
Ashima Obhan heads the corporate law and M&A practice at Obhan & Associates, a full service law firm with offices in New Delhi and Pune. She has extensive experience in foreign investment, M&A, joint ventures, cross-border transactions and commercial disputes. She has been advising clients in many notable transactions and caters to both domestic and international clients. She has worked on multiple intellectual property licensing transactions as well. She is active in the publishing, education, real estate, IT and renewable energy sectors in India.
When it comes to data privacy and protection of customer data, businesses tend to go to great lengths to be on the right side of the law. But do they put in equal effort when it comes to data relating to their employees? Let’s find out why it is important for HR professionals to be aware of the issues relating to data protection and data privacy when it comes to managing teams in the age of digital transformation.
If you were running a business, phrases such as “data protection” and “data privacy” would perhaps bring to mind consumer data, and consequently, the department handling information technology (IT) or consumer affairs. The assumption that these are only outward-facing issues, however, is not correct.
A great deal of data protection and data privacy pertains to the data within a company as well, and specifically, to the data relating to its employees. It becomes imperative, therefore, for teams handling human resources (HR) within companies to be equally aware of the issues relating to data protection and data privacy, to ensure that they are on the right side of the law when managing teams.
This article discusses some of the issues relating to data protection and privacy that HR teams are likely to encounter in companies of all sizes.
Protecting Sensitive Personal Data or Information: The Law in India
In India, data protection is currently governed by the Information Technology Act, 2000 (“IT Act”). Among the various aspects of data that it regulates, it also lays down the law relating to the protection of sensitive personal data or information (“SPDI”), the reasonable security practices and procedures for protecting such SPDI, and punishment in case of wrongful disclosure and misuse of personal data. Specifically, Section 43A of the IT Act makes a company liable to pay damages to the affected person if its security practices and procedures pertaining to the SPDI in its possession or control are negligent, and such negligence leads to wrongful loss or gain to any person. The damages are payable by way of compensation to the person affected.
Explanation (ii) to the provision defines the term “reasonable security practices and procedures”. This phrase refers to those practices and procedures designed to protect SPDI from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties, or specified in any law. If no such prior agreement or law exists, by default, reasonable security practices and procedures would mean such practices and procedures as prescribed by the Central Government.
Further, under Section 72 of the IT Act, a person is liable to criminal punishment, if he discloses personal information in breach of contract or without the consent of the concerned party and the disclosure is made with the intention to cause, or knowing that disclosure is likely to cause, wrongful loss or wrongful gain.
What is Personal Information?
In order to better understand the legal position around SPDI, a critical term that requires understanding is “personal information”. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) define the term to mean such personal information which relates to:
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history; and
- Biometric information.
Any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law is not to be regarded as SPDI.
Rights and Duties Under the SPDI Rules
An employee commencing work with a company almost always provides some or all of these kinds of personal information to the company at some point in their employment. The control of such information invariably rests with the persons or team managing HR in that company. In the context of the obligations cast upon the holder of SPDI under the IT Act, the responsibilities of the HR team take centre stage with regard to employee data. Equally, employees must know their rights with regard to their SPDI after they hand it over to others.
Obligations of a Data Controller or Processor
(i) Privacy Policy: The SPDI Rules require that a person who collects, receives, possesses, stores, deals or handles such information must provide a privacy policy. This policy must be published on the data controller or processor’s website, and the policy must be available for viewing by the data subject. A “data subject” is the technical term used to refer to the provider of the information. In the case of businesses handling employee data, the data subject would be the employee. The privacy policy must mention the type of personal or sensitive personal data or information collected, the purpose of collection and usage of such information, disclosure of information, and the reasonable security practices and procedures undertaken.
(ii) Consent: The SPDI Rules require written consent to be taken from the employee and prohibit the collection of SPDI unless it is necessary and for a lawful purpose (1). The Rules also provide that any disclosure of SPDI requires the consent of the employee (2).
(iii) Grievance Officer: The SPDI Rules require a grievance officer to be appointed by the organisation and the contact details of such person to be specified in the privacy policy.
Employee’s Rights
Under the SPDI Rules, employees have the right to review the information they have provided and ensure that any information that is recorded and found to be inaccurate or deficient be corrected or amended as feasible (5). This right to review is available on request. The employee also has the right to withdraw in writing his/her consent at a later point in time (6). The SPDI Rules do not provide for any mandatory notification of data breach, and also do not provide an individual with the right to have his/her data erased.
