HR Internal Investigations 2026

INDIA Law and Practice Contributed by: Preetha Soman, Madhur Khandelwal, Aishwarya Maria Manjooran and Rebecca Thomas, JSA Advocates & Solicitors

become applicable from 13 May 2027. Until then, the SPDI Rules will govern the handling of personal data in HR investigations.

7.2 Specific Rules

The collection of data must be based on the principles of proportionality and necessity, ensuring that only relevant data is gathered. Employers must also safeguard the data against unauthorised access, besides following the necessary confidentiality and security norms. Violating such requirements could lead to penalties under the SPDI Rules, Indian Data Protection Rules, and the PoSH Act (for breach of confidentiality in PoSH matters).

In a scenario wherein the SPDI may have to be transferred to any other “body corporate”, for example, to any third-party agency or a group entity assisting the employer with the investigation, the transferee will also need to ensure the same level of data protection that is adhered to by the transferor.

In contrast, under the Indian Data Protection Rules, the transfer of personal data outside India is permitted, subject to the data fiduciary complying with any conditions that the central government may prescribe, through general or special orders, regarding the transfer of such data to a foreign state or to any person, entity, or agency under the control of such state.

Further, with respect to data retention under the Indian Data Protection Rules, a data fiduciary (such as an employer) is required to erase personal data once it is reasonable to conclude that the specified purpose for which it was collected is no longer being served, and must also ensure that any data processor engaged by it deletes all personal data provided to it for processing. Refer to 7.1 Collecting Personal Data for further details.

7.3 Access

Access to Personal Data

The SPDI Rules specify that a body corporate or any person acting on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or SPDI found to be inaccurate or deficient is corrected or amended, as feasible. However, given that SPDI cannot be collected, stored or shared beyond the extent to which the employees have consented, parties other than the investigators or allied agencies should not be provided access to an employee’s personal data unless specific consent has been obtained in this respect. If access to such information is necessary for the respondent to mount a proper defence, the principles of natural justice may require that the respondent be granted access to such information; however, the consent of the data holder shall be obtained before disclosing any such information.

7.4 AI

Use of AI in Internal Investigations

Adoption of AI in investigations is an emerging and evolving area. While many organisations continue to rely on traditional, manual approaches for reviewing evidence and conducting fact-finding exercises, where AI is used, it is being adopted to enhance efficiency, objectivity, and data analysis in various stages of HR investigations. While the law does not specifically regulate AI, any use of AI tools that involve the handling of personal data must still comply with general data protection obligations (such as requiring the data processor to erase data after the specified purpose for which it was collected is no longer being served).

8. Special Cases

8.1 Whistle-Blowing

Whistle-Blower Protections

Under the Companies Act, there is a requirement to set up a formal vigil mechanism or whistle-blower policy for public companies and certain other entities. Any concerns raised must be directed to the Audit Committee or the Board of Directors, as the case may be. A similar requirement also exists under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015.
