As HR functions have become increasingly digital, most organisations have focused their attention on systems, platforms, and compliance documentation. What has received far less attention is how deeply everyday HR judgement has been reshaped by digital personal data laws.
However, the way personal data is actually handled is shaped by HR workflows, recruitment pipelines, onboarding documentation, HRMS configuration, performance records, investigation files, engagement communications, and post-employment archives.
This is why data protection responsibility does not remain confined to notices or policies. It directly reshapes HR process design and behaviour. If HR does not understand where personal data flows within these processes, it cannot claim real control over compliance or employee trust.
A foundational insight for HR practitioners is that personal data is far broader than commonly assumed. While names, contact details, PAN, Aadhaar, and bank information are clearly personal data, identification does not require a person’s name to be present.
In HR contexts, individuals can often be identified indirectly, through role descriptions, unique designations, niche skill sets, reporting relationships, assessment narratives, performance reviews, or internal codes that HR teams can easily map back to specific employees or candidates. If HR can reasonably identify the individual, the data is personal data.
This has important implications for how HR shares information internally, prepares reports, circulates resumes, documents investigations, and stores historical records.
One of the most critical distinctions HR must now apply is between data use that qualifies as being “for employment purposes” and data use that requires explicit consent.
Personal data may be used without consent when it is reasonably necessary for entering into an employment relationship, administering that relationship across its lifecycle, or meeting statutory, contractual, or risk management obligations arising from employment. This includes recruitment decisions, payroll processing, attendance tracking, performance management, statutory reporting, benefits administration, disciplinary processes, investigations, and lawful record retention.
However, many HR practices that have traditionally been treated as routine, often driven by convenience, culture, or goodwill, do not automatically fall within employment purpose. When data collected for one purpose is reused for another, HR must pause and reassess whether consent is required.
Consider the common practice of collecting an employee’s date of birth. This is legitimately required for age verification, statutory thresholds, and benefits eligibility. However, using the same data to circulate birthday announcements, publish calendars, or conduct engagement activities is a different purpose altogether.
Similarly, resumes enter the organisation for recruitment purposes. Yet in many organisations they move freely across inboxes, are forwarded multiple times, downloaded locally, stored in personal folders, and retained beyond hiring decisions. Even when the intent remains recruitment, uncontrolled circulation creates governance and erasure challenges.
These examples do not suggest that HR initiatives must stop. They highlight the need for clearer governance logic, transparent purpose definition, and informed judgement at the point of use.
As awareness increases, HR teams are increasingly asked practical questions: What personal data do you hold about me? Why is it being retained? Who can access it? How can I withdraw consent? Can my data be erased?
Responding to these questions requires more than good intent. HR must be able to explain retention logic, consent scope, erasure decisions, and lawful limitations, consistently and defensibly. Informal explanations or ad‑hoc responses are no longer sufficient in a digital workplace.
The right to request erasure introduces another area where HR judgement is tested. If personal data is still required for lawful employment or statutory purposes, it may be retained, but that decision must be clearly explainable. Where the purpose no longer exists, data must be erased, and HR must be able to confirm that erasure.
This distinction becomes particularly important in recruitment, where candidate expectations vary significantly depending on whether hiring processes progressed or concluded.
The report also addresses situations HR teams may encounter less frequently but which carry higher risk, such as handling personal data of children in internship programmes, educational collaborations, CSR initiatives, or dependent-related benefits. In these situations, consent, verification, and usage restrictions require additional care.
It further introduces governance concepts such as nomination of a Data Principal in case of death or incapacity, underscoring that responsible data stewardship must anticipate complexity rather than react to crises.
This article deliberately covers only part of the practitioner thinking required. The complete report goes further, translating these principles into structured frameworks, internal controls, training foundations, and HR-specific checklists that teams can actually use.
It is designed to help HR move from good intent to defensible practice, reduce avoidable people‑data risk, and operate with clarity and confidence in a data‑driven workplace.
Download the complete HR practitioner playbook (Report 19) to access the full framework.