Employee Data Privacy

India - Data Privacy Laws and Regulations


What laws apply to the collection and use of individuals’ personal information?


Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.


In India, the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Data Protection Rules) contain specific regulations that apply to corporate entities when handling personal information (PI) and sensitive personal information (SPI). Corporate entities must comply with obligations relating to collection, storage, retention, transfer and disclosure when handling SPI.


In addition, India is a signatory of the Universal Declaration of Human Rights, 1948 and the International Covenant on Civil and Political Rights, 1966.


SPI is defined in the Data Protection Rules as personal data that contains information relating to financials, passwords, health (physical, physiological and mental), sexual orientation, medical history/records and biometrics. There are no rules specific to employers in the Information Technology Act. Businesses are expected to follow the same rules regardless of whether they are processing sensitive employee or sensitive customer data.


Companies that process personal data must publish a privacy policy on their website, request written consent prior to collection, and allow individuals to review and correct their PI and SPI. Disclosing sensitive or personal data to third parties requires prior permission from individuals unless the disclosure has been previously agreed to in a contract or is necessary to comply with a legal obligation.


There may be revisions to India’s privacy laws in the near future due to the Supreme Court’s 2017 ruling that the right to privacy is fundamental. One open question is whether it’s a violation of an individual’s right to privacy for the government to collect biometric information and incorporate it into government-issued unique identification numbers (Aadhaar) [1]. As this I.D. number is sometimes used to verify e-signatures, changes may impact employers who use Aadhaar-based e-signatures.




India has no central authority responsible for enforcement of data privacy law and regulations. The Indian Computer Emergency Response Team (CERT-In) handles cyber security incidents:



1 Choudhary, Dhananjay Mahapatra and Amit Anand. 2017. "Right to Privacy is a fundamental right, it is intrinsic to right to life: Supreme Court." The Times of India. August 24.

Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.
