Sudhakar Raja

How the DPDP Act Impacts HR and Background Verifications: Key Insights

Updated: Nov 11

The new DPDP Act is coming, and coming soon. Are you equipped? In this newsletter we focus on the DPDP Act and its implications for the HR department, with an added focus on background verification.


About TRST Score:

TRST Score is the world’s only Human Risk Bureau (for employees, agents, gig workers etc.), offering AI-driven solutions for background checks in 60 seconds. With our tools, you can ensure DPDP Act-compliant background verifications while safeguarding sensitive data and minimizing HR risks.



Introduction to DPDP Act 2023:

The Digital Personal Data Protection (DPDP) Act is India's new law focused on safeguarding personal data in the digital space. The Act emphasizes user consent, transparency, and accountability in data processing, aiming to give individuals more control over their personal information and to strengthen privacy rights.

Non-compliance with the DPDP Act can result in hefty fines per incident. While the Act has been passed by Parliament, its official notification and implementation details are still pending.


What is PII Data?

Personally Identifiable Information (PII) refers to any data that can identify an individual, either directly or indirectly. This includes:

  • Basic Information: Names, contact details (address, email, phone), financial information (bank details, salary), and employment history.

  • Sensitive Data: Biometric data, racial/ethnic origin, sexual orientation, etc., which require stricter protection.



DPDP Act Top Frequently Asked Questions - ANSWERED.

1. Implications of Employees Vs Candidates on DPDP Act

  • Employees come under the ambit of implied consent: the company may process certain personal data relevant to employment. This includes collecting data related to payroll, compliance (e.g., tax, insurance, and benefits processing), qualifications, work history, and educational background, and often conducting a background verification.

  • Candidates, by submitting an application (whether via an online portal, email, or in person), implicitly agree that their personal data will be processed for the purpose of evaluating their suitability for the role. This is typically understood as implied consent and may also cover background verification. However, there is a crucial caveat: if you acquire a resume from platforms like Naukri, Monster, or LinkedIn without the candidate’s direct application, you cannot claim implied consent for processing their data or conducting background verification. This could be seen as a breach of the DPDP Act unless explicit consent is obtained from the candidate.

  • While implied consent covers basic personal data (e.g., name, contact information, employment history), explicit consent is still required if you use third-party background verification companies or check sensitive personal data, such as:

    • Health records, if applicable.

    • Criminal records (in certain jurisdictions).

    • Financial records (e.g., credit history or income).

  • Make sure your third-party background verification companies are also compliant with the DPDP Act.

  • TRST Score recommends explicit consent, preferably via eSign. The TRST Score consent manager helps you manage consent with eSign and provides best-practice consent template forms to reduce HR compliance risks.


2. Can you store PII data in Excel?

  • No, Excel is not secure enough for storing PII data. Consider using cloud-based tools such as Microsoft Excel with access control or Google Sheets. If using Excel is necessary, make sure to password-protect the file.


3. What about PDF Reports (e.g., Background Verification Reports)?

  • Always password-protect PDF reports containing PII. Make sure that your employees are trained on handling PII data, as unprotected transmission of it could be considered a violation. However, there are more secure alternatives than PDFs. Contact TRST Score to explore more robust solutions.


4. What is the Right to Information and Correction of Data?

  • Employees must be able to view and correct any inaccurate data collected about them. This is a key feature of the DPDP Act and should be reflected in your HR data practices. Does this mean that candidates and employees can view their background verification reports? Yes, they should be able to view the report, BUT YOU MUST REDACT information about employers and other details.

  • NDA vs PII: Companies sign NDAs with background verification companies, so which takes precedence? PII and the right to information take precedence over the NDA, but at the same time redacting the employer and information relating to the employer ensures compliance, since that information falls under both the DPDP Act and the NDA.

  • What about forced resignation? This is tricky. Contact TRST Score on how we can help you be compliant and at the same time give the facts about the case.


5. What is the Right to Be Forgotten, and what does it mean for HR?

  • The right to be forgotten is another key element of the DPDP Act. Does that mean your employee can ask that their data be deleted from your HR records? The simple answer is NO. Employees come under the ambit of "implied consent", and even candidates come under implied consent. We need to wait for actual implementation of the Act to have more clarity on "implied consent".


6. What are Data Storage (within India) implications on HR as per DPDP Act?

  • Data, including employee and candidate data, should be stored within India as per the DPDP Act. Even your email providers come under this ambit, so ensure you are compliant. Make sure PII data does not go outside India.


7. Is usage of WhatsApp considered kosher as per the DPDP Act?

  • This is tricky. You can't ask a person to sign up to WhatsApp, as user data is not stored in India, but if a user is already on WhatsApp and you engage with them, you are fine. It satisfies the condition of encryption, and data, once delivered, is not stored on WhatsApp servers but on the local storage of the phone, so the local storage requirement is satisfied. You should not send it to someone outside India, as that would violate the local storage requirement. So engaging via WhatsApp chatbots is fine, as per our understanding, as long as you don't force signup on WhatsApp.


8. What should an employee privacy notice include?

  • The privacy notice should inform employees about:

    • The types of personal data being collected.

    • The purposes for which the data will be used.

    • How long the data will be retained.

    • The rights of employees (e.g., to access, correct, or delete data).

    • How the data will be protected.

    • The details of any third parties with whom the data will be shared.


9. What is Limitation of Data Collection as per DPDP Act especially with respect to background verification?

  • The DPDP Act mandates the principle of data minimisation, which means that you should ONLY request and collect information from the ex-employer that is relevant and necessary for verifying the candidate’s work history or suitability for the new role. For example:

    • Valid Information: You can ask about the candidate's job title, dates of employment, performance, and work-related behavior that are directly relevant to the position they are applying for.

    • Restricted Information: Asking about personal issues, personal characteristics, or subjective opinions may be considered excessive and irrelevant for the background check unless explicitly required for the job role.


10. Can you look at financial stability or check ITR returns for background verification?

  • The simple answer is yes, but there are many caveats to that simple answer. Reach out to TRST Score for more information.


TRST Score: Your Partner in DPDP Act-Compliant Background Verifications

As the world’s only Human Risk Bureau, TRST Score helps you implement secure, compliant, and efficient background verification processes. Let us guide you through the DPDP Act and provide you with the tools and resources necessary to safeguard your organization’s data and ensure compliance.


Hope you found this newsletter useful. Please feel free to forward it to your friends.





Key words: DPDP Act, BGV, BGC, Background Verification, PII Data, Personally Identifiable Information


DPDP - Digital Personal Data Protection

BGV - Background Verification

BGC - Background Checks

PII - Personally Identifiable Information

