NOTE: This article is not intended to replace official legal counsel. We are not legal experts. Please consult your lawyer. We exist to help customers improve their businesses. It’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with India’s DPDP (Digital Personal Data Protection) Act requirements.
What is the Digital Personal Data Protection Act (DPDP)?
On August 11, 2023, India passed expansive data privacy rights for employees via the DPDP (Digital Personal Data Protection) Act. The new regulation likely will come into force at a future, unannounced date anticipated within the next two years.
The law’s privacy requirements are generally aligned with the EU’s GDPR and with California’s CCPA, and also provide some additional rights and requirements. In addition, privacy rights will apply to personal information collected in the context of a business “providing or receiving a product or service to or from” another business. Organizations that process digital personal data within India, or that process digital personal data of employees working in India where processing occurs outside of India, will likely be required to comply.
The DPDP Act will impose limited obligations on employers with respect to employee data if they qualify as “organizations” subject to the law. The DPDP Act applies to the personal information of “data principals”, but defines that term so broadly that it would include employees, job applicants, officers, directors, and independent contractors even if they are not citizens of India.
DPDP Act Compliance & ActivTrak
ActivTrak respects data privacy laws in our data-driven approach to analyzing productivity. Our commitment to data privacy and security helps businesses comply with the DPDP Act while achieving business productivity goals.
In this article, we outline compliance recommendations and specific account configuration steps you can take so your use of ActivTrak complies with DPDP Act regulations.
5 Key Recommendations
1. Tell employees you want to collect employee data
Under this legislation, employees will have the right to know about the personal information that your business collects about them. While there are a few exceptions, you’ll be safer if you inform your employees that you want to gather employee data. Being transparent is a great place to start, and it opens the door to a relationship built on trust. Additionally, we recommend spelling out the data elements being captured in your particular configuration to avoid misconceptions about the information gathered.
2. Explain why you want to collect employee data
Even though it’s not part of the DPDP Act, we recommend explaining why activity information is being collected. Whether the aim is to identify workload balance issues and burnout risks, increase efficiency, or improve the work habits of employees, sharing the goals behind your workforce analytics initiative and who will benefit from them will go a long way in obtaining buy-in.
It boils down to this: Have a specific reason or reasons for using ActivTrak and ensure your team understands those reasons. If your mission changes and your purposes for collecting data stray from your original intent, inform your team that you’ve made the change.
3. Get consent to gather employee data
For organizations gathering data on employees in India, you’ll have to provide documentation so that they understand how you plan to collect data and that they consent to it. You can do this in written form. It should be very clear in the form what the employee is agreeing to. You can’t hide the text in a paragraph of a 100-page document and then ask them to sign page 100.
The law also requires parental or guardian consent for persons under 18 and persons with a disability. When teams are informed of the steps taken to protect and maintain control over their information, it can help alleviate some concerns with using workforce analytics software.
4. Be ready to provide the collected employee data
If you’re upfront about what you capture, this shouldn’t be an issue. We’ve made it easy for employees to access a summary of data being processed or details of their own data via features like Personal Insights. You can also expose productivity data via ActivConnect and export reports to let them see their information.
5. Be ready to delete the collected data
The DPDP Act outlines conditions for the deletion of employee information. This means that if a person decides they want their information deleted, then in most circumstances, it needs to be erased. In addition, the DPDP Act contains requirements for the deletion of data when the specified purpose of collection (e.g. employment) is no longer being fulfilled.
ActivTrak provides a way for you to meet this need. Through the ActivTrak application, an Administrator can delete a user’s information without losing the data from the entire team.
Configuring Your ActivTrak Account for DPDP Act Compliance
The table below provides a high-level overview of individual DPDP Act requirements as well as specific steps your organization can take to ensure your processes and procedures related to your ActivTrak usage are compliant.
| DPDP Act Requirement | Steps your organization can take |
| --- | --- |
| Process data for proper purposes | Ensure that the data collected is only for employment-related purposes. ActivTrak's capabilities are solely for workforce analytics purposes. |
| Right of Notice | Communicate to your employees that you will be deploying ActivTrak and explain how the data will be used. Share with employees the list of data elements captured by ActivTrak. Share ActivTrak data or summaries with employees via the Personal Insights Dashboard. You can also leverage custom-built report templates using BI tools like Power BI, Tableau, etc. |
| Right to Erasure | This applies when the employee is not employed with the company or when the employer doesn’t need the employee’s data. Establish a process to capture and process requests from employees to delete their data. ActivTrak user delete functionality allows you to delete all data associated with a given employee. ActivTrak can process a request to delete your account. |
| Right to Opt-Out of Sale or Sharing | Communicate to your employees that either a) None of their information is shared with third parties for advertising or sales purposes or b) Their information will be shared unless they opt out. Not applicable to ActivTrak. |
| Right to Opt-Out of Automated Decision-Making Technology | Employees can object if the data processing is not for employment reasons. Establish a process to capture and process requests from employees to opt out if data is not used for employment reasons. ActivTrak user delete functionality allows you to delete all data associated with a given employee. Allow employees to install the ActivTrak Agent on their computers as a way to explicitly opt in. |
| Right to Correct Inaccurate Personal Information | Provide employees access to their own data. Establish a process where employees can file a report of incomplete or inaccurate data. Share ActivTrak data or summaries with employees via the Personal Insights Dashboard or via custom-built reports using BI tools like Power BI, Tableau, etc. so they can identify and report inaccurate information. ActivTrak allows corrections to information like activity classification, productivity status, passive time settings, etc. via multiple administrative screens. |
| Right to Limit Use and Disclosure of Sensitive Personal Information | This only applies to the use of sensitive personal information other than what would be used for “employment purposes” by an organization. Collection of sensitive personal information by an employer outside of ActivTrak, such as racial or ethnic origin for diversity and inclusion purposes, may therefore be permitted as an exception. Not applicable to ActivTrak. |
Being Prepared for Audits
ActivTrak has resources you can leverage in the event of a data privacy compliance audit. They include:
- Data Retention and History: As an extra level of protection, our system does not retain data beyond an account’s set limits. Admins can also restrict date filters for user roles.
- Security Alarms: Alarms can be configured to alert you in real time of any potential data privacy or security risks, such as when users export data, change access levels, and more.
- Security Audit Log: Our Security Audit Log provides a detailed record of changes or logins made to the account.
Data Privacy & Compliance
- Data Privacy Controls within the ActivTrak Platform
- FAQ: ActivTrak’s Data Retention Policy & Data History
- What Data Does ActivTrak Collect?
- How to Configure ActivTrak for GDPR Compliance
- How to Configure ActivTrak for HIPAA Compliance
- How to Configure ActivTrak for CCPA Compliance
- FAQ: ActivTrak’s SOC 2 Compliance