Transfer of Data
There are many occasions when employee data might need to be transferred from one entity to another. The SPDI Rules anticipate such situations as well and allow such transfers. But two conditions must be met for such transfer to be made successfully. Firstly, the transfer of SPDI is allowed only if it is necessary for the performance of the lawful contract with the employee or if the employee has consented to such data transfer (9). Secondly, the SPDI recipient must ensure the same level of data protection provided for under the SPDI Rules.
Limitations of the SPDI Rules
While the SPDI Rules were significant when they were introduced in 2011, our understanding of data protection, privacy and employee rights was very different from what it is today. Given the pace at which technology and the world around us continue to change, a stringent legal framework regulating data protection is absolutely essential.
A major limitation of the SPDI Rules is the absence of a regulator. There is no entity that is responsible for monitoring the applicability of the SPDI Rules or for holding entities accountable if the Rules are not applied. The way the law is structured at present, the enforcement mechanism is defensive and reactionary, responding only when a claim for compensation is made. The jurisdiction for adjudicating such claims depends on the value of the claim itself. Claims for compensation of less than INR 50 million made under Section 43A of the IT Act are adjudicated by the Secretary of the Department of Information Technology of the relevant state government, while claims above INR 50 million are adjudicated by civil courts (10).
The lack of a clear regulatory and enforcement mechanism around the SPDI Rules was recognized in the Srikrishna Report as well. The Expert Committee which brought out that report also commented on certain other shortcomings of the SPDI Rules. Specifically, it pointed out that the definition of sensitive personal data was unduly narrow, and left out several categories of personal data from its purview. It also observed that the obligations of data protection did not appear to be applicable to the Government itself and that on a strict reading, Section 43A of the IT Act could be overridden by contract, which would effectively defeat the purpose of the law.
EU General Data Protection Regulation and its Global Significance
Data protection and privacy are new challenges that businesses are facing the world over. The most significant regulatory development in this space has arguably been the enactment of the General Data Protection Regulation (GDPR) in the European Union (EU) that brings about significant changes in the manner in which personal data is protected and processed. After it came into effect on May 25, 2018, there is now only one set of data protection rules for all organisations operating in the EU, irrespective of where such organisations are based. The GDPR also mandates free movement of all such personal data.
The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. Critically, it does not apply to the processing of personal data which is done by an individual in the course of a purely personal or household activity or by competent authorities for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties (including safeguarding against and preventing threats to public security) (11).
Although focused on the use of data in the EU region, the GDPR has relevance for businesses globally, with India being no exception. Why is this so? This is because the GDPR does not concern itself with the place where a person who processes or controls data is based, but with the personal data of individuals residing in the EU. The GDPR clearly provides that it applies to the processing of personal data of individuals who are in the EU by a controller or processor not established in the EU, where the processing activities relate to offering goods or services to individuals in the EU or to monitoring the behaviour of such individuals as far as their behaviour takes place in the EU (12). As Indian businesses go global, with offices and employees located across continents, knowing how the GDPR works is of fundamental importance for HR teams within such businesses.
Conclusion
The idea of doing business is changing in many ways, big and small. Most fundamentally, it has changed how businesses must deal with data both externally and internally. Consumer protection has always been a subject of key importance in matters of business regulation. With new changes to laws in India and other parts of the world, matters traditionally regarded as internal, such as employee protection, are also coming into focus. Businesses must now be increasingly wary and careful about how they handle sensitive personal data that they hold, especially that belonging to their employees. This note serves merely as an introduction to some of the emerging issues in the area. Even though regulation is not as stringent in India as it is in other parts of the world, there is enough guidance in the relevant laws to ensure that businesses follow best practices in such matters. All of this points to the need to have an HR team that is updated with the latest developments in data protection and data privacy, and is made aware of the compliance requirements that this entails.
References
1. Rule 5(1) and (2) of the SPDI Rules
2. Rule 6 of the SPDI Rules
3. Rule 5(1) and (2) of the SPDI Rules
4. Rule 6 of the SPDI Rules
5. Rule 5(6) of the SPDI Rules
6. Rule 5(7) of the SPDI Rules
7. Rule 5(6) of the SPDI Rules
8. Rule 5(7) of the SPDI Rules
9. Rule 7 of the SPDI Rules
10. Section 46(1A) of the IT Act
11. Article 2(2)(c) and (d) of the GDPR