Prospective employee background checks: privacy considerations for employers in India

Wednesday 30 April 2025

Aparna Gaur
Trilegal, Delhi
aparna.gaur@trilegal.com

Archita Mohapatra
Trilegal, Delhi
archita.mohapatra@trilegal.com

Mohtashim Shariff
Trilegal, Delhi
mohtashim.shariff@trilegal.com

Introduction

In an employment scenario, background checks are essential for verifying the credentials of candidates to safeguard the interests of the employer. Background checks typically include verification of a person’s identity, employment history, educational qualifications and criminal records, as well as financial background assessments, based on disclosures made by the candidate and on data extracted from other sources.

Such checks raise certain legal concerns from a data protection perspective, especially when third-party tools are used for these purposes, including for collecting data about an individual from various sources. While the current Indian data privacy regime allows the processing of personal information without consent, so long as such information does not contain ‘sensitive personal data or information’, employers will need to think through the implications and review their data processing practices in light of India’s new data protection regime, which broadly applies to all forms of ‘personal data’. This article discusses the relevant considerations when conducting background verification checks on prospective employees from a data protection perspective.

Considerations under Indian privacy laws

India enacted the Digital Personal Data Protection Act 2023 (the ‘DPDP Act’) in August 2023. The DPDP Act has not been brought into force yet, but aims to replace the existing data privacy regime, namely the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the ‘Privacy Rules’), issued under the Information Technology Act 2000 (the ‘IT Act’). The DPDP Act poses significant monetary penalties in cases of ‘significant’ non-compliance of up to INR 250 crore (approximately $30m). The necessary considerations from the perspective of both regimes are discussed below.

The Privacy Rules

A primary concern involving the processing of a candidate’s information for the purpose of carrying out background checks is whether appropriate consent is in place. The Privacy Rules distinguish between personal information (PI) and sensitive personal information (SPI). SPI is defined to include inter alia sexual orientation and financial and medical information. Consent is the primary ground for the processing of SPI under the Privacy Rules. If carrying out background checks is likely to involve the processing of SPI, employers should obtain consent and comply with the other relevant obligations set out in the Privacy Rules.

DPDP Act

The DPDP Act does not distinguish between personal data and sensitive personal data. Obligations under the DPDP Act apply to all ‘personal data’ which is collected in digital form, or collected in non-digital form and subsequently converted into digital form. Personal data has been broadly defined to include any data about an individual who is identifiable by or in relation to such data. The DPDP Act does not apply to data which is made publicly available either by the data principal (data subject) or by another person as the result of a legal obligation. However, the contours of ‘publicly available’ data remain unclear. Currently, there is no guidance on whether personal data sourced from online platforms, such as social media, would be treated as publicly available. Therefore, when data is collected from online platforms, the obligations under the DPDP Act may remain applicable.

There are two grounds for processing data under the DPDP Act, namely where consent has been given by the data subject and for certain specifically identified ‘legitimate uses’. Consent is not required for processing personal data under any of the legitimate use grounds. Pertinently, the specific grounds listed as ‘legitimate uses’ in the DPDP Act are narrower than the ‘legitimate interest’ ground under the General Data Protection Regulation (GDPR) as applicable in the European Union. While the latter is non-exhaustive as to what may qualify as a legitimate interest, the DPDP Act provides an exhaustive list of nine limited legitimate uses for which personal data may be processed without consent.

One of the legitimate uses under the DPDP Act is the processing of personal data for the ‘purposes of employment’ or to safeguard the employer from any loss or liability, such as the prevention of corporate espionage. It is unclear whether this ‘purposes of employment’ legitimate use covers the processing of the data of prospective employees, as the language of the law appears to envisage an existing employer–employee relationship. Accordingly, employers should consider relying on consent for such data processing activities.

Background checks by third-party service providers

The data fiduciary is responsible for ensuring compliance with the DPDP Act with respect to any processing it carries out itself or through any data processors (persons processing data on behalf of the data fiduciary) engaged by it. With respect to the engagement of third-party service providers for background verification purposes, whether such third parties act as mere data processors or as independent data fiduciaries is a functional classification that depends on the nature of their processing activities. Typically, such third-party service providers act purely as data processors when their processing of the personal data is solely on behalf of the employer. In such cases, the obligation to comply with the DPDP Act, including the obligation to obtain consent, rests with the employer. That said, employers should pass down certain obligations under the DPDP Act to such service providers to ensure adequate compliance, including, among others, the obligation to have reasonable security standards in place, to report personal data breaches and to assist with the exercise of data principal rights.

The way forward

While background verification is essential at the time of hiring employees, employers need to strike a balance between this need and protecting individual data privacy rights. Some key practices that may be adopted by employers to ensure compliance with the relevant data privacy laws include:

  • the adoption of a clear and transparent background verification policy: employers should implement a clear policy detailing the scope, limited purpose and procedure for conducting background checks. The policy should outline the types of data collected; how it is processed, stored and transferred; whether the data will be shared with a third-party service provider; and whether that provider acts as a data fiduciary or as a data processor for the employer. This would help in mitigating risks related to data misuse, security breaches and unauthorised access;
  • ensuring compliance with the obligations in the DPDP Act: employers, as data fiduciaries, must ensure that, prior to the collection of any personal data, all the relevant obligations concerning the collection, processing and storage of personal data are complied with, including obtaining explicit consent from the data subject, in accordance with the DPDP Act; and
  • reviewing engagement with third-party service providers: if third-party service providers are conducting background checks on behalf of employers, the relevant obligations will need to be passed down contractually. Accordingly, employers should review their contracts with any agencies conducting such checks to ensure that those agencies are bound by the obligations under the DPDP Act.

With India’s data protection landscape evolving rapidly, employers should stay updated on the ensuing regulatory developments and adopt a proactive approach to safeguarding employee privacy, while maintaining an efficient and lawful hiring process.