Implications of the DPDP Act: Checklist for Drafting BGV Clauses in Employment Contracts

With the Digital Personal Data Protection Act, 2023 [hereinafter “the Act”] in place, employers have to comply with certain privacy obligations. The Act, imposes the duty on all Data Fiduciaries to adopt such technical safeguards as to prevent data breach and seeks to protect all kinds of digital data, regardless of whether it is sensitive or not. It also provides for certain rights to a Data Principal. This framework shall also apply in the scenario of employee data being collected, managed, stored and processed by an employer. It is to be noted that employee data may be collected at different stages for different purposes i.e., during the employment say for performance assessment, provision of benefits, updation etc, at the termination of employment or even during the interview and selection process for background verification. The focus of this current piece rests on the last of the categories mentioned i.e., background verification. This piece explores the implications of the DPDP Act on drafting such Background Verification Clauses in employment contracts.

Given this factual matrix, the primary question that may arise in the minds of readers is with respect to the grounds of processing personal data and as to whether such a processing would constitute a legitimate purpose not needing the explicit consent of the employee. This question warrants us to look at the wordings of the Act. Section 7 of the Act enables the processing of personal data for “certain legitimate purposes”. It notes the data can be processed without explicit consent “for the purposes of employment”. However, the same does not imply that such pre-employment processing as that of conducting background verification would constitute a legitimate purpose.[1] Even if the obligation of seeking consent does not apply to employers for such background verification, other obligations would continue to apply. Therefore, it is important for us to recognize the obligations listed in the Act so as to draft DPDP-compliant clauses in employment contracts.

Important Factors in Drafting a Comprehensive BGV Clause

Employing a Data Processor: More often than not, employers authorise another company i.e, data processor to conduct such search and background verification checks on its behalf. It is thus important for the employer to mention the same explicitly in  the contract, letting the employer know of such a data processor being employed of the possibility of it, based on a valid contract in compliance with Section 8(2) of the Act.

Extent of Background Verification: It is advisable to elaborately describe the extent of such a background verification check i.e., the kinds of personal data collected during the process as well as the sources of information. It is advisable to seek consent from the employee to authorise any such external agency, government agency or such other organisation to furnish the details sought in the process.

Purpose Limitation: It is essential to clearly mention the purpose of conducting such checks. For instance, such a clause in an employment contract would usually read as follows:

By signing the present Agreement, the Employee consents to and understands that the Company or its agent/ Data Processor will only use the information collected for the purposes of (if and as applicable) establishing or continuing his/her employment, including without limitation, evaluating his/her employment application, determining employment eligibility under the Company’s employment policies, assessing property and business risks to the Company, and otherwise as may be permitted or required by law.”

[Image Sources: Shutterstock]

Digital Data Protection DPDA

Obligations under the DPDP Act: An ideal clause should elaborately describe the obligations of the employer with regards to the safety of such personal data, including limiting the collection of personal data to what is necessary (i.e., Data Minimisation)[2], responding to Employee’s requests to access, correct, complete or update their personal data collected during the Background Verification process (i.e., Right to Access and Correction)[3], implementing appropriate technical security safeguards to protect Employee’s personal data from unauthorised access, disclosure, alteration, or destruction (i.e., obligation under Section 8(5) of the Act). It is also advisable to specify the Company’s Data Retention Policy and the periods of retention and purpose, (Right to erasure and Data Retention). The Right access and correction is also related to ensuring the accuracy and completeness of the information processed, the duty of maintaining which is upon the Data Fiduciary, here the Employer.[4] Hence, the Employer is advised to verify such information. The clause in addition could mention that “the Company may also conduct or initiate further verification inquiries with the Employee to ensure the completeness and accuracy of the collected data”.

Release and Sharing of Records: It is advisable to seek consent from the employee to the release of records obtained through such checks to authorised representatives or agents, and to affiliates, for the purposes described above including for regulatory/legal compliance.

International Transfers: It could be possible for the Employer to be a multinational corporation or having operations in multiple countries, which may warrant the employee data to be routed, stored, or transferred internationally throughout the worldwide organisation or their vendors. It may also be necessary to share such data to contracted service providers and advisors (qualifying to be Data Processors) who may be located globally. In such a scenario, it is advisable for the Employer to have a detailed policy for international transfers of data in compliance with the applicable data protection laws ensuring adequate protection for the same. For instance, the Kingdom of Saudi Arabia released a set of Standard Contractual Clauses in compliance with its law, similar to that of the European Commission’s Standard Contractual Clauses for transfers under the GDPR.[5]

Withdrawal of Consent: The Employer may include the right to withdraw consent, however stating that such a withdrawal form processing data by the Employee shall impact their eligibility for employment.

Grievance Redressal: The Employer may also mention the contact details of [Data Protection Officer, if applicable] or such other person in the event of any grievance relating to data retention, processing, storage or breach of personal data, pursuant to which the matter shall be dealt with as per the Company’s Grievance Redressal Mechanism in compliance with obligation under Section 8(9) and 8(10) of the Act.

False Information: The Employer must mention that the Employment is contingent upon a satisfactory Verification Report. In addition, it must also be stated that in case of any false or inaccurate information provided by the Employee, non-disclosure of relevant and material information or unsatisfactory reference/Background Verification report, Employee’s employment/services shall stand terminated

Additional Considerations

The above mentioned clauses form an indispensable part of drafting a comprehensive Background Verification Clause. That apart, there are certain other considerations that the Employer may include depending upon the internal policies of the Employer and its requirements.

Some of such additional considerations may include:

  1. Regulatory Reporting: The Clause can acknowledge the Employer’s obligation to report any data breaches or security incidents related to personal data collected during Background Verifications, as mandated by the DPDP Act.
  2. Duty to Update Information: The Clause can encourage Employees to keep the Company or the Employer informed of any changes to their personal information relevant for future Background Verifications.
  3. Transparency in AI-based Decisions: If the Employer uses AI or automated tools to analyse data collected during the Background Verification, the Clause can explain this practice in a transparent manner. It can specify the types of decisions made by AI and the human oversight involved.

These points offer additional options to tailor the Background Verification Clause to Employer specific needs and industry practices. As stated, the specific points included in the Clause will depend on the Employer’s practices, industry regulations, and local data protection laws., hence have not been added to the important factors above.

Author: Vaibavi S G, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

[1] Sammer Avasarala, Kumar Panda, Impact of DPDP Act on Employee Data, Lakshmikumaran Sridharan Attorneys (November, 03, 2023), https://www.lakshmisri.com/insights/articles/impact-of-dpdp-act-on-employee-data/#.

[2] One can find the principle of Data Minimisation embedded in Section 6 of the DPDP Act, relating to seeking consent be limited to such personal data as is necessary for such specified purpose.

[3] In compliance with Section 11 and 12 of the DPDP Act.

[4] The Digital Personal Data Protection Act, 2023, Section 8(3).

[5] Personal Data Transfers Outside the Kingdom and Standard Contractual Clauses, K&A, (August 26, 2024), https://www.khoshaim.com/blog/personal-data-transfer-outside-the-kingdom-and-the-standard-contractual-clauses-the-scc.

Leave a Reply

Categories

Archives

  • December 2024
  • November 2024
  • October 2024
  • September 2024
  • August 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010