India

Employee Data Privacy

Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.

Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits.

A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing processing. DPOs may be required by law or recommended.

The processing of personal data may impose obligations toward the individuals to whom the data relates (the data subjects). Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.

Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.

Cross-border data transfer affects all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.

Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties.

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.

Failure to comply with data privacy laws, as well as data breaches, may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.

HR Electronic Records

Although some countries require certain types of documents to be kept and archived in their original paper form, for most categories of documents, including HR-related records, there is no such requirement, and it is generally acceptable to use electronic versions of paper records. In India, the burden of proof for electronic records is quite high, which means that from a practical perspective, courts often prefer paper originals. It may be good practice for employers to retain archives of paper originals in the event such originals would be requested by a specific investigator, auditor, judge or authority.

The majority of legislation generally recognizes the validity and probative value of documents that are natively electronic (i.e., created as electronic originals), subject to compliance requirements. In India, the burden of proof for electronic records is quite high, and courts often prefer paper originals. 

Generally speaking, an electronic signature (or e-signature) is a technical process logically associated with a document which two (or more) individuals or organizations (the signatories) agree to rely on in order to express their intent to sign such document. Three components are therefore necessary: a document, a signatory and an e-signature tool. While the tool most commonly used for handwritten signatures is a simple pen, electronic signature tools are typically more complex.

HR Record Retention Requirements

As most HR professionals know, document retention for employee-related records—such as personnel files, payroll information, benefits records, and background checks—is a particularly complicated process, required by law, with variations from country to country. Complicating the process further, each document in each country has its own individual retention requirements, and the financial penalties for noncompliance can be significant. A carefully designed and implemented HR record retention policy is a necessary step to support an employer’s robust compliance program.

Most countries have minimum and maximum retention periods for certain HR records. Even if there is no statutory minimum retention period for a certain category of records in a particular country, it is often recommended to retain these records until the expiration of the relevant time limits for bringing legal actions or regulatory investigations (statutes of limitations).
