India had no dedicated data protection statute until 2023. Prior to the passage of the Digital Personal Data Protection (DPDP) Act, 2023, the regime for protecting data belonging to individuals was contained in the Information Technology Act, 2000 ('IT Act'), in particular Section 43A, which provided for compensation for failure to protect data.
Further, Section 72A of the IT Act provided for punishment for disclosing personal information in breach of a lawful contract or without the consent of the person concerned. Also relevant is the power of the Central Government under Section 87(2)(ob) of the IT Act to make rules prescribing reasonable security practices and procedures and defining sensitive personal data or information.
Exercising the power conferred by Section 87(2)(ob), the Central Government framed the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('IT Rules'). The IT Rules imposed a set of requirements on body corporates that collect, process and store personal information, including sensitive personal data or information ('SPDI'), to ensure that data protection measures are in place.
Data Protection Regime Prior to the Passage of Digital Personal Data Protection Act, 2023
Corporate entities were responsible for implementing strong data privacy measures and for ensuring that the mechanisms by which individuals' data was processed and transferred were secure. Employees are a significant asset for any corporate entity, and companies had to ensure that data collected from employees was protected and secured. Employees also had to be informed of their privacy rights.
The IT Rules set out the compliance requirements for an entity that collects, stores or otherwise processes SPDI, which Rule 3 defines to include passwords, financial information such as bank account or card details, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.
Employers collected employee SPDI for a variety of reasons, including selection procedures, record retention, employee assessments and other legitimate business purposes. Employers therefore had to be aware of the compliance requirements regarding employee SPDI and of their liability. Under Section 43A, an employer that was negligent in implementing and maintaining 'reasonable security practices and procedures' to protect an employee's SPDI, and thereby caused wrongful loss or wrongful gain to any person, was liable to pay damages by way of compensation to the person affected. The affected employee could file a complaint with the adjudicating officer under the IT Act or approach the relevant civil court.
Obligations of the Employer under IT Act & IT Rules
- Lawful Collection and Notice Requirement
An employer should collect an employee's SPDI only for a lawful purpose connected with a function or activity of the employer, and only where the collection is necessary for that purpose (Rule 5(2)). The information collected must be used only for the purpose for which it was obtained (Rule 5(5)) and must not be retained for longer than necessary (Rule 5(4)).
Under Rule 5(3), an employer collecting information directly from an employee (but not otherwise) must take such steps as are reasonable in the circumstances to ensure that the employee knows that the information is being collected, the purpose of the collection, the intended recipients, and the name and address of the agency collecting the information and of the agency that will retain it. Because 'information' is defined broadly in Rule 2(1)(f), this requirement also extends to an employee's personal information collected from them, not only to SPDI.
Note: An employee was not entitled to be notified if their personal data was acquired from a third party.
From the time an employee joins an organisation until the employment contract ends, the organisation collects, stores, tracks and processes the employee's data. Under Rule 5(1), an employer must obtain the provider's consent in writing (including by letter, fax or email) regarding the purpose of use before collecting SPDI; this applies to all employees, because they are the providers of that information. The consent obtained should cover every stage of the data life cycle, from initial collection through processing to retention.
If an employer has not obtained consent for SPDI, it may not take any action on that data unless the processing is required by law or is necessary for the performance of the contract with the employee. Even where processing is exempt from the consent requirement, the employer must still give the employee notice of the processing.
Under Rule 5(4), an employer must not retain SPDI for longer than is required for the purposes for which it may lawfully be used, or than is otherwise required under any other law. This is distinct from the employee's option to opt out or withdraw consent, which is a weaker form of protection. Retention beyond the original purpose is usually justified by other law: because civil claims against an employer may be brought within the three-year limitation period, employers commonly retain employee records for at least three years. Whatever is retained must be protected, so employers must both have and implement a security programme and be able to demonstrate compliance; this is one of the purposes of accountability.
- Security of Employees’ Data
Employers are required to keep the information secure under Rule 5(8) of the IT Rules, which refers to Rule 8. Under Rule 8(1), employers are considered to have complied with reasonable security practices and procedures if they:
i. have implemented such security practices and standards,
ii. have a comprehensive, documented information security programme, and
iii. have information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets being protected and the nature of the business.
- Requirements for Data Disclosure & Cross-Border Data Transfers
Under Rule 7, SPDI may be transferred to another body corporate or person, whether in India or in another country, only if the recipient ensures the same level of data protection that the transferring employer is required to maintain under the IT Rules. In addition, the transfer is permitted only where it is necessary for the performance of a lawful contract between the employee and the employer, or where the employee has consented to it. Transfers to third parties, including outsourcing providers, are subject to the same conditions, so the employer must assess the recipient's security controls before transferring any data.
- Privacy Policy Requirement
Under Rule 4, an employer that collects, receives, possesses, stores, deals in or handles personal information of its employees must provide a privacy policy for the handling of personal information, including SPDI, and must ensure that the policy is available for review by its employees. The Rule also requires that the policy be published on the employer's website.
