The Evolving Landscape of Data Privacy in India: A Guide for Human Resource Professionals and Organizations

Dr Aniruddha Babar
Dept of Political Science, Tetso College  

(This article was dictated over the phone by me to S. Moa, who meticulously typed and edited the content. S. Moa is a promising young leader and lawyer from Nagaland, supported by his associate, Ms. C. Veronica, a budding journalist based in Bangalore.

The article has been vetted by Dr. Sudhanshu Chakraborty, with additional insights provided by Rajaram Upadhye, a retired senior chartered accountant and Government Consultant. Their collective efforts have been instrumental in refining the discourse presented herein in public interest as a contribution to society).

“In an era where data is often viewed as a valuable asset, it is crucial to recognize that employee data constitutes a form of national property. This sensitive information, if mishandled or compromised, could potentially fall into the hands of hostile entities, posing significant risks not only to individuals but also to national security. Consequently, organizations should exercise extreme caution when considering third-party vendors for HR processes. It is advisable for organizations utilizing such services to conduct rigorous security audits of their vendors and transparently publish the findings to employees and other stakeholders. By prioritizing these measures, organizations can safeguard sensitive employee data and ensure that national security is not compromised.”

Navigating the legal landscape of personal data protection in India is essential for every citizen, employee, and organization. The collective provisions of the Aadhaar Act, the Information Technology Act and its SPDI Rules, and the Digital Personal Data Protection Act, 2023 (which superseded the long-pending Personal Data Protection Bill discussed below) serve to protect sensitive personal data and to ensure that individuals retain control over their information. As we continue to live in an increasingly data-driven world, understanding these legal frameworks and exercising our rights is more crucial than ever. Embracing these principles not only safeguards our privacy but also cultivates a culture of respect and responsibility in our interconnected lives.

The legal landscape in India surrounding personal data protection has undergone significant evolution in recent years, especially as the importance of privacy has become increasingly recognized. With the rapid digitization of personal information and the reliance on sensitive documents such as Aadhaar numbers, Permanent Account Numbers (PAN), and bank passbooks for various identity verification and compliance processes, it is crucial for individuals and organizations to understand their rights and the legal framework designed to protect them.

At the center of this discourse is the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which regulates the use of Aadhaar for identity verification. While this legislation facilitates access to government services, it raises substantial privacy concerns. In Justice K.S. Puttaswamy (Retd.) vs. Union of India, a nine-judge bench of the Supreme Court held in 2017 that privacy is a fundamental right under Article 21 of the Constitution; the 2018 Aadhaar judgment in the same matter then applied that holding to the Act, upholding it in part while striking down Section 57, which had allowed private entities such as employers and banks to demand Aadhaar authentication on the strength of a contract. The combined effect is that individuals cannot be compelled to provide their Aadhaar numbers or other sensitive information unless a law specifically requires it. This legal clarity is vital, as individuals may feel pressured to share their Aadhaar details in various contexts without fully understanding their rights.

The Supreme Court underscored that any intrusion into personal privacy must be justified, necessary for a legitimate purpose, and proportionate to that aim. This principle obligates organizations to respect individual autonomy and ensure that personal data is collected and utilized solely for legitimate purposes, reinforcing the notion of accountability in data handling.

One of the pivotal aspects of the Aadhaar Act is the requirement for explicit and informed consent. Under Section 8 of the Aadhaar Act, a requesting entity that wishes to authenticate an individual's identity through Aadhaar must first obtain the individual's consent and inform them of the purpose for which their identity information will be used and the alternatives available. This provision is critical in empowering individuals to maintain control over their sensitive information. For those uneasy about sharing personal details, this requirement serves as a fundamental legal safeguard.

Complementing the Aadhaar Act, the Information Technology Act, 2000, along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), establishes a robust legal framework for handling sensitive personal data. Organizations must obtain prior written consent before collecting sensitive information and clearly communicate the purpose of this data collection. This legal obligation is particularly significant in today’s context, where individuals are increasingly aware of their data rights and expect assurances that their information will be handled responsibly.

The SPDI Rules impose specific obligations on organizations regarding the processing and storage of sensitive personal data. For instance, organizations must implement reasonable security practices and procedures (the Rules name ISO/IEC 27001 as one acceptable standard) to protect sensitive data from unauthorized access or breaches. Breach reporting comes from adjacent instruments rather than the SPDI Rules themselves: the CERT-In directions of April 2022 require cyber incidents to be reported to CERT-In within six hours of noticing them, and the Digital Personal Data Protection Act, 2023 requires a data fiduciary to notify the Data Protection Board and each affected individual of a personal data breach. Failure to comply can lead to compensation claims under Section 43A of the IT Act, prosecution under Section 72A for disclosure in breach of a lawful contract, and the monetary penalties provided under the 2023 Act, highlighting the imperative for organizations to adopt stringent data protection measures.

Furthermore, organizations may also face civil liability for data breaches under tort law principles, such as negligence, if they fail to adequately protect sensitive information. This potential liability underscores the necessity for organizations to prioritize comprehensive data security strategies.

