DPDP Act: Employer & Employee Relationship

As the name suggests, the Digital Personal Data Protection Act, 2023 (the “DPDP Act”/ the “Statute”) provides for protecting the digital personal data of an individual. Personal data is defined to mean any data about an individual who is identifiable by or in relation to such data, irrespective of the sensitivity of the data. The breadth of this definition ensures that any personal data provided by an individual in the context of her employment is also covered by the Statute.

The Statute covers, within its scope, not just those companies that collect digital personal data from the public at large but almost every entity with employees, retainers and the like. While the rules may bring clarity on the applicability of certain provisions of the DPDP Act to companies of a specific size, the basic tenets of the Statute will have to be followed by all organisations collecting, processing and storing digital personal data.

In the following paragraphs, we have elaborated on the DPDP Act’s applicability to the employer-employee relationship and commented on the systematic and legal changes required for organisations to be compliant with the requirements of the Statute.

Applicability of Statute
The definition of a ‘data principal’ is broad and inclusive, potentially capturing a wide range of individuals beyond just customers or clients and will include an ‘employee’ as well. Further, a ‘data processor’ refers to any entity that processes personal data on behalf of a data fiduciary, while a ‘data fiduciary’ is any person or entity that determines the purpose and means of processing personal data. These roles are not limited to external organizations or third-party service providers; employers can also function as both data processors and data fiduciaries.

Consequently, when an employer collects, stores, and manages personal data of employees, he acts as a data fiduciary, determining how and why this data will be processed. Similarly, if an employer processes this data on behalf of another entity (such as a subsidiary or parent company), he fulfils the role of a data processor.

Given the above, the digital personal data of an employee, retainer, contractor or similar hire is protected under the DPDP Act, and the employer must fulfil the obligations of a data processor and/or data fiduciary, as the case may be.

Employer Employee Relationship
Free consent is contentious in the context of an employer-employee/retainer/contractor relationship because of the imbalance of negotiating power. In the Guidelines on ‘Consent’ issued by the European Data Protection Board (“EDPB”), the EDPB recognises the imbalance of power in the employer-employee relationship and holds that, in such cases, whether consent is freely given needs to be determined on the basis of the context and facts of each case.1

Under the DPDP Act, personal data of a data principal can be processed for a lawful purpose when there is either valid free consent or a ‘certain legitimate use’. Processing of an employee’s digital personal data in the course of employment is considered processing for a legitimate use, for which consent is not required.

The concept of ‘in the course of employment’ is wide and not defined under the Statute. Similarly, the terms ‘employee’ and ‘employer’ remain vague. Under these circumstances, how does one treat arrangements such as retainership, internship or sub-contracting? Is the employer to process personal information for arrangements other than the traditional employer-employee relationship in the manner prescribed for consent-based processing for a specified purpose?

In the absence of specific definitions, yet another issue arises in relation to the situation where an individual is not yet an employee. Before an individual is employed, the information that may be collected, processed and stored includes personal details (such as name, address, date of birth), educational qualifications, employment history, references, and any criminal background checks. Additionally, financial information, medical records, and assessments from pre-employment screenings may be gathered.

After the individual leaves the job, the company may retain records of their employment history, performance evaluations, exit interview details, and any post-employment benefits or pension information.

While there are statutes which govern the nature of information that should be retained, and the duration for which it should be retained, in respect of ex-employees, there are no similar statutes for pre-employment information, especially where the individual was never hired.

The DPDP Act has given an employer the liberty to decide on the processing of an employee’s personal data if it is established that the processing is for safeguarding the employer from loss or liability related to corporate espionage, for the maintenance of trade secrets, or for the provision of any service sought by the employee. This again is a wide scope for the employer to exercise in the absence of clarity on such terminology or a basic framework for establishing, say, corporate espionage! The provision lacks clarity on how and what types of personal data will be processed and at what stage. Will a mere suspicion or belief of corporate espionage be enough to trigger this?

The Statute exempts data fiduciaries from certain obligations and data principals from their rights in the context of a merger or demerger. This implies that an employer is not required to obtain employees’ consent when their personal data is shared with an acquiring or transferee company.

Multiple Processors
Processing employee information often involves multiple third-party processors to ensure comprehensive and compliant handling of data. Background verification agencies conduct criminal background checks and verify educational and employment records. Payroll service providers manage financial information such as salary disbursements and tax details. Health insurance providers handle medical records and benefits data. IT service vendors process and secure digital records, including email and access logs. Post-employment, record retention services and legal advisors maintain and process exit interview details, performance evaluations, and post-employment benefits. These third-party processors collaborate to ensure employee information is accurately processed, securely stored, and handled in compliance with relevant regulations.

Nature of Information Collected
During the course of employment, an employer should collect and process only information that is necessary for the employment relationship. This may include personal details (name, address, date of birth), employment history, performance evaluations, attendance records, and financial information related to payroll and benefits. It may also include medical information relevant to workplace safety and health benefits, as well as data necessary for compliance with legal and regulatory requirements.

However, certain types of information should not be collected or retained unless absolutely necessary and legally justified. This includes personal images captured by office cameras, personal communications, or any data that intrudes on an employee’s privacy without a clear, legitimate purpose. Employers must ensure that the collection and processing of employee data is always proportional to the purpose for which it is collected; a general disclosure by the employer about the presence of active surveillance or security cameras may not be sufficient.

Systematic, Legal and Organisational Amendments
To comply with the DPDP Act, employers will need to implement several systematic changes. This may start with identifying situations where consent may be required and situations where the processing may be covered under legitimate use. Thereafter, internal mechanisms, including IT systems, will have to be upgraded for collecting, processing and storing such information. Where applicants ask the organisation to erase their information, or where there is no specific purpose to retain it, the organisation’s systems will have to be adapted to erase such information.

From a legal perspective, employee contracts will need changes to incorporate assurances of personal data safeguards. Third parties involved in processing information will be required to guarantee the safety of personal data via robust contract clauses. Organisationally, employers will have to adopt the practice of conducting regular training sessions for employees on data protection principles, their rights under the DPDP Act, and the company’s data handling practices.

Conclusion
While companies navigate through the mire of the DPDP Act to protect the digital personal information of clients and customers, the internal workings of an organisation, from the perspective of employees’ privacy, shall also be governed by the Statute. Apart from amendments to existing systems for compliance with the data privacy legislation, a company may be required to handle the interplay of multiple legislations, for instance the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 and the DPDP Act, or the Labour Laws. Once the privacy laws are implemented, a more comprehensive understanding may develop.

By Rashmi Deshpande and Navaneeta Kanjilal