Employers collect personal information, including SPDI such as health records, medical data and financial information, for a variety of reasons, including payroll and screening candidates against specific criteria. Certain obligations attach to SPDI, and an employer needs to be aware of those obligations and of the consequences of failing to comply with them.
The IT Rules require each body corporate to have an information security programme and policies commensurate with the information assets being safeguarded. 'Reasonable security practices and procedures' is defined in the Explanation to Section 43A of the IT Act as 'security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force...'
Under Rule 8(2), a body corporate may implement the international standard IS/ISO/IEC 27001 on information security management systems. Any industry association or other body that chooses to follow a code of best practice other than IS/ISO/IEC 27001 must have that code approved and notified by the Central Government (Rule 8(3)). A body corporate that has implemented such standards or codes must have them certified or audited by an independent auditor approved by the Central Government, at least once a year or whenever it significantly upgrades its processes and computer resources (Rule 8(4)).
Employees’ Rights under IT Rules
- Right to Correction and Access
Under Rule 5(6), employers must permit employees, on request, to review the information they have provided, and must ensure that any personal information or SPDI found to be inaccurate or deficient is corrected or amended as feasible.
- Right to Withdraw Consent
Under Rule 5(7), employers must give employees the option to withdraw, at any time and in writing, the consent given for the use of their information. Where consent is withdrawn, the employer may decline to provide the goods or services for which the information was sought.
Consequences of Violation of IT Act and IT Rules
If an employer is negligent in implementing and maintaining reasonable security practices and procedures as mandated under the IT Act and the IT Rules, and this causes wrongful loss or wrongful gain to any person, the employer is liable under Section 43A to pay damages by way of compensation to the person affected. For any other contravention of the IT Rules for which no separate penalty is provided, Section 45 of the IT Act provides for compensation of up to INR 25,000 to the person affected, or a penalty of up to INR 25,000.
Data Protection Regime after the Passage of Digital Personal Data Protection Act, 2023
With the passage of the DPDP Act, the whole of data protection law is brought within a single statute. The stated purpose of the DPDP Act is to regulate the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
The DPDP Act also amends the IT Act so that Section 43A and Section 87(2)(ob) are omitted in their entirety.
The IT Rules were framed by the Central Government under Section 87(2)(ob) read with Section 43A of the IT Act. With those enabling provisions omitted by the DPDP Act, whether the IT Rules continue to have any validity will have to be tested against the settled principles governing subordinate legislation whose parent provision has been repealed.
It also remains to be seen when the Central Government will notify rules under its power in Section 40 of the DPDP Act.
The following provisions of the DPDP Act would mandate the protection of the digital personal data of employees (who will be 'Data Principals' under the DPDP Act) by the corporate entities employing them (who will be 'Data Fiduciaries' under the DPDP Act):
1. The Data Fiduciary is under an obligation to protect the personal data in its possession by taking reasonable security safeguards to prevent the breach of personal data.
2. In case of any breach of personal data, the Data Fiduciary would have to intimate the Data Principal as well as the Data Protection Board of India.
3. The Data Fiduciary is obliged to erase the Data Principal's personal data upon the Data Principal withdrawing consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law.
4. The personal data of a Data Principal can be processed only for a lawful purpose for which the Data Principal has given consent (which must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action) or for certain other legitimate uses listed in the Act. Processing must be limited to the specified purpose for which the Data Principal has voluntarily given consent.
5. Where consent for processing personal data was given before the commencement of the DPDP Act, the Data Fiduciary must, as soon as reasonably practicable, give the Data Principal notice describing the personal data and the purpose for which it is being processed.
6. The Data Principal is also given the right to withdraw their consent at any time.
7. The Central Government may notify certain Data Fiduciaries, including startups, to which specified provisions of the DPDP Act (for example, the requirement of notice for consent, the erasure of personal data, and the Data Principal's right to seek information about her personal data) will not apply.
8. The DPDP Act also prescribes stringent monetary penalties for breach of certain provisions of the Act or the Rules made under it; under the Schedule to the Act, the penalty for failing to take reasonable security safeguards to prevent a personal data breach may extend to INR 250 crore.
9. However, unlike Section 43A of the IT Act, which gave an affected person the right to claim damages for failure to protect personal information, the DPDP Act contains no corresponding provision conferring on the Data Principal a right to seek compensation for a personal data breach.
It will be important to see the Rules framed under the DPDP Act; it is likely that rules on the lines of the IT Rules will be framed, laying down the mechanism to be followed for protecting digital personal data.
Conclusion
Keeping these repercussions in mind, and in particular the stringent penalties under the DPDP Act, employers are strongly advised to fulfil their obligations to safeguard their employees' privacy and personal data at all times. Employees provide the details requested by employers on the trust that the employer will keep them confidential and not share them with others.