Data Privacy Newsletter – Privacy in Recruitment Process: Complying with Indian Data Privacy Laws : August 2024
Recruitment is an essential process in any organization and involves the collection and processing of significant amounts of personal data from candidates. As recruitment practices increasingly go digital, safeguarding this data becomes ever more crucial.
In India, any kind of personal data processing in recruitment processes is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”), and the Digital Personal Data Protection Act, 2023 (the “DPDPA”). The DPDPA while enacted is not yet effective.
This newsletter explores privacy considerations in the recruitment process, detailing legal requirements and offering good practices for Human Resource (“HR”) departments in India.
1. Indian Privacy Laws and Recruitment Data and Processes
- Sensitive Personal Data under SPDI Rules: During recruitment, HR departments often collect personal data such as names, contact details, resumes and educational details; sensitive personal data is also collected for background checks, medical examinations and other purposes. Under the SPDI Rules, “sensitive personal data or information” (“SPDI”) includes details such as passwords, financial information, health conditions, sexual orientation and biometric data. Organizations must obtain explicit consent before collecting such personal data as well as SPDI, must use it only for the intended purpose, and must secure it against unauthorized access.
- Consent and Transparency under DPDPA 2023: The DPDPA emphasizes the need for clear and informed consent. Every data request made to a candidate (Data Principal) by an employer (Data Fiduciary) must include a privacy notice that transparently provides the details of personal data being collected, the purpose of processing, and the rights of the candidate. Consent under the DPDPA must be “freely given, specific, informed, and unambiguous”, and candidates must be informed about their rights to withdraw consent and how to exercise them. Further, the DPDPA also requires the Privacy Notice and Consent to be made available and translated into the local Indian language (over 22 local languages are identified in India).
2. Privacy Considerations in the Recruitment Process
- Data Collection and Minimization: Data minimization is a key principle under both the SPDI Rules and the DPDPA. Organizations are required to collect only the personal data necessary for the recruitment process. This ensures that candidates’ personal data is not excessively collected and is only used for specified legitimate purposes.
Illustration: An HR team hiring for a customer service role collects only relevant data such as communication skills and past job experience, avoiding unnecessary details like marital status.
- Using Applicant Tracking Systems: Applicant Tracking Systems (“ATS”) are widely used in recruitment to manage tasks digitally, such as job postings, application management, and candidate screening. The use of ATS must comply with data protection obligations as per the DPDPA and SPDI Rules, particularly in managing consent and ensuring candidates can exercise their data rights.
Illustration: An ATS used by an organization ensures that candidates can easily provide, withdraw, or modify their consent, ensuring that only authorized data is processed.
- Managing Third-Party Service Providers: Employers often engage third-party service providers for tasks like background checks. Under the DPDPA, these providers are classified as ‘data processors’, and while they do not have direct statutory obligations, the employer must ensure that these third parties adhere to strict data protection standards. The best practice is to sign contracts in the form of robust data processing agreements with third parties/vendors/service providers.
Illustration: An organization engages a background verification agency, ensuring the contract specifies the limited scope of data processing, data protection measures, and compliance with the DPDPA. The HR department conducts regular audits of third-party processors to ensure compliance with data protection standards and identify any risks.
- Pre-Employment Screening: Pre-employment screening processes, such as background checks, often require processing sensitive personal data. Explicit consent must be obtained from the candidate before any screening is conducted to comply with data privacy laws.
Illustration: Before a background check, HR informs the candidate of the process, its purpose, and the data involved, securing explicit consent to proceed. For a position requiring high security, only necessary screenings, such as criminal checks, are performed, and candidates are informed of the specifics.
- Data Storage and Retention Policies: The DPDPA mandates that personal data should not be retained longer than necessary. This means that once the recruitment process is complete, candidate data should be deleted unless there is a legal or operational need to retain it, and this must be clearly communicated to the candidate.
Illustration: An organization sets a policy to retain unsuccessful candidate data for six months post-recruitment, after which the data is automatically deleted unless the candidate consents to longer retention. If a candidate requests the deletion of their data, the organization promptly complies, ensuring that unnecessary data is not retained.
- Security Measures: Both the SPDI Rules and the DPDPA require organizations to implement robust security measures to protect candidate data from unauthorized access and breaches. This includes encryption, access control, and regular audits.
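The retention illustration above (six-month default, consent to longer retention, prompt deletion on request, retention only where a legal or operational need is documented) can be enforced as a deterministic rule evaluated by a scheduled job. The following is an added example written for this newsletter, not code from any ATS vendor; the record fields, the 183-day approximation of six months and the sample candidates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed default retention for unsuccessful candidates: roughly six months.
DEFAULT_RETENTION = timedelta(days=183)

@dataclass
class CandidateRecord:
    candidate_id: str
    recruitment_closed: date                   # date the hiring decision was made
    hired: bool = False
    consent_retain_until: Optional[date] = None  # explicit consent to longer retention
    deletion_requested: bool = False           # candidate exercised the right to erasure
    legal_hold_reason: Optional[str] = None    # documented legal/operational need

def retention_decision(rec: CandidateRecord, today: date) -> tuple[str, str]:
    """Return ("retain" | "delete", reason) for one record on a given day.

    Precedence: a documented legal need overrides an erasure request; an
    erasure request overrides consent-based extension; consent-based
    extension overrides the default window.
    """
    if rec.hired:
        return "retain", "hired: data continues under the onboarding notice"
    if rec.legal_hold_reason:
        return "retain", f"legal/operational need: {rec.legal_hold_reason}"
    if rec.deletion_requested:
        return "delete", "erasure request: delete promptly"
    if rec.consent_retain_until and today <= rec.consent_retain_until:
        return "retain", f"candidate consented to retention until {rec.consent_retain_until}"
    if today <= rec.recruitment_closed + DEFAULT_RETENTION:
        return "retain", "within default six-month window"
    return "delete", "default retention window expired"

def run_retention_sweep(records, today: date) -> dict:
    """Evaluate every record; a real job would act on the 'delete' entries and log both."""
    return {r.candidate_id: retention_decision(r, today) for r in records}

# Constructed sample records (not real candidates); sweep date 2024-08-01.
SAMPLE = [
    CandidateRecord("c1", date(2024, 1, 15)),
    CandidateRecord("c2", date(2024, 5, 1)),
    CandidateRecord("c3", date(2024, 1, 15), consent_retain_until=date(2024, 12, 31)),
    CandidateRecord("c4", date(2024, 5, 1), deletion_requested=True),
    CandidateRecord("c5", date(2024, 1, 15), legal_hold_reason="pending dispute"),
    CandidateRecord("c6", date(2024, 5, 1), hired=True),
]

if __name__ == "__main__":
    for cid, (action, why) in run_retention_sweep(SAMPLE, date(2024, 8, 1)).items():
        print(f"{cid}: {action} ({why})")
```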
Illustration: All candidate data stored in the company’s database is encrypted, ensuring that even in the event of unauthorized access, the data remains protected. Only HR personnel involved in the recruitment process have access to sensitive candidate data, and access logs are regularly reviewed.
- Rights of Candidates under DPDPA: The DPDPA grants several rights to candidates regarding their personal data, including the right to access, the right to rectification, the right to erasure, and the right to nominate. HR departments must ensure they have processes in place to respond promptly to these requests.
Illustration: A candidate requests access to their personal data stored by the organization, and the HR team provides this promptly, as required by the DPDPA. A candidate identifies an error in their personal data and requests a correction, which the HR department swiftly makes to ensure accuracy.
- Training and Awareness for HR Teams: To ensure compliance with the DPDPA and SPDI Rules, all staff involved in recruitment should receive adequate training on data privacy practices, including how to obtain and manage consent, handle data subject rights, and maintain data security.
Illustration: HR staff participate in quarterly training sessions focused on the latest developments in data protection and best practices for handling candidate data securely. HR teams attend workshops to deepen their understanding of specific aspects of the DPDPA and how these apply to daily recruitment tasks.
3. Key Takeaways and Good Practices
- Obtain explicit consent: Always obtain explicit, informed consent accompanied by privacy notices from candidates before collecting or processing their personal data, as required by the DPDPA and SPDI Rules.
- Provide clear privacy notices covering recruitment-related personal data or candidate privacy policy: Ensure that privacy notices are detailed and accessible, outlining the purpose of data collection and candidates’ rights under the DPDPA.
- Collect only necessary data: Adhere to the principles of data minimization by collecting only the data necessary for the recruitment process.
- Use DPDPA-Compliant Applicant Tracking Systems: Ensure that any Applicant Tracking System used is compliant with the DPDPA, particularly in managing consent and data subject rights.
- Vendor Management and Vendor Data Processing Agreements: Establish comprehensive contracts such as ‘Data Processing Agreements’ with third-party service providers, ensuring they comply with data protection standards as outlined in the DPDPA. It is also important to undertake prior screening and periodic audits of the critical vendors.
- Implement Data Retention Policies: Define and enforce data retention periods for candidate data, ensuring compliance with the DPDPA.
- Enhance Data Security: Implement robust data security measures, such as encryption and access control, to protect candidate data.
- Respect Candidate Privacy Rights: Be prepared to respond to candidate requests for accessing, rectifying, or deleting their data.
- Provide Regular Training: Conduct regular training sessions for HR staff on data privacy best practices and compliance with the DPDPA and SPDI Rules.
- Designate a Grievance Officer or a Data Protection Officer for privacy matters.
By adhering to these guidelines, HR departments can effectively navigate the complexities of data privacy in recruitment, ensuring compliance with Indian laws while fostering a responsible and ethical hiring process.
Data Privacy in the Recruitment Process
| Steps in Recruitment Process | Data Flows | Privacy Issues | Good Practices |
| --- | --- | --- | --- |
| Job Posting & Application Collection | Collect name, contact info, resume, cover letter; store data in ATS | Risk of collecting excessive data; need for clear privacy notice | Provide a privacy notice at the application stage; collect only necessary data; obtain explicit consent |
| Screening & Shortlisting | Review resumes, assessment scores; evaluate candidate fit | Unauthorized data access; handling sensitive data | Limit access to authorized personnel; obtain specific consent for additional data |
| Background Verification | Collect criminal records, employment history; share with third-party agencies | Data breaches; unauthorized data sharing | Provide detailed privacy notice; obtain explicit consent; sign Data Processing Agreements with vendors |
| Interview Process | Record interview sessions (if applicable); capture feedback, store evaluations | Privacy concerns with recording; security of interview data | Inform candidates of recording; securely store notes/recordings; delete when no longer needed |
| Offer & Onboarding | Collect bank details, ID numbers, health records; finalize employment contract | Mishandling sensitive data; need for fresh consent | Provide onboarding privacy notice; obtain fresh explicit consent; use strong encryption and access control |
| Data Retention & Deletion | Store candidate data for future openings; comply with legal retention requirements | Non-compliance with retention limits; obligation to delete data upon request | Create a data retention policy and define retention periods; regularly review and delete data; inform candidates of their right to deletion |