Employee Data Privacy

India - Data Privacy Laws and Regulations


What laws apply to the collection and use of individuals’ personal information?

 

Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.

 

India does not have an overarching data protection or privacy law. While that may be changing soon, privacy requirements are currently contained in India’s Information Technology Act, 2000 (IT Act). The IT Act includes specific privacy provisions and requirements for personal information (PI) and sensitive personal data or information (SPDI). PI is defined as information relating to a natural person, which in combination with other information can identify that person. SPDI includes information relating to passwords, financials (i.e. payment information, including credit cards, bank accounts, etc.), medical records, biometric data (such as fingerprints), etc. There are no rules specific to employers in the Information Technology Act.


There is no statute requiring specific security practices. That said, the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”) include some very basic privacy rules relating to SPDI, such as notice, consent, collection, data transfers, etc.


Note that these rules apply only in the event that the employer, employee, and other concerned parties have not entered into a mutual agreement on reasonable security practices and procedures that will apply to SPDI or be excluded from applying to SPDI.


There may be revisions to India’s privacy laws in the near future. In July 2018, the Ministry of Electronic Information Technology released a draft Personal Data Protection Bill. The Bill, in its current form, has adopted many of the principles in the European Union’s General Data Protection Regulation. It’s not clear when the final draft of the Bill will be made available to the public or when it will be introduced to Parliament.

_____________________________________

India has no central authority responsible for enforcement of data privacy law and regulations. The Indian Computer Emergency Response Team (CERT-In) handles cyber security incidents:

http://www.cert-in.org.in/

 

Ultimate Software's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where Ultimate Software's customers have employees. HR Compliance Assist is a service exclusively available to Ultimate Software customers.
