These FAQs on Data Protection of Employees cover the relevant checklist that companies should follow, including how to store and handle the information and how to communicate with employees about data protection.
No specific law governing data privacy exists in India as of now. The statutory provisions regarding the protection of employees’ data are instead found in the Information Technology Act, 2000. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Information Technology Rules), notified in April 2011 under Section 43A of the Information Technology Act, prescribe the security practices and procedures that must be followed by companies that collect, receive, possess, store, deal with, or handle any “information,” “personal information” (PI), or “sensitive personal data or information” (SPDI) maintained in a computer resource that is owned, controlled, or operated by the company.
For purposes of the Information Technology Act, 2000 and the Information Technology Rules, “sensitive personal data or information” of a person means such personal information that consists of information relating to the following:
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing services; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”
When collecting information directly from the person concerned, a company or any person acting on its behalf must take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of the following:
The company must ensure that the information collected is used for the purposes for which it has been collected.
With respect to SPDI, a company or any person collecting information on its behalf must obtain written consent, through letter, fax, or e-mail, from the provider of that data or information regarding the purpose of its use before collecting the SPDI. Further, a company or any person collecting information on its behalf may not collect SPDI except under the following circumstances:
Prior to collecting any SPDI, the company or any person acting on its behalf must give the provider the option not to supply the data or information. A provider of SPDI also has the option to withdraw consent given earlier by sending written notice to the company. If a provider chooses not to supply SPDI or later withdraws his or her consent, the company has the option not to provide the goods or services for which the information was sought.
No company or any other person who is holding SPDI on its behalf is allowed to retain it longer than is required for the purposes for which the SPDI may lawfully be used or is otherwise required under any other law.
The Information Technology Rules also establish the following conditions for the disclosure of SPDI:
The Information Technology Rules also provide that a company or other person acting on its behalf may transfer SPDI to any other company or person in India, or located in any other country, that ensures the same level of data protection adhered to by the transferring company and as prescribed by the Information Technology Rules. However, a transfer may be allowed only if it is necessary for the performance of a lawful contract between the company or other person acting on its behalf and the provider, or where the provider has consented to the transfer.
A company or any person acting on its behalf must permit providers of information, as and when they request, to review the information provided and ensure that any PI or SPDI that is found to be inaccurate or deficient is corrected or amended, to the extent feasible. However, a company will not be held responsible for the authenticity of the PI or SPDI supplied by a provider to the company or other person acting on its behalf.
A company or other person acting on its behalf must adopt and implement reasonable security practices and standards and maintain a comprehensive documented information security program and information security policies that contain managerial, technical, operational, and physical security control measures commensurate with the information being protected and the nature of the business. In the event of an information security breach, the company will be required, when called upon to do so by the agency mandated under the law, to demonstrate that it has implemented the security control measures set out in its documented information security program and information security policies. The Information Technology Rules recognize two means by which a company can implement reasonable security practices and procedures, as follows:
All companies or persons acting on their behalf also must ensure an audit of their security practices and procedures, which must be carried out by a government-approved independent auditor at least once a year or as and when a company undertakes a significant upgrade of its process or computer resources.
Companies must address any discrepancies and grievances of providers, with respect to the processing of information, in a timely manner. For this purpose, the company must designate a grievance officer, who must expeditiously, i.e., within one month from the date of receipt of grievance, redress any discrepancies and grievances. The name and contact details of the appointed grievance officer must be published on the company’s website.
The government has introduced the Personal Data Protection Bill, 2018 and 2019 which aims to regulate the processing of personal data of individuals (known as data principals) by the government and private entities (data fiduciaries) incorporated in or outside India. Once enacted, this legislation will supersede Section 43A of the Information Technology Act, 2000 and the Information Technology Rules.