DPDPA for HR Departments: Employee Data Protection & Workplace Privacy
Human Resources departments manage sensitive employee personal data—from background checks and biometric attendance to performance evaluations and health information. The Digital Personal Data Protection Act (DPDPA) 2023 introduces comprehensive requirements for employee data protection, consent, and privacy rights that fundamentally change workplace data management practices.
Understanding Employee Consent Requirements
Traditional HR practices assume employer authority to collect employee data. Under DPDPA, even employment relationships require explicit, documented consent for data processing:
Employee Consent Form for Data Processing
MODEL EMPLOYEE CONSENT FORM FOR DATA PROCESSING
Employee Name: _________________________ Employee ID: _____________
Department: _________________ Position: _________________ Date of Joining: _________
EMPLOYMENT DATA PROCESSING CONSENT
I hereby consent to the collection and processing of my personal data for employment-related purposes:
1. Background Verification: I consent to background checks including criminal record verification, educational credential verification, and employment history verification. ☐ Yes ☐ No
2. Attendance and Access Control: I consent to collection of my attendance data, badge entry logs, and physical access records for workplace management. ☐ Yes ☐ No
3. Biometric Data (if applicable): I consent to collection and processing of my fingerprints/iris scans for biometric attendance and access control systems. ☐ Yes ☐ No
4. Performance Monitoring: I consent to collection of data about my job performance including work hours, task completion, and productivity metrics through HR systems. ☐ Yes ☐ No
5. Health and Safety Data: I consent to collection of occupational health data including medical check-up results for workplace safety purposes. ☐ Yes ☐ No
6. CCTV Monitoring: I acknowledge that CCTV monitoring is used in common areas (foyer, parking, cafeteria, not in restrooms/changing areas) and I consent to being recorded. ☐ Yes ☐ No
7. Communication Monitoring: I consent to monitoring of company-provided email and communication systems for security and policy compliance purposes. ☐ Yes ☐ No
8. Personnel File: I consent to maintaining a personnel file containing employment records, performance reviews, salary information. ☐ Yes ☐ No
9. Background Verification Updates: I consent to periodic background verification checks during my employment tenure. ☐ Yes ☐ No
Right to Withdrawal: I understand I can withdraw this consent at any time by written request to the HR department. However, withdrawal of background verification consent may affect my continued employment.
Data Security: I understand that all my data will be protected with encryption, access controls, and is accessible only to authorized HR personnel.
Employee Signature: _________________ Date: _________ HR Witness: _________________
Background Verification Under DPDPA
Background verification is routine in HR but requires careful DPDPA compliance:
Compliant Background Verification Process
- Scope Limitation: Verify only job-relevant information (criminal history, educational credentials, employment history)
- Prohibited Investigations: No social media monitoring, no investigation of family members, no caste/religion verification
- Verification Methods: Use authorized verification agencies only; do not conduct informal neighbor or reference checks
- Candidate Notification: Inform candidate exactly what information will be verified
- Result Confidentiality: Verification reports not shared with colleagues, kept secure in HR files
- Retention Period: Keep background check reports for employment period + 3 years, then delete
CCTV Monitoring Policies and Privacy
Many companies use CCTV for security. Under DPDPA, CCTV constitutes surveillance and requires strict compliance:
CCTV Compliance Framework
Permissible CCTV Use:
- Common areas (foyer, parking, cafeteria, corridors)
- Restricted areas with valuables or sensitive equipment
- Perimeter security and entry points
Prohibited CCTV Placement:
- Restrooms, changing rooms, showers
- Private employee offices without disclosure
- Medical examination areas
- Areas where employees expect privacy
CCTV Data Management:
- Retention Limit: Keep CCTV footage for a maximum of 3 months, then delete
- Access Control: Only authorized security personnel access footage
- Purpose Limitation: Footage used only for security purposes, not performance evaluation or discipline
- Notice Requirement: Clear signage indicating CCTV monitoring in operation
- Transparency: Employees can request whether they appear in CCTV footage
Biometric Attendance Systems and DPDPA
Biometric data (fingerprints, iris scans) is highly sensitive under DPDPA Section 3(d). When companies use biometric attendance:
- Explicit, Separate Consent: Specific consent required for biometric collection
- Purpose Limitation: Biometric data used only for attendance verification, not for identifying employees for other purposes
- Secure Storage: Biometric templates encrypted, with access limited to the biometric system only
- No Cross-Use: Cannot use attendance biometrics for identification in CCTV footage analysis
- Deletion on Exit: Delete biometric data when employee leaves company
- Alternative Provision: Employees objecting to biometrics must be provided alternative attendance method (card, password)
Example: IT Company with 5,000 Employees
A major IT company implemented DPDPA-compliant biometric systems with the following approach:
- Separate Consent: Biometric consent form signed separately from other HR consents
- Optional Nature: Employees objecting to biometrics offered card-based access alternative
- Encryption: All biometric templates encrypted end-to-end
- Audit Trail: Maintain logs of who accessed biometric system and when
- Vendor Management: Ensure biometric vendor (system provider) implements DPDPA compliance
- Data Deletion: Automated deletion of biometric data 3 months post-termination
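The consent form above and the biometric controls in this section boil down to three checks a practitioner has to implement: each purpose carries its own consent record that can be withdrawn, a data category may serve only its declared purpose (attendance templates are never used for CCTV identification), and every item has a deletion deadline. The following Python module is an added illustration, not code from the article or any HR vendor; the purpose names, category names and the sample employee record are constructed assumptions, while the retention figures are the article's own (CCTV footage kept at most 3 months, biometric templates deleted 3 months after termination, background check reports kept for the employment period plus 3 years).

```python
"""Consent gate and retention scheduler for employee data (added example).

Assumptions: purpose/category names and the sample employee are constructed;
retention figures follow the article (CCTV 3 months from capture, biometric
templates 3 months post-termination, background reports employment + 3 years).
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# One consent record per purpose, so biometric consent stays separate.
BIOMETRIC_ATTENDANCE = "biometric_attendance"
CCTV_SECURITY = "cctv_security"
BACKGROUND_CHECK = "background_check"

# Purpose limitation: which data category may serve which purpose.
# Biometric templates serve attendance only, never CCTV identification.
ALLOWED_USES = {
    ("biometric_template", BIOMETRIC_ATTENDANCE),
    ("cctv_footage", CCTV_SECURITY),
    ("background_report", BACKGROUND_CHECK),
}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic with day clamping (31 Mar + 3 months = 30 Jun)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Consent:
    granted_on: date
    withdrawn_on: Optional[date] = None

    def active(self, on: date) -> bool:
        """Consent covers dates from the grant up to, not including, withdrawal."""
        if on < self.granted_on:
            return False
        return self.withdrawn_on is None or on < self.withdrawn_on


@dataclass
class EmployeeRecord:
    employee_id: str
    consents: Dict[str, Consent] = field(default_factory=dict)
    termination_date: Optional[date] = None

    def grant(self, purpose: str, on: date) -> None:
        self.consents[purpose] = Consent(granted_on=on)

    def withdraw(self, purpose: str, on: date) -> None:
        if purpose in self.consents:
            self.consents[purpose].withdrawn_on = on


def may_process(rec: EmployeeRecord, category: str, purpose: str, on: date) -> bool:
    """Allow processing only for a permitted use backed by active consent."""
    if (category, purpose) not in ALLOWED_USES:
        return False  # cross-use is refused even when some consent exists
    consent = rec.consents.get(purpose)
    return consent is not None and consent.active(on)


def attendance_method(rec: EmployeeRecord, on: date) -> str:
    """Employees without active biometric consent fall back to card attendance."""
    ok = may_process(rec, "biometric_template", BIOMETRIC_ATTENDANCE, on)
    return "biometric" if ok else "card"


def deletion_due(category: str, captured_on: date, rec: EmployeeRecord) -> Optional[date]:
    """Deadline for deleting one item; None means 'retain while employed'."""
    if category == "cctv_footage":
        return add_months(captured_on, 3)            # 3-month cap from capture
    if rec.termination_date is None:
        return None
    if category == "biometric_template":
        return add_months(rec.termination_date, 3)   # 3 months post-termination
    if category == "background_report":
        return add_months(rec.termination_date, 36)  # employment period + 3 years
    raise ValueError(f"no retention rule for {category}")


Item = Tuple[str, date, EmployeeRecord]  # (category, captured_on, owner)


def items_due(inventory: List[Item], today: date) -> List[Tuple[str, str]]:
    """Return (employee_id, category) for every item whose deadline has passed."""
    due = []
    for category, captured_on, rec in inventory:
        deadline = deletion_due(category, captured_on, rec)
        if deadline is not None and deadline <= today:
            due.append((rec.employee_id, category))
    return due


def build_sample() -> Tuple[EmployeeRecord, List[Item]]:
    """Constructed sample: one employee with consents granted, later terminated."""
    rec = EmployeeRecord("EMP-0001", termination_date=date(2025, 3, 31))
    for purpose in (BIOMETRIC_ATTENDANCE, CCTV_SECURITY, BACKGROUND_CHECK):
        rec.grant(purpose, date(2024, 1, 10))
    inventory: List[Item] = [
        ("biometric_template", date(2024, 1, 10), rec),
        ("cctv_footage", date(2024, 11, 30), rec),
        ("background_report", date(2024, 1, 5), rec),
    ]
    return rec, inventory


if __name__ == "__main__":
    sample_rec, sample_inventory = build_sample()
    print(items_due(sample_inventory, date(2025, 7, 1)))
```

Withdrawal takes effect immediately in `may_process`, so a biometric reader querying the gate on the withdrawal date already receives "card" as the attendance method; the scheduler is independent of that and can be run nightly over the data inventory to produce the list of items the retention policy says must be purged.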
Health and Medical Data of Employees
Occupational health data (medical examinations, fitness certificates) constitutes sensitive health data requiring heightened protection:
- Separate Consent: Distinct consent for occupational health data collection
- Medical Privacy: Medical examination results kept separate from personnel file
- Doctor Confidentiality: Occupational health doctor maintains confidentiality—HR doesn't access raw medical data
- Limited Sharing: Medical information shared only with relevant safety teams for job-specific accommodations
- Prohibition: Cannot use occupational health data for performance evaluation or discrimination
- Retention: Keep medical data only for occupational safety purposes, typically 5 years
Performance Evaluation and Monitoring
HR systems collect extensive performance data. DPDPA requires transparency about monitoring:
Compliant Performance Management
Example: Factory with Biometric Systems and Manual Labor Tracking
- Transparent Metrics: Employees informed exactly what performance metrics are tracked
- Appropriate Monitoring: Work output, quality metrics tracked—not keyboard monitoring or constant surveillance
- Manual vs. Automated: If using automated monitoring tools (keystroke monitors, activity logging), explicit separate consent required
- No Covert Monitoring: Cannot secretly monitor employees outside of disclosed systems
- Data Retention: Performance data kept for employment period + 2-3 years
- Aggregation vs. Individual: Can use aggregated performance data for process improvement—not individual profiling
POSH Act Intersection with DPDPA
The Prevention of Sexual Harassment (POSH) Act requires handling employee complaints about sexual harassment. This creates an intersection with DPDPA:
- Confidentiality Duty: While POSH requires investigation, DPDPA requires confidentiality of complainant and accused data
- Data Minimization: Only share harassment complaint data with individuals directly involved in investigation
- Retention Limits: Keep complaint records for prescribed period (typically 5 years), then delete
- No Secondary Use: Complaint data used only for POSH investigation, not for other HR decisions
- Cross-Reporting Caution: Complaints should not automatically trigger performance file entries
Whistleblower Data Protection
Companies with whistleblower policies must protect whistleblower data under DPDPA:
- Confidentiality: Whistleblower identity kept strictly confidential
- Retaliation Protection: Company cannot retaliate against whistleblower for reporting
- Data Access: Only authorized personnel (audit committee, legal counsel) access whistleblower reports
- Secure Channels: Anonymous/confidential reporting channels (hotlines, encrypted platforms)
- Retention Policy: Keep whistleblower data confidentially for investigation period + statutory requirements
Key Takeaways for HR Department Compliance
- ✓ Obtain explicit employee consent for all data processing activities
- ✓ Provide employee consent forms covering background checks, biometrics, CCTV, monitoring
- ✓ Limit background verification to job-relevant information
- ✓ Implement CCTV only in non-private areas with clear notification
- ✓ Provide biometric monitoring alternatives (card-based access)
- ✓ Keep occupational health data separately from personnel files
- ✓ Maintain performance monitoring transparency
- ✓ Protect whistleblower and POSH complaint confidentiality
- ✓ Establish clear data retention and deletion policies
- ✓ Implement employee data access request mechanisms
- ✓ Train HR staff on DPDPA obligations
Conclusion
DPDPA transforms HR from unilateral employer control over employee data to a consent-based, transparent model. HR departments that implement clear consent mechanisms, respect employee privacy rights, and maintain transparent data practices will build stronger employer-employee relationships while achieving legal compliance.
The future of Indian HR practices will increasingly depend on recognizing employees not just as human resources, but as individuals with fundamental privacy rights—a principle that DPDPA enshrines and enforces.