Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and that using ‘legitimate uses’[1] as the bases for processing may be a better alternative.

As rulemaking under the DPA gets underway again, and its implementation becomes imminent, we explore in this three-part series three important legitimate use bases for processing, and why reliance on their seemingly simple language may not be as attractive as it seems.

We start with dealing with one of the most common types of processing by entities across a range of size, industry, or significance, i.e., collection, storage, and use of personal data pertaining to applicants, employees, consultants and retainers.

Under the DPA, organisations may process personal data:

for the purposes of employment

………..

or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information

………

or provision of any service or benefit sought by a Data Principal who is an employee

The apparently expansive language of this legitimate use basis (hereinafter the “Employment Basis”) is no doubt attractive, and organisations may be inclined to interpret that consent of employees would not be needed to process their data for purposes linked to employment, but such a reading would be tantamount to ignoring some of the history behind this section.

Originally, the Digital Personal Data Protection Bill, 2022 (“Bill”), contained express language, creating a presumption of “deemed consent” for “purposes related to employment … including… verification of attendance and assessment of performance [2]”.

The narrowing of this language, from ‘purposes related to employment’ to ‘purposes of employment’, and the removal of express terms such as “verification of attendance and assessment of performance”, seem to suggest that the legislature intended to narrow the scope of this exception. Such an interpretation is also supported by drafting changes elsewhere in the DPA. For instance, while the Bill allowed the processing of data for all purposes mentioned in a notice,[3] the DPA limits the consent recorded to the processing of data necessary to achieve the specified purpose[4].

A comparable “Legitimate Purpose” provision under Singapore’s Personal Data Protection Act, 2012 (“PDPA”), allows organisations to process employees’ personal data, where such processing is reasonable for the purpose of, or in relation to, entering into, managing or terminating an employment relationship[5].

Given this background, when called upon to determine whether processing is permitted without consent under the Employment Basis, the Data Protection Board (“DPB”)[6] could examine processing in two broad buckets, namely, a) expressly “permitted” uses; and b) other uses.

Measures (such as end point protection, logging, device monitoring, etc.) that are clearly intended to prevent espionage, protect confidential (or classified) information, trade secrets, intellectual property, or to investigate or prevent employee actions that can clearly lead to liability (such as insider trading, fraud, breach of regulatory obligations, sexual or other harassment) for the employer, would be easier to justify under expressly “permitted” uses.

A similar reading could be taken for purpose-based necessities – to provide a service or benefit clearly sought by an employee – such as employee meals, creche facilities, or insurance. To process data on this basis, employers would require employees to seek, or “opt in” for the relevant benefit, while calling out what processing is necessary to enable them.

Needless to say, processing for any of the above would have to be limited to the underlying permitted purpose, and strong controls would need to be in place to ensure that data collected for the above is not used or processed for any other reason.

Matters would be less clear under the second category, i.e., uses that are not expressly permitted under the DPA, but are sought to be justified as processing for the purposes of employment.

With the absence of clear guidance on whether specific processing is necessary for an employment relationship (say for instance, mandatory payroll processing, processing for tracking leave, providing statutory employment benefits, or carrying out actions mandated for employers under law), other purposes such as pre-employment checks (especially intrusive background verification), employee monitoring (especially on personal devices, or constant monitoring), processing for granular performance evaluation, implementing employer-driven surveys, diversity, equity or inclusion initiatives, and similar purposes may prove to be difficult to justify on this ground.

The concept of ‘legitimate interest’ under the General Data Protection Regulation (“GDPR”)[7] (while clearly different, broader in ambit, and containing an express balancing requirement) may provide insight into how the DPB and the courts may evaluate this type of processing.

Where processing is necessary (i.e., is the least intrusive way to achieve a said purpose), legitimate (i.e., lawful, real and non-speculative) and proportional (i.e., balanced), employers may take comfort in the fact that their proposed processing satisfies tests under both the GDPR, and Indian law, as embodied under the Puttaswamy judgment[8].

This is by no means a clear position though. Often, employers will be called upon to justify processing under the Employment Basis after the fact, i.e., to defend against a complaint by an employee to the DPB.

As such, employers would be well advised to track the decisions of the DPB and courts, to identify activities that are clearly held to be necessary for the purpose, and for all other purposes, try and obtain clear consent for processing from employees.

In any case, given the precise wordings of the provision, processing of data of consultants, interns, gig workers and other individuals providing services other than as employees, may need to be consented to.

Consent Based Processing

Unlike in Europe, where the guidance[9] clearly indicates that “freely given” consent may be impossible within the context of an employment relationship, Indian employers have long relied on consent for processing personal data under existing law, i.e., the Information Technology Act, 2000, and related rules.[10]

The DPA does not permit processing based on several non-consent bases (including performance of contract, etc.) that underpin much processing in Europe. Given this background, it seems unlikely that the GDPR positions around the inability of employees to consent, will carry over as is into India.

Accordingly, while consent may be complex to record, and comes with a risk of withdrawal, until there is clearer guidance on this point (potentially under the rules to the DPA), employers in India may choose to adopt the following approach.

  • Where data relates to an employee, and processing is intended for a purpose squarely called out as an Employment Basis, employers can seek to rely on the exception, after ensuring that their processing is both necessary and proportional for achieving the purpose. Employers should create a record of such necessity and proportionality, and clearly notify employees of such processing. Where the employer is a significant data fiduciary,[11] and is required to carry out a data protection impact assessment, the relevant processing should be sought to be covered under such assessment to serve as a basis to defend against any future challenges.  
  • In all other circumstances, employers should seek to obtain clear consent for processing. Such consent should be recorded against a clear, transparent notice, against specific purposes of processing.

While this may well prove to be a somewhat onerous approach, it has the undoubted benefit of demonstrating transparency of the organisation’s data handling practices and fostering trust with current and future employees.


[1] Section 7, DPA.

[2] Section 8 (7), Bill, “for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance”.

[3] S. 7(1), Bill.

[4] Illustration under Section 6, DPA.

[5] First Schedule, Part III, Paragraph 10, PDPA.

[6] The Data Protection Board of India constituted under Section 18 of the DPA.

[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.

[8] Justice K.S. Puttaswamy vs. Union of India, (WP (C) 494/2012).

[9] Article 29, Working Party Guidelines on consent under Regulation 2016/679.

[10] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

[11] Section 10, DPA.