Data Protection Law in India that HR Leaders Should Know

June 25, 2020, 2:55 pm

While data can be put to beneficial uses for individuals and companies, unregulated and arbitrary use of data, especially personal data, has raised concerns about the privacy and autonomy of the individual. This concern is also the subject matter of the landmark Supreme Court judgment that recognises the right to privacy as a fundamental right.

Under the GDPR and the United Nations Convention clause, privacy is a fundamental human right, enshrined in numerous international human rights instruments. It is central to the protection of human dignity and forms the basis of any democratic society. It also supports and reinforces other rights, such as freedom of expression, information and association. Therefore, no organisation, company or even government may handle a person's data without complying with privacy law.

See also: Brief Review on Singapore PDPA

India Privacy Protection

India is not a party to any convention on protection of personal data which is equivalent to the GDPR or the Data Protection Directive. Yet, the country has adopted other international declarations and conventions such as the Universal Declaration of Human Rights to Political Rights which recognises the right to privacy. 

The main enactments giving effect to the above privacy rights are the IT Act and the Information Technology Rules. Under the IT Act and the IT Rules, what is primarily protected is personal information and sensitive personal data or information, for example information relating to:

  • Passwords
  • Financial information, such as bank account, credit card, debit card or other payment instrument details
  • Physical, physiological and mental health condition
  • Sexual orientation
  • Medical records and history
  • Biometric information

In addition to the above, the respective sectoral regulators prescribe data privacy measures that their sectors must undertake, including but not limited to telecommunication companies, banking companies, medical practitioners and insurance companies, to protect the privacy of data collected from users and to prevent unauthorised disclosure to third parties.

What HR leaders should pay attention to 

As part of employers' obligations regarding the personal data of employees, clients and/or consumers, an employer that stores such personal information on a computer resource is required to have in place a comprehensively documented information security programme, with information security control measures commensurate with the information assets being protected. Alternatively, employers can implement the International Standard IS/ISO/IEC 27001 on Information Technology – Security Techniques – Information Security Management System – Requirements.

Further, employers who collect, receive, possess or store information about their employees and clients are required to have in place a privacy policy for handling or dealing in such personal information. Employers must make the privacy policy available to employees and clients for their review and publish it on their website. Employers and employees are also restricted from furnishing anyone's personal information, and employers cannot use or ask for the bank statements of an ex-employee.

Sanctions 

Employers should also protect data against data theft (IT Act Section 66). Failure to comply with this law can expose employers to penalties that include imprisonment: under IT Act Section 72A, disclosure of information in breach of a lawful contract is punishable by imprisonment of up to three years, a fine of up to Rs 5 lakh, or both.

Read also: Protecting Employees’ Data Privacy: Q&A with Thomas Matecki, Founder and CEO at Emotional Vector Analytics