Data Privacy: INDIA: DATA PRIVACY FOR EMPLOYERS – Vol. 10 – Nov 2021
Data privacy for employers has become critical in an age where data privacy laws are becoming stringent. Moreover, all employers are bound to collect and process personal information of their employees for various purposes throughout employment lifecycle. The below table depicts the risks associated with collecting personal information from employees:
Employee awareness is also on the rise, individuals are increasingly questioning and tracking excessive data collected by the employer. Employers must build trust with employees to reduce the risk of complaints and legal inquiries.
WHAT IS THE PERSONAL INFORMATION COLLECTED BY EMPLOYERS IN INDIA?
MANDATORY LEGAL OBLIGATIONS FOR EMPLOYERS IN INDIA
In India, the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) currently impose the data protection and privacy obligations on employers. The SPDI Rules define “sensitive personal data” to include passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, biometric information and other such information provided for a service or under any lawful contract.
Whenever sensitive personal data is collected, the following legal obligations on employers apply:
2. Purpose of Collection: Employee Data, specifically sensitive personal data must be collected only for reasonable purposes in relation to employment. Excessive data must not be collected at pre-recruitment phase.
3. Consent: Explicit written consent must be obtained prior to collecting the data even during the prerecruitment phase. The consent should include instances for data transfers and disclosure to third parties.
4. Rights of Employees: Employers must provide a mechanism to review and modify personal information or withdraw consent. In case of withdrawal of consent, the consequence of such withdrawal must be explained and mapped.
5. Disclosure: Explicit consent must be obtained from employees before the data is disclosed to third parties. Such consent may be taken during the onboarding process or as and when the need arises. (e.g. background verification, corporate programmes, etc.)
6. Data transfers: Employers can transfer Employee Data to third parties subject to prior written consent. Further, the employer must ensure that the receiving entity maintains adequate data protection and privacy standards.
7. Reasonable Security practices: The security measures must be proportionate with the associated risk. Relevant industry certification for information security (ISO, NIST) can be obtained as a good practice. Reasonable security practices include documenting and implementing information security policies, containing managerial, technical, operational and physical security control measures.
Upcoming Laws: The Personal Data Protection Bill, 2019 (“PDPB 2019”) may come into force sometime in the future. While a specific relaxation is provided for employers, the PDPB 2019 is expected to completely overhaul data privacy in India and increase compliance costs and the risks of exposure to legal penalties. The upcoming law will permit employers to collect and use personal data for employment purposes subject to stringent compliances. Apart from obtaining consent, employers can by default collect and use personal data for employment specific purposes such as recruitment, termination, employee benefits, attendance, and performance evaluation.