Looking ahead, the Personal Data Protection Bill, 2019 (PDPB) was intended to significantly enhance India's data protection framework. The bill was withdrawn in August 2022 and its ground is now covered by the Digital Personal Data Protection Act, 2023, whose obligations take effect as the Government notifies the rules under it; the bill's core ideas nonetheless remain the reference points HR teams will recognise in the Act. The PDPB aimed to establish a comprehensive approach to data privacy, aligning with global standards like the General Data Protection Regulation (GDPR). Central to it was the emphasis on informed consent, stipulating that personal data, especially sensitive information such as financial and biometric data, could not be processed without explicit consent. The 2023 Act retains this consent-centric model and the rights of access, correction and erasure, though it drops the bill's separate "sensitive personal data" category and treats all digital personal data uniformly. These rights are vital tools for individuals navigating the complexities of personal data usage, enabling them to request deletion of data that is no longer necessary.

Moreover, the PDPB introduced the concept of data localization, mandating that certain types of sensitive personal data be stored within India. This provision aimed to enhance data security and privacy while ensuring that Indian citizens' data is governed by local laws. The enacted 2023 Act took a different route: cross-border transfer is permitted by default except to countries the Central Government restricts by notification, so the position of an HR vendor hosted abroad depends on those notifications and on any stricter sectoral rules that apply. The implications remain substantial, influencing how organizations manage data and potentially impacting cross-border data flows. Organizations will need to reassess their data management strategies in light of these requirements, ensuring compliance with both national and international regulations.

For Human Resource (HR) professionals, understanding the legal obligations surrounding data protection is particularly crucial. As custodians of employee data, HR departments must exercise due diligence when engaging with third-party applications that handle sensitive employee information. It is imperative to verify that these platforms adhere to legal standards and employ robust security measures to protect data from breaches.

Scenario: Consider Person X, an employee in an organization that issues a notice mandating all employees to upload a picture of their Aadhaar card and bank passbook onto a third-party vendor platform for HR purposes. The HR department implies that employees have no right to refuse the upload; in short, there is no alternative such as keeping the documents in a hard file in the office cupboard. If the data uploaded by Employee X is misused by the third-party vendor or compromised in a security breach, legal responsibility may be shared between the organization and the vendor.

The organization could be held liable for not ensuring proper data protection measures and for failing to obtain explicit consent, while the vendor could face liability for failing to adequately protect sensitive information. This situation highlights the critical importance of establishing clear contractual obligations regarding data security and liability in vendor agreements. The seriousness of the situation only increases where a breach of the vendor's data store, holding identity and bank details for an entire workforce, poses a direct threat to national security.

Possible Solutions and Legal Strategies
To address the challenges and risks associated with data protection, organizations can adopt several legal strategies and practical solutions:

1.    Comprehensive Data Protection Policies: Organizations should develop and implement robust data protection policies that delineate how sensitive data will be collected, stored, processed, and disposed of. For instance, a policy could mandate that sensitive documents like Aadhaar cards and bank passbooks be encrypted at rest and in transit when stored on cloud platforms, with the encryption keys held by the organization rather than the vendor, and could require that only the minimum fields actually needed (for example the masked Aadhaar number rather than a full card image) be retained. Such measures enhance data security and help mitigate legal risks associated with data breaches.

2.    Robust Vendor Management: Organizations must establish rigorous vendor management processes to ensure that third-party vendors comply with data protection standards. This includes conducting regular audits of vendor security practices and requiring vendors to provide certifications regarding their compliance with relevant data protection regulations. For example, before contracting with a cloud service provider, an organization could request a detailed data protection impact assessment and evidence of the vendor's security protocols.

3.    Employee Training and Awareness: Regular training sessions should be conducted to educate employees about data protection principles, their rights, and the significance of safeguarding sensitive information. This training could include modules on recognizing phishing attempts and understanding the implications of sharing personal data, empowering employees to make informed decisions regarding their privacy.

4.    Incident Response Plans: Organizations must have incident response plans in place to swiftly and effectively address data breaches. This includes appointing a data protection officer responsible for managing data breaches and notifying affected individuals promptly. For instance, in the event of a breach, the organization should have a predefined communication strategy to inform employees and relevant authorities, ensuring transparency and compliance with legal obligations.

5.    Enhanced Consent Mechanisms: Organizations should implement clear and user-friendly consent mechanisms that allow employees to understand what data is being collected and how it will be used. Employees should also be made aware of the risks involved in sharing highly sensitive data such as Aadhaar card and bank details on third-party HR applications. Rather than a blanket consent approach, HR can provide granular options for employees to select which personal information they are comfortable sharing, thereby enhancing trust and compliance with data protection laws.

Additionally, HR departments must be acutely aware of the potential legal implications of mishandling sensitive data. The consequences of non-compliance with data protection laws can be severe, ranging from significant financial penalties and reputational damage to, in the worst case, a threat to national security. Consequently, organizations should invest in training their HR staff to comprehend data protection principles and the importance of maintaining the confidentiality and security of personal information.

Fostering a culture of data protection within organizations is paramount. HR departments must remain vigilant and proactive in their approach to data management. By prioritizing strong data protection practices and emphasizing employee privacy, organizations can build trust and reinforce the message that they value the privacy of their employees.