) was enacted in India, it was evident that employees needed to be sensitised about their rights and responsibilities under the law. The DPDP is also a law where employers can borrow the training framework from the PoSH Act. In fact, data privacy laws of some countries, such as South Korea’s Personal Information Protection Act makes it mandatory for employers to provide data privacy training to their employees.
While the DPDP Act does not mandate it, organisations should start looking at data privacy training as a critical component of change management. Sensitising employees about their rights and responsibilities under the DPDP Act will go a long way in building a privacy-oriented culture in organisations that come under its ambit.
If you are planning to make your organisation compliant with the DPDP Act, 2023, you can write to us at [email protected]
References:
2.See the Schedule I, Digital Personal Data Protection Act, 2023
3. Section 7(i), Digital Personal Data Protection Act, 2023
