INDIA Law and Practice Contributed by: Preetha Soman, Madhur Khandelwal, Aishwarya Maria Manjooran and Rebecca Thomas, JSA Advocates & Solicitors
For minor to mid-level offences, imposition of a fine, reduction in remuneration, demotion, withdrawal of incentives or other employee privileges, and/or issu - ance of a warning letter/official reprimand, and other measures, may be considered. In more serious cases or in the event of a gross mis - conduct, suspension or termination of employment may be considered. Before any disciplinary action is taken, the employ - er will need to ensure that the same aligns with the employer’s policies and applicable labour laws. The chosen disciplinary action must be proportionate, jus - Employers often adopt other measures, such as team- building activities, sensitivity training, offering support systems, and mediation, irrespective of whether or not the allegations are substantiated. Typically, such measures are adopted when there are broader work - place issues to address, such as workplace toxicity, insensitivity, or a lack of respect for personal bounda - ries, with the goal of identifying areas for improvement within the organisation, and designed to foster a posi - tive workplace culture. tified and documented. 6.9 Other Measures The Information Technology Act, 2000 and the Infor - mation Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Infor - mation) Rules, 2011 (collectively referred to as “SPDI Rules”) protect both the “personal data” and “sensi - tive personal data” (SPDI) pertaining to individuals. Having said that, under India’s new data protection regime – namely, the Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025 (“Indian Data Protection Rules”), the latter having been proposed to be implemented in a phased manner – protects an individual’s “personal data”. While SPDI relates to an individual, which, either directly or indirectly in combination with other infor - 7. Data Protection 7.1 Collecting Personal Data Personal Data in HR Investigations
mation, may be capable of identifying a person such as a person’s name, contact details, address, and so on, it consists of specific items of data, namely pass - words, financial information, physical, physiological and mental health condition, sexual orientation, medi - cal records and history, and biometric information. While there are no specific compliances under the SPDI Rules for collection, handling or storage of an individual’s personal data, in the event of unauthorised sharing or misuse of such information causing harm to an individual, penalties may be imposed in the form of imprisonment and/or fine. On the other hand, there are certain compliances applicable to entities that collect, handle or store SPDI. Accordingly, organisations would need to adhere to such compliances when conducting internal investi - gations, such as providing employees with adequate notice and disclosure that their SPDI may be collected for the purpose of an employer-initiated investigation. In contrast, the Indian Data Protection Rules do not distinguish between personal data and SPDI. Instead, “personal data” is broadly defined as any data about an individual who is identifiable by or related to such data. Under this regime, personal data may be pro - cessed only with the consent of the data principal or for certain legitimate uses. Although the new frame - work requires notice and consent for processing per - sonal data, it also provides specific exemptions for legitimate use. One such exemption allows a Data Fiduciary (ie, an employer) to process an employ - ee’s personal data for legitimate purposes relating to employment, or for safeguarding the employer from loss or liability. This includes purposes such as preventing corporate espionage, maintaining the confidentiality of trade secrets, intellectual property or classified information, or providing any service or benefit requested by an employee who is a data prin - cipal. With respect to employer-initiated investigations that require the collection or processing of personal data, such investigations are expected to fall within the scope of the “legitimate use” exemption once it becomes effective. This exemption, along with the broader require - ments relating to consent and notice, is scheduled to
210 CHAMBERS.COM
Powered by FlippingBook