"An Act to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto"
Introduction: The 'right to privacy' is a fundamental human right that is recognized in the Universal Declaration of Human Rights 1948 (UDHR), as well as in many other international and regional treaties. The idea of privacy may be seen from two different perspectives: the protection of information or personal data, and the extent to which it is shared with other parties.
Interestingly, judicial activism of the Constitutional courts played a decisive role in the inclusion of the right to privacy. In MP Sharma v Satish Chandra, (1954) 1 SCR 1077, and Kharak Singh v. State of U.P and others, 1964 SCR (1) 332, the Supreme Court had pronounced that the "Right to Privacy" is not included in the fundamental rights under the Constitution of India, hence not acceptable. In Unique Identification Authority of India & Anr. v. Central Bureau of Investigation, Special Leave to Appeal (Crl) No(s).2524/2014, the Supreme Court held that biometric data shall not be shared with any agency or third party without the consent of the individuals. Additionally, the honourable court specified that individuals cannot be denied access to any services for not possessing an Aadhaar number. In K.S. Puttaswamy v. Union of India, (2017) 10 SCC, in a landmark judgement overturning the MP Sharma and Kharak Singh cases, the Court considered the words "personal liberty" and concluded that the right to privacy is inextricably linked to the right to life and personal liberty, which are both guaranteed by Article 21. Justice D.Y. Chandrachud, in his opinion, emphasized the necessity of creating a robust framework for personal data protection to safeguard the interests of both the State and its citizens. Hence this Act.
The Information Technology Act 2000 provided legal recognition to e-commerce in India. The term "cybercrime" is not defined under the legislation; however, the Act mentions a few instances of cyber-related crimes. The privacy of digital data is not comprehensively dealt with under the Act. However, the Act places a duty on the body corporate, which includes firms that engage in commercial and professional services, to protect sensitive personal data, and provides for penalties [Sec.43A & Sec.72]. The term "sensitive personal data" is not adequately defined, leading to confusion as to what constitutes sensitive personal data.

The term "privacy" is derived from the Latin word "privatus," which means "to be apart from the rest." It is described as a person's or a group's capacity to keep themselves or information about themselves hidden and then selectively reveal it. Contrary to popular belief, the phrases privacy and confidentiality are not interchangeable. The terms privacy, confidentiality, and information security are sometimes used interchangeably, yet each term has its particular meaning and use in the information security field. In its most basic definition, "confidentiality" refers to the exercise of judgment in the safeguarding of confidential information. We need to appreciate the "Right to Privacy" and "Protection" in the context of employment and the workplace. Broad types of "Privacy" are:
Before we discuss the "Challenges of HR", let us see the important features of the Act, which everyone should not only know but also attain "Competency" in. The processes of Personal Data Protection are:
a. Data Collection
b. Data Security
c. Data Process, and
d. Data Access

The DPDP Act applies to Indian residents and businesses collecting the data of Indian residents. Interestingly, it also applies to non-citizens living in India whose data processing "in connection with any activity related to offering of goods or services" happens outside India.

Some important definitions:

DATA PROTECTION BOARD: Sec. 2[c]: The Board established by the Central Government, which is assigned duties/functions limited to hearing complaints/grievances and levying penalties in case of any breach.

DATA PRINCIPAL: Sec. 2[f]: An individual to whom the personal data relates, including an individual with any disability, mental or physical. Here, the employees provide all personal data as required, in digitized or non-digitized form, with their consent. Consent may be given at different stages, such as during recruitment, during employment, and after cessation of employment. Consent is very important, and it is the essence of "Privacy" and "Protection".

DATA FIDUCIARY: Sec. 2[i]: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. HR may be the Data Fiduciary.

DATA PROTECTION OFFICER: Sec. 2[j]: An individual appointed by the Data Fiduciary. This may be the Head-HR, or any officer who is assigned to protect the data.

CONSENT MANAGER: Sec. 2[g]: A person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent method.

DATA: Sec. 2[h]: Representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

DATA PROCESSOR: Sec. 2[k]: Any person who processes personal data on behalf of a Data Fiduciary.

PROCESSING: Sec. 2[x]: In relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

HR Challenges: Context of Employment or Engagement

The terms 'employee,' 'worker,' 'contractor,' 'consultant,' and 'partner' have been used interchangeably, taking into account the dynamics of the obligations. The traditional definitions of the employer-employee relationship, vis-a-vis the protections guaranteed under various labour laws, must be kept in view.

Consultants/Freelancers/Subject Matter Experts: These workers are engaged on various terms relating to duration, deliverables and compensation.

Interns, Apprentices, Volunteers, Assistants: These include personnel engaged for a specific period/project, who may be paid or unpaid, wherein they are expected to gain practical exposure during the term of their engagement with the organization.

Next, "Gig Workers" as well.

With the increased adoption and integration of technology into the workplace, it becomes even more critical to delineate guidelines for the processing of personal data in the context of employees. For example, a company employing persons to work remotely, in order to track the activity of its employees, installs software on the laptops provided by the organization to track screens in real time and record the browsing history, chats, and documents worked upon as they are opened. An 'efficiency' report gets generated on a weekly basis and is reviewed by the managers, enabling them to keep a record of workers' productivity and sanction corresponding salaries.
The software is equipped to flag 'suspicious behaviors,' and this is in addition to high-definition cameras that track the entirety of daily activities, including breaks taken by the employee.

