In most organisations, data security is something we instinctively associate with technology teams. We assume that if firewalls are in place, passwords are strong, and systems are secured, then data protection is being handled. But from a HR practitioner’s perspective, this assumption is incomplete.
The responsibility for protecting personal data does not end once systems are in place. It continues through how that data is handled every single day. This is where HR becomes central to data protection.
If we step back and look at how organisations function, HR is one of the primary functions dealing with personal data on an ongoing basis. Employee records, salary information, identity documents, and personal details are all handled repeatedly as part of HR processes. This means that while the organisation may be the data fiduciary, the day-to-day accountability often sits with HR.
We already recognise the importance of protecting assets such as money, insurance coverage, and intellectual property. Personal data belongs in the same category. It is not administrative information that can be handled casually. It is an asset that requires deliberate protection.
One practical way to think about this is through the idea of nomination. Organisations already implement nominations for gratuity and insurance benefits. Extending a similar approach to personal data creates foresight. Identifying nominees who can act on data rights in situations such as death or incapacity ensures that personal data remains governed even when the individual is not able to act.
This is not about adding another layer of compliance. It is about recognising that personal data, like other critical assets, requires continuity and accountability beyond regular operations.
At a broader level, the principle is straightforward: the data fiduciary is responsible for protecting personal data at all times. In the context of organisations, this means that the organisation is accountable for any data that it collects, stores, or uses.
However, when this principle is translated into day-to-day functioning, HR becomes the function through which much of this responsibility is operationalised. Data is not just stored in systems; it is accessed, shared, processed, and used by HR teams on a daily basis.
This also means that in the event of a data breach, employees can point to the organisation and state that the breach occurred due to negligence or carelessness in handling personal data. The implications of such situations are not minor. The exposure can be significant both in terms of accountability and financial penalties.
It is common to believe that strong IT systems are enough to ensure data security. Organisations invest in firewalls, password protocols, surveillance systems, and access controls. While these are necessary, they are not sufficient.
Data breaches do not always happen because systems fail. In many cases, they happen because individuals do not follow basic practices.
For example, leaving a computer unlocked when stepping away from a desk creates an immediate risk. Anyone with access to that screen can view, copy, or transmit data. The system itself may be secure, but the behaviour surrounding it creates vulnerability.
This is where HR practitioners need to internalise that data protection is not just about infrastructure. It is about how that infrastructure is used.
Many data breaches originate from routine HR activities that are performed without sufficient attention.
Consider the handling of salary files. These are among the most sensitive sets of information within an organisation. Sharing these files over email without password protection creates a direct risk. If such a file reaches an unintended recipient, the breach is not due to system failure, but due to handling practices.
Similarly, sending emails without any delay mechanism increases the chances of accidental disclosure. A simple error in selecting the wrong email address can result in confidential data being sent outside the intended audience. Introducing a brief delay before emails are sent provides an opportunity to correct such mistakes.
The broader question HR practitioners must ask themselves is whether email is the only way to transfer data. Can internal systems such as an HRMS, shared drives, or access-controlled platforms be used instead?
These are not technology questions. They are judgement calls made by HR in everyday work.
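The two safeguards described above for outbound email, holding a salary file that is unprotected or mis-addressed, and a short delay window in which a sender can recall a message, can be expressed as simple checks. The following is an added illustration, not code from the article or from India HR Guide; the internal domain `example.org`, the file-name pattern, the 60-second delay and the sample messages are all constructed for the example, and no real mail client is involved.

```python
"""Outbound-mail safeguards for HR files (added example; not from the article).

Models two practices from the text: holding mail that carries an unprotected or
mis-addressed sensitive attachment, and a send delay that gives the sender a
window to recall a message. Everything is in memory; the internal domain, the
file-name pattern, the delay and the sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.org"}  # assumed internal mail domain (constructed)
SENSITIVE_NAME = re.compile(r"salary|payroll|payslip|identity|passport", re.IGNORECASE)
SEND_DELAY_SECONDS = 60  # assumed delay window before a queued message is released


@dataclass
class Attachment:
    name: str
    password_protected: bool  # whether the sender protected the file before attaching


@dataclass
class Message:
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)


def external_recipients(msg):
    """Recipients whose mail domain is not one of the organisation's own."""
    ext = []
    for addr in msg.recipients:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in INTERNAL_DOMAINS:
            ext.append(addr)
    return ext


def check_message(msg):
    """Return the reasons a message must be held; an empty list means it may be queued."""
    reasons = []
    ext = external_recipients(msg)
    for att in msg.attachments:
        if not SENSITIVE_NAME.search(att.name):
            continue
        if ext:
            reasons.append(f"{att.name}: sensitive file addressed to external recipients {ext}")
        if not att.password_protected:
            reasons.append(f"{att.name}: sensitive file attached without password protection")
    return reasons


class DelayedOutbox:
    """Holds accepted messages for SEND_DELAY_SECONDS so the sender can recall them."""

    def __init__(self):
        self._queue = {}  # message id -> (message, release time)
        self._next_id = 1

    def submit(self, msg, now):
        """Queue a message for delayed sending; raises ValueError if the checks fail."""
        reasons = check_message(msg)
        if reasons:
            raise ValueError("; ".join(reasons))
        mid = self._next_id
        self._next_id += 1
        self._queue[mid] = (msg, now + SEND_DELAY_SECONDS)
        return mid

    def recall(self, mid):
        """Withdraw a queued message before its delay expires; True if it was still held."""
        return self._queue.pop(mid, None) is not None

    def release(self, now):
        """Return (and remove from the queue) every message whose delay has passed."""
        due = [mid for mid, (_, release_at) in self._queue.items() if release_at <= now]
        return [self._queue.pop(mid)[0] for mid in due]


def demo():
    """Walk two constructed messages through the checks and the delay window."""
    outbox = DelayedOutbox()
    ok = Message("hr@example.org", ["finance@example.org"],
                 [Attachment("salary_march.xlsx", password_protected=True)])
    wrong_addr = Message("hr@example.org", ["finance@example.com"],  # typo: .com, not .org
                         [Attachment("salary_march.xlsx", password_protected=True)])
    mid = outbox.submit(ok, now=0)
    held = check_message(wrong_addr)   # would be refused by submit()
    recalled = outbox.recall(mid)      # sender spots a mistake inside the window
    released = outbox.release(now=SEND_DELAY_SECONDS)
    return {"held_reasons": held, "recalled": recalled, "released": len(released)}


if __name__ == "__main__":
    print(demo())
```

The domain allowlist is deliberately strict: a single mistyped character in the domain is exactly the error the text describes, and the check refuses the message rather than trusting the sender to notice. In a real deployment the same two rules would sit in the mail gateway or the HRMS export path, not in the sender's hands.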
Data exposure does not always happen through active sharing. Often, it is the result of traces left behind.
Photocopies left near printers, scanned documents stored in shared drives, and files retained in recycle bins are all examples of how data can remain accessible without intent. Each of these represents a potential access point for unauthorised use.
The responsibility of an HR practitioner extends to ensuring that these traces are properly cleared. Documents should be shredded, files deleted from storage, and residual data removed completely.
This requires a shift in mindset. Instead of focusing only on how data is collected and stored, HR must also focus on how data is disposed of and whether any unintended access points are being created.
When a data breach occurs due to carelessness or negligence, the implications extend beyond internal process failures. Employees have the right to seek accountability for how their data has been handled.
This makes individual accountability within the HR function a critical consideration. A data breach is not always viewed as an organisational abstraction. It can be traced back to specific handling decisions and behaviours.
From a practitioner’s perspective, this also raises an important question: how can practitioners ensure that their own actions do not become the source of organisational exposure?
The answer lies in discipline. Carefulness in handling, awareness of processes, and deliberate decision-making around data use are essential.
Another critical aspect of data protection is ensuring that personal data is used only for the purpose for which it was collected.
HR often has access to personal information such as dates of birth, anniversaries, and personal milestones. While it may be tempting to use this information for engagement activities, such use may not always be appropriate.
Using personal data beyond its original purpose can lead to privacy concerns. What may appear as a positive initiative from an HR perspective can be perceived as an invasion of privacy.
The key principle is simple: the purpose of data collection and the purpose of its usage must align. Where they do not align, consent becomes critical.
The central message for HR practitioners is not to approach data protection as an external requirement, but to embed it within everyday HR work.
This requires conscious integration of data awareness into processes, systems, and behaviours. HR teams must ensure that their approaches to handling, sharing, storing, and disposing of data are aligned with the expectations of a digital workplace.
The objective is not to react to incidents, but to prevent them through structured thinking and consistent practice.
In a workplace where personal data is central to operations, HR has a critical role in ensuring that this data is not only used effectively, but also protected responsibly.
This article is based on the transcript of the original podcast of the same name featured in India HR Guide.
The transcript has been translated into this article with the support of AI and a human-in-the-loop process.