Employer Obligations on Employee Data Under Indian Law

UPDATE: The Personal Data Protection Bill 2019 has been withdrawn by the Indian government after over three years of discussion. The Bill had attracted major criticisms from industry stakeholders, NGOs, privacy activists and tech platforms as it proposed strict rules for international data transfers and giving the Indian government the authority to request user data from businesses. The Government is now considering to work on a new comprehensive legislation that would adequately capture needs and concerns of data privacy, cybersecurity, and overall digital ecosystem to meet the global privacy standard.

India does not have an exclusive comprehensive data protection law yet. The Information Technology Act, 2000 (later amended in 2008) contains few specific provisions that deal with data protection. Section 43-A of the Information Technology (Amendment) Act, 2008 (the "IT Act") provides for protection of 'sensitive personal data or information (SPDI). Section 72-A of the IT Act provides for the protection of personal information and imposes punishment for disclosure of information in breach of a lawful contract or without the information provider's consent.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules ("IT Rules") which became effective in 2011 primarily prescribes several requirements for the corporate entities collecting, processing and storing personal data, including SPDI to comply with data protection measures. These IT Rules superficially resemble a data protection law, but they have crippling deficiencies and ambiguities. Half of these IT Rules only apply to a very restrictive definition of ‘sensitive personal data, and not to other personal data; half of them do not impose obligations in relation to data subjects per se, but only to ‘the provider of the information. Since an employer directly collects data from employees so in this article, we would be considering providers of information as employees.

The focus of this article will be on highlighting the employer’s obligations towards employees’ personal data under the IT Act and IT Rules.

Understanding Personal Information and Sensitive Personal Data Information:

Before we delve further into a detailed analysis of the application of IT Rules and It Act to employees, it is imperative to understand the definitions of SPDI and personal data.

As per Rule 2 of IT Rules, Personal Information means “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such a person.”

Under Rule 3 of the IT Rules, SPDI means “any personal information that contains information relating to passwords; financial information; physical, physiological and mental health condition; sexual orientation; medical history and records; and biometric information.”

Employer’s Obligations Under the IT Rules and IT Act:

1. Lawful Collection and Notice Requirement:

An employer should collect the SPDI of an employee only if required for a lawful purpose and in connection with the functioning of the employer and if collection of such information is necessary. The information should be used only for the purpose for which it is collected and should not be retained for a period that is longer than is required.

As per Rule 5(3), employer ‘collecting information directly from the employee concerned’ (but not otherwise), ‘shall take such steps as are, in the circumstances, reasonable to ensure that the employee concerned is aware of the fact of collection, the purpose, the intended recipients, and the contact information for the collector and the party that will hold the data. Because of the broad definition of ‘information in Rule 2((1)(f), this requirement should apply to all ‘personal information collected from employees. Employees are not entitled to any notice when their personal data is collected from third parties.

2. Consent Obligations:

Organizations collect, store, track and process an employee's data from the point of joining an organization to the day the employment contract is terminated. As per Rule 5(1), employers must obtain, before collection, written consent from the provider of the information ‘regarding purpose, means and modes of use’ (sensitive information only). This applies to employees as they are the provider of the information. This needs to be the case for every step of the data lifecycle, from initial data collection to processing and even retention of data.

Without consent, the employer is not permitted to take any action on the SPDI (unless there are legal requirements or the data needs to be processed to complete the contract process). If the data is exempted from obtaining consent, the employer is still required to provide the employee a notice about this processing.

3. Retention Requirements:

As per Rule 5(4), employers may not retain information beyond when it may lawfully be used (sensitive information only). This is not the same as when the purpose of collection has expired and is a low standard of protection. An employer should retain employee personal data for at least three years, as the laws on limitation provide that civil legal proceedings may be initiated during such period. Employers are therefore required to both have and to implement such a security program and be able to demonstrate their compliance—one meaning of “accountability’’.

4. Security of Employees’ Data:

Rule 5(8) of the IT Rules requires employers to keep the information secure. Rule 8 of the IT Rules requires that employers shall be considered to have complied with reasonable security practices and procedures if they have implemented such security practices and standards and have a comprehensively documented information security program and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.

5. Data Disclosure and Cross Border Data Transfer Requirements:

Employers must ensure that the country to which the data is being transferred to has the same level of data protection as is required under Rules 5(8) and 8 of the IT Rules. Furthermore, sensitive data can only be transferred with the consent of the employee, unless the transfer is necessary for performing a lawful contract between the transferor and the employee. With regards to transfers of data to third parties (outsourcing companies), the same obligations apply, which means that the organization needs to assess the third party for sufficient security controls before transfer. The same also applies to sensitive data, where employee consent must be obtained before transferring any such data unless it is required to perform a lawful contract.

6. Privacy Policy Requirement:

Under Rule 4, an employer who collects, receives, possesses, stores, deals or handles personal information of employees shall provide a privacy policy for handling of or dealing in user information including sensitive personal information and ensure that the same are available for view by employees. Employees have the right to seek a privacy policy from the employer.

Employees’ Rights Under IT Rules:

Right to Correction and Access:

As per Rule 5(6), an employer must permit employees, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data, or information found to be inaccurate or deficient, shall be corrected or amended as feasible.

Right to Withdraw Consent:

As per Rule 5(7), an employer is required to give an option to withdraw consent at any time, in relation to the information so provided. In case of withdrawal of consent, the employer has the option not to provide the goods or services for which the concerned information was sought.

Consequences of Violation of IT Act and IT Rules:

If the employer is negligent in implementing and maintaining security controls as specified under the IT ACT and IT Rules, which in turn results in a wrongful loss or gain to any person, the employer has to pay compensation to the affected person. In case of violation against any other obligation under the IT Rules, employers can be required to pay compensation of up to INR 25,000 (approximately USD 350) to the persons affected by such non-compliance or to pay a penalty of up to INR 25,000 (approximately USD 350).

Operationalizing the IT Act and IT Rules:

In order to achieve compliance, the HR of an organization needs to honor the aforementioned obligations. This can be done in the following ways:

• Disclose how employees’ data is being processed through transparent formal policies.
• Develop formal policies and procedures for data collection and handling.
• Update privacy policies as needed.
• Ensure privacy policies and notices are easily accessible.
• Review and update processes.
• Maintain proper documentation.

Manual methods come with bottlenecks such as high costs and risk of human error. In this day and age, organizations need the help of automation to ensure compliance with the IT Act and IT Rules.

Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Watch a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to IT Rules and IT Act compliance.

Securiti also offers automated data mapping, DSR rights fulfillment, data breach management, and security controls to help you comply with the obligations.