Protecting Employees’ Personal Data

The draft Digital Data Protection (DDP) Bill, 2022¹ was released on 18 November 2022 along with an explanatory note² for comments and suggestions. It seeks to provide an overarching framework for formulating clear and transparent rules and regulations regarding when and how personal data can be accessed and processed by various entities, including the government. The bill has received enough criticism for diluting the provisions and safeguards in the 2019 draft bill and the subsequent 2021 joint parliamentary committee (JPC) report on it (Mathi 2022). This article analyses the bill from an employment and employee data perspective. First, it discusses the implications of Section 8(7), deemed consent, for emp­loyment purposes, especially for workers in the platform economy. Then, taking the example of two government agency websites containing employee data, it discusses the importance of imp­roving privacy provisions and safeguards.

As per the DDP Bill, 2022, “personal data” encompasses any information that can be used to identify an individual. The person with whom personal data is ass­ociated has been referred to as the “data principal.” The “data fiduciary” is the ­entity (individual, company, firm, state, etc,) that determines the purpose and methods of processing an individual’s personal data. Section 7 of the bill mandates data fiduciaries to seek consent, “agreement to the processing of her personal data for the specified purpose.” It gives the data principal the right to choose any language specified by the Eighth Schedule of the Indian Constitution for the consent request. The bill also provides a right to withdraw consent at any time.