In another example, a garment manufacturing company engages hundreds of contractual workers to manufacture clothing in its factories at multiple locations. To maintain oversight over the workers, factory managers maintain a centralized repository of worker profiles containing records on their family medical history, religious views, and health information. This information was collated by managers during informal chats regarding family issues or religious beliefs, and was then stored and used to evaluate work performance and make employment decisions.

Now here is the challenge for HR: to collect data from the "Data Principals", namely the workers. Before the data is collected, the workers must be educated and informed, to the extent needed to meet the requirements of the "Data Fiduciary", which may be HR.

Recruitment process: After shortlisting the candidates for interview, the "Data Fiduciary" must list the data to be sought from the candidates, the "Data Principals". The data to be sought must be precise, with no ambiguity and no subjectivity, together with any other details as demanded for the position for engagement. The candidate must give consent, in writing, in response to the "Data Fiduciary". This is mandated under the Act.

The next step is the interview/interactive discussions. The interview/interactive discussions, whether in person or online, may be video recorded or voice recorded as decided by the "Data Fiduciary", and the same shall be taken as "Consent" by the candidate, the "Data Principal". Two key considerations here are: (a) ensuring confidentiality of personal data in the case of a virtual/remote interview process, and (b) the feasibility of providing alternative modes of interview to the prospective candidate.
HR should, therefore, carefully evaluate the robustness of the chosen platforms and their ability to respect and enable privacy considerations. Additionally, during the interview, personal notes may be taken about the candidate by the panel and/or the digital meetings may be recorded. In either case, the candidate should be informed and advised about the rights that the candidate may exercise in this regard. During an in-person interview as well, personal data may be collected through various documentation processes, or through recordings captured by the CCTVs installed at the premises of the hiring organization. At this stage, a clear notice should be provided to the candidates informing them of the personal data that is likely to be collected. Usually, all data forming a part of digital media may be required to be kept for certain purposes, including but not limited to audits, which necessitates addressing the lifecycle management of such data through a clear policy. The Data Principal in these situations should be able to exercise their rights over the personal data stored about them, and while the obligation of notification persists, the process by which they can exercise their rights must be delineated.

Under Sec. 11 of the Act, the "Data Principal" is empowered to obtain from the Data Fiduciary to whom he/she has previously given consent a summary of the personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary concerning such personal data.

Section 12. (1) A Data Principal shall have the right to correction, completion, updating and erasure of her/his data for the processing of which he/she has previously given consent. A Data Fiduciary shall, upon receiving a request for correction, completion, or updating from a Data Principal, (a) correct the inaccurate or misleading personal data; (b) complete the incomplete personal data; and (c) update the personal data.
(3) A Data Principal shall request in such manner as may be prescribed to the Data Fiduciary for erasure of her data, and upon receipt of such a request, the Data Fiduciary shall erase his/her personal data unless retention of the same is necessary for the specified purpose or compliance with any law for the time being in force.

The Data Principal is empowered to raise any grievance/complaint, in case of any breach by the Data Fiduciary, to the Board constituted by the Central Government. The Board shall hear such complaints and is empowered to levy penalties to the extent of Rs. Two hundred Crores on the Data Fiduciary.

Next, the employment contract, particularly the terms governing intellectual property, non-disclosure, non-solicitation, trade secrets, dual employment, etc., must be precisely incorporated. In order to strengthen the "Consent", additional consent incorporating the above is recommended. The next important step is to obtain consent for "Background Verification".

EMPLOYMENT STAGE: During the tenure of employment, HR must digitize various activities in systems, such as discipline, productivity, demonstration of leadership qualities, managerial abilities, integrity, honesty, work culture and work ethics, sincerity, innovation, strict adherence to each term of the contract, confidentiality, tracking of productivity/efficiency, etc. HR must also carry out an interactive audit of the above-mentioned items in the "Consent", keep the Data Principal updated, and keep the records digitized. This is a vast and significant area. The entire thing must be digitally processed and maintained.

Most essential to note: Outsourcing of maintaining personal data and monitoring: Many organizations choose to outsource certain processing activities to third parties. When processing data on behalf of the organization, these are termed 'Data Processors'.
'Processing on behalf of the data fiduciary' means that the data fiduciary continues to determine the means and purpose of processing and that the processor simply follows the instructions as provided by the data fiduciary. Section 8 of the Digital Personal Data Protection Act 2023 requires that the data fiduciary remain responsible for the acts of the data processor, irrespective of the arrangement, over and above a valid contract. Thorough due diligence must also be undertaken on the third party before the decision to outsource.

In case of cessation of employment, another most important aspect is to identify the data to be maintained and the data to be erased and removed. This is another challenge for HR, which must be diligently planned, processed, and maintained.

Conclusion: "While staff needs to understand and implement good data protection practices, it is the responsibility of the Data Fiduciary to ensure that they do so and have the means - including, where appropriate, devices such as shredders, & deliver the required standard of protection."

Reading materials:
a. DSCI Privacy Leadership Forum. Privacy at Workplace.
b. PursuIT Data Protection and Data Privacy.
c. ICREP Journal of Interdisciplinary Studies. Cochin University. Dr. Pradip Kumat Kashyap
d. International Journal of Creative Research Thoughts. Christ University.
e. Indian Kanoon

About the Author: K. Vittala Rao is a Legal & Management Consultant, Bangalore.

Courtesy: Business Manager, August 2025