With the Digital Personal Data Protection Act, 2023 [hereinafter “the Act”] in place, employers have to comply with certain privacy obligations. The Act imposes a duty on all Data Fiduciaries to adopt technical safeguards to prevent data breaches, and seeks to protect all kinds of digital data, regardless of whether it is sensitive or not. It also provides certain rights to a Data Principal. This framework also applies where employee data is collected, managed, stored and processed by an employer. Employee data may be collected at different stages for different purposes: during the employment (for performance assessment, provision of benefits, updating of records, etc.), at the termination of employment, or even during the interview and selection process for background verification. This piece focuses on the last of these categories, background verification, and explores the implications of the DPDP Act for drafting Background Verification Clauses in employment contracts.
Given this factual matrix, the primary question that may arise in the minds of readers concerns the grounds for processing personal data, and whether such processing would constitute a legitimate purpose that does not need the explicit consent of the employee. This question requires us to look at the wording of the Act. Section 7 of the Act enables the processing of personal data for “certain legitimate purposes”. It notes that data can be processed without explicit consent “for the purposes of employment”. However, this does not imply that pre-employment processing such as conducting background verification would constitute a legitimate purpose.[1] Even if the obligation of seeking consent does not apply to employers for such background verification, other obligations would continue to apply. Therefore, it is important to recognize the obligations listed in the Act so as to draft DPDP-compliant clauses in employment contracts.
Important Factors in Drafting a Comprehensive BGV Clause
Employing a Data Processor: More often than not, employers authorise another company, i.e., a data processor, to conduct such search and background verification checks on their behalf. It is thus important for the employer to mention this explicitly in the contract, letting the employee know that such a data processor is employed, or of the possibility of it, based on a valid contract in compliance with Section 8(2) of the Act.
Extent of Background Verification: It is advisable to elaborately describe the extent of such a background verification check i.e., the kinds of personal data collected during the process as well as the sources of information. It is advisable to seek consent from the employee to authorise any such external agency, government agency or such other organisation to furnish the details sought in the process.
Purpose Limitation: It is essential to clearly mention the purpose of conducting such checks. For instance, such a clause in an employment contract would usually read as follows:
“By signing the present Agreement, the Employee consents to and understands that the Company or its agent/ Data Processor will only use the information collected for the purposes of (if and as applicable) establishing or continuing his/her employment, including without limitation, evaluating his/her employment application, determining employment eligibility under the Company’s employment policies, assessing property and business risks to the Company, and otherwise as may be permitted or required by law.”
Obligations under the DPDP Act: An ideal clause should elaborately describe the obligations of the employer with regard to the safety of such personal data, including limiting the collection of personal data to what is necessary (i.e., Data Minimisation)[2], responding to the Employee’s requests to access, correct, complete or update their personal data collected during the Background Verification process (i.e., Right to Access and Correction)[3], and implementing appropriate technical security safeguards to protect the Employee’s personal data from unauthorised access, disclosure, alteration, or destruction (i.e., the obligation under Section 8(5) of the Act). It is also advisable to specify the Company’s Data Retention Policy, including the periods and purpose of retention (Right to Erasure and Data Retention). The Right to Access and Correction is also related to ensuring the accuracy and completeness of the information processed, the duty of maintaining which is upon the Data Fiduciary, here the Employer.[4] Hence, the Employer is advised to verify such information. The clause could in addition mention that “the Company may also conduct or initiate further verification inquiries with the Employee to ensure the completeness and accuracy of the collected data”.
Release and Sharing of Records: It is advisable to seek consent from the employee to the release of records obtained through such checks to authorised representatives or agents, and to affiliates, for the purposes described above including for regulatory/legal compliance.
International Transfers: The Employer may be a multinational corporation or have operations in multiple countries, which may require employee data to be routed, stored, or transferred internationally throughout the worldwide organisation or its vendors. It may also be necessary to share such data with contracted service providers and advisors (qualifying as Data Processors) who may be located globally. In such a scenario, it is advisable for the Employer to have a detailed policy for international transfers of data, in compliance with the applicable data protection laws and ensuring adequate protection for the data. For instance, the Kingdom of Saudi Arabia released a set of Standard Contractual Clauses in compliance with its law, similar to the European Commission’s Standard Contractual Clauses for transfers under the GDPR.[5]
Withdrawal of Consent: The Employer may include the right to withdraw consent, while stating that such a withdrawal of consent to the processing of data by the Employee shall impact their eligibility for employment.
Grievance Redressal: The Employer may also mention the contact details of [Data Protection Officer, if applicable] or such other person in the event of any grievance relating to data retention, processing, storage or breach of personal data, pursuant to which the matter shall be dealt with as per the Company’s Grievance Redressal Mechanism, in compliance with the obligations under Sections 8(9) and 8(10) of the Act.
False Information: The Employer must mention that the Employment is contingent upon a satisfactory Verification Report. In addition, it must also be stated that in case of any false or inaccurate information provided by the Employee, non-disclosure of relevant and material information, or an unsatisfactory reference/Background Verification report, the Employee’s employment/services shall stand terminated.
Additional Considerations
The above-mentioned clauses form an indispensable part of drafting a comprehensive Background Verification Clause. That apart, there are certain other considerations that the Employer may include depending upon its internal policies and requirements.
Some such additional considerations may include:
- Regulatory Reporting: The Clause can acknowledge the Employer’s obligation to report any data breaches or security incidents related to personal data collected during Background Verifications, as mandated by the DPDP Act.
- Duty to Update Information: The Clause can encourage Employees to keep the Company or the Employer informed of any changes to their personal information relevant for future Background Verifications.
- Transparency in AI-based Decisions: If the Employer uses AI or automated tools to analyse data collected during the Background Verification, the Clause can explain this practice in a transparent manner. It can specify the types of decisions made by AI and the human oversight involved.
These points offer additional options to tailor the Background Verification Clause to Employer-specific needs and industry practices. As stated, the specific points included in the Clause will depend on the Employer’s practices, industry regulations, and local data protection laws, and hence they have not been added to the important factors above.
Author: Vaibavi S G, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.
[1] Sammer Avasarala, Kumar Panda, Impact of DPDP Act on Employee Data, Lakshmikumaran Sridharan Attorneys (November, 03, 2023), https://www.lakshmisri.com/insights/articles/impact-of-dpdp-act-on-employee-data/#.
[2] The principle of Data Minimisation is embedded in Section 6 of the DPDP Act, under which the consent sought is to be limited to such personal data as is necessary for the specified purpose.
[3] In compliance with Sections 11 and 12 of the DPDP Act.
[4] The Digital Personal Data Protection Act, 2023, Section 8(3).
[5] Personal Data Transfers Outside the Kingdom and Standard Contractual Clauses, K&A, (August 26, 2024), https://www.khoshaim.com/blog/personal-data-transfer-outside-the-kingdom-and-the-standard-contractual-clauses-the-scc.