Listen to this post

Within the broad bucket of internal investigations that companies often undertake, disciplinary procedures in relation to employee misconduct are one of the most common forms of investigations. In this piece, we explore the current laws and best practices in relation to employee investigations and conducting disciplinary processes, the potential ramifications of Indian data protection law, upcoming developments in the field of artificial intelligence (“AI”) on such investigations, and steps employers can take to ensure compliance and minimise any risk of wrongful termination.

Background – Disciplinary Process and the Allure of AI Tools

Before terminating an employee for  cause (i.e., misconduct), employers are required to follow a disciplinary process, in line with the principles of natural justice. The Industrial Disputes Act, 1947 (“IDA”), stipulates that the employees be allowed to defend/explain their actions, and considers the dismissal of an employee in utter disregard of the principles of natural justice in the conduct of a domestic inquiry or with undue haste as unfair labour practice. Further, shops and establishments legislations of some states, for example, the Delhi Shops and Establishments Act, 1954 (“Delhi Shops Act”), prescribe that an employee can only be dismissed on account of misconduct after being provided “an opportunity to explain the charge or charges against him in writing.”

The Indian labour statutes do not set out the exact steps of the process. However, judicial precedents indicate that adherence to certain key elements is critical, to ensure that principles of natural justice are followed. For example, among other things,  (i) the accused employee must be informed clearly of charges against him, through a show-cause notice; (ii) witnesses, if any, should be examined (and cross-examined by the accused employee[1]); (iii) documents relied upon should be available to the accused employee[2]; (iv) findings (with reasons) should be recorded in the enquiry report by the inquiry Officer; (v) if found guilty, the employee should be given a notice of immediate termination, containing reasons and summary of findings; and (vi) parties must maintain confidentiality.

However, courts have suggested dispensing with the process of holding a disciplinary inquiry if the facts of a case show that following such a process would be a mere formality, which would neither change the outcome nor prejudice the employee. This principle, referred to as the “useless formality” test, has been recognised in judicial precedents. The courts have also observed the following: (i) where termination causes no prejudice to the concerned party, and the admitted or indisputable facts in the case lead to only one conclusion, the requirement to send a notice is not mandatory; and (ii) where the workman himself has, in answer to the charge levelled against him, admitted his guilt, there is nothing more to inquire and it cannot be said that there is a violation of principles of natural justice. Thus, in certain limited instances, employers may rely on the “useless formality” test to dispense with the requirement of a disciplinary process.

The conduct of a disciplinary process requires dealing with large swathes of data. As a result, to assist in the investigative process, employers are increasingly considering the use of modern AI tools as an option. These tools have become useful for organisations to deep delve into investigations of not only employee misconduct but also complex white-collar crimes, such as fraud, financial misconduct, data breaches, among others. For example, tools such as ChatGPT can sift through mountains of data to help organise it according to the needs of its user.  

Forensic investigations employ a blend of methodologies by using data analytics, digital imprints, and allied tools to trace irregularities more effectively. By meticulously collecting and assisting with real time analysis of evidence, forensic investigations play a pivotal role in building a watertight case, should the entity prefer to initiate any legal proceedings as also assists in internal decision-making.

Dealing with Employee Data

Given that an investigation for employee misconduct involves strict adherence to the principles of natural justice, it is important to handle employee data in accordance with the law, considering it undoubtedly plays a pivotal role in an investigation. The extant law – the Information Technology Act (“IT Act”) – read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and the upcoming Digital Personal Data Protection Act, 2023 (“DPDP Act”), which will soon be brought into force, all require that an employer collect/process certain employee-related data only with the employee’s consent. Employee-related data includes both personal data (by which an individual may be identified) and sensitive personal data or information (relating to a person’s passwords, finances, health, etc.).  The DPDP Act affords leeway in some scenarios; for instance, the consent requirement can be waived for “legitimate uses” such as for “purposes of employment” or to safeguard employer from loss/liability,  and similarly, consent is not required for processing personal data in the interest of an investigation. However, collecting data that helps prove an employee misconduct allegation could remain tricky, because if an employee is able to show that their data was collected improperly in the course of the disciplinary process, it could lead to a potential claim of wrongful termination.

It is, therefore, important that an employer abides by the steps of a disciplinary process in good faith, and avoids cutting corners to obtain the personal data of the employees while examining or cross-examining witnesses, or while providing documents it relies on during the process, to the employee for examination.

Use of AI in Investigations

AI tools can indeed be useful as an aid to the disciplinary process/investigation, to rapidly process and analyse emails, financial transactions, and other digital footprints, identifying patterns and anomalies that might elude human investigators. For instance, Natural Language Processing tools possess the ability to scan thousands of emails to detect suspicious communications, which may indicate fraudulent activities or compliance breaches.

AI can also assist with correlating disparate data sources to provide comprehensive insights. In an internal investigation, this means AI can integrate information from various departments – HR records, financial data, IT logs – to construct a holistic view of an incident. This multifaceted analysis is crucial in understanding the context and nuances of complex cases.

However, utilising AI in a disciplinary process also has significant pitfalls. Given that these are complex tools whose mechanisms the users do not always fully understand, there is a risk of breach of confidentiality obligations or of errors caused by the improper use of the tools by a party  not familiar with its functionality. Thus, the role of AI has to be tailored carefully to protect the interests of all parties in a disciplinary process.

Striking a Balance and Adopting Best Practices

As is the case for other areas of the law, the usage of AI in the conduct of disciplinary proceedings for employee misconduct is bound to become more common with time. This can significantly help reduce costs and the time associated with each individual investigation. However, employers must bear in mind that India is still largely an employee-friendly jurisdiction, and any errors in judgment by the employer could have financial ramifications (in case of wrongful termination of a workman, one of the reliefs that can be claimed under the ID Act is reinstatement with up to 100 per cent of back wages). Similarly, it is also important for employers to ensure that they are compliant with data protection law while accessing any employee data during the disciplinary process.

In the absence of enhanced regulations addressing AI in an investigative setting, and until jurisprudence on data protection develops, employers can strive to adopt best practices while spearheading a disciplinary process to prove an allegation of misconduct against an employee. These include:

  • The use of AI tools should be limited to non-adjudicatory functions, such as segregating or summarising data or collating information from different sources. Any adjudicatory functions should be reserved with the persons appointed to do so (such as the inquiry officer responsible for conducting the disciplinary procedure). Similarly, adversarial functions (such as presenting evidence, making arguments, and cross-examination of witnesses) should also be kept out of the purview of AI tools, as these elements of the disciplinary process require human judgment, a commitment to non-bias, and absence of prejudice.
  • Regarding data protection during the disciplinary process, employers should err on the side of caution and obtain consent of employees for any internal investigations/disciplinary procedures upfront, by including relevant clauses in the employment agreements themselves.
  • Relevant clauses should be included in internal disciplinary policies drafted by the employer, to permit activities that form part of internal investigations (especially at the fact-finding stage), such as monitoring of work systems used by employees, which can then be used as evidence during the disciplinary process.
  • Employers should ensure that internal policies and practices comply with confidentiality obligations during the disciplinary process, particularly because third-party agencies are commonly engaged to assist in or conduct investigations.

While it will be interesting to see how jurisprudence and the legal framework governing employee misconduct investigations respond to changing trends, adopting suitable best practices during the course of a disciplinary process will help reduce the possibility of successful claims for wrongful termination, and any other forms of liability that may be incurred by employers.


[1] Nawal Kisohore Bansilal v. Empress Mills Ltd. 1962 ICR 831 (IC Bom)

[2] Union of India v. Rajan Kumar Mohalik, (2000) 3 Cur LR 117 (Bom)

Listen to this post
“Voluntary Provision” under the DPA: Too Good to be True?

This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.

Continue Reading “Voluntary Provision” under the DPA: Too Good to be True?
Listen to this post
Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation was enacted in August 2023 (yet to come into effect). Given the substantive procedural aspects under the Act being left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred days) of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.

Continue Reading Need for Syncing Sectoral Regulations with Data Protection Law
Listen to this post
Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and instead, using ‘legitimate uses’[1], as the bases for processing may be a better alternative.

Continue Reading Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data
Listen to this post

Background

The European Court of Justice (“CJEU”) in mid-2023 passed a landmark judgment in Meta Platforms Inc. v. Bundeskartellamt[1], by imposing strict restrictions on social media entities using personal data of consumer’s for targeting them with personalised advertisements through their platforms. This ruling struck at the core revenue model of many big technology organisations.   

Continue Reading The Great Reset: What Lies in Store for Targeted Advertising?  
Listen to this post
FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

Background

Indian regulators in recent times have shown a keen interest in monitoring the intersection between data, information technology, and cybersecurity with regulated entities—more so in relation to Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map their journey of compliance from legal and regulatory perspectives.

Continue Reading FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs
Listen to this post
FIG Paper No. [29], Data Law Series [3]: Implications of Digital Personal Data Protection Act, 2023 for Foreign Banks in India

Introduction:

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s foray into the global regulatory movement on personal data rights. In designing the DPDP Act, there has been a strong focus on simplicity, brevity, and standardisation. We note a marked effort to align with data regulation across the world, most significantly, the European Union’s General Data Protection Regulation (GDPR”). While principally similar, the Indian regime has peculiarities for which financial services entities will have to prepare themselves. 

Continue Reading FIG Paper No. 30, Data Law Series 4: Implications of Digital Personal Data Protection Act, 2023 for Foreign Banks in India
Listen to this post
Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.

Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
Listen to this post
Primer on IRDAI Information and Cyber Security Guidelines 2023

Introduction

On September 14, 2023, the Insurance Regulatory and Development Authority of India (“IRDAI”) set up an inter-disciplinary standing committee on cyber security, tasked with regularly reviewing the threats inherent in the existing or emerging technologies and suggest appropriate changes to the IRDAI Information and Cyber Security framework to further strengthen the insurance industry’s cyber security posture and resilience.[1] This is in furtherance to the IRDAI having notified the Information and Cyber Security Guidelines on April 24, 2023 (“CS Guidelines 2023”).

Continue Reading Primer on IRDAI Information and Cyber Security Guidelines 2023