HR functions sit on a deep reservoir of personal data — applications, identity documents, salary and bank details, performance records, health and leave information. Under the DPDP Act, all of this is personal data, and the employer is a data fiduciary, so HR is squarely in scope and often handling some of the most sensitive information an organisation holds.
Employee data raises distinctive questions. Consent is complicated by the power imbalance between employer and employee, much processing is necessary simply to run the employment relationship, and retention is shaped by labour and tax law.
This guide explains the lawful bases for workforce processing, how to handle recruitment and monitoring, how retention of employee data is shaped by labour and tax law, and how to honour employees' rights under the Act, so HR can hold sensitive people-data lawfully and respectfully.
Employees and candidates are data principals
Every employee, contractor and job applicant whose data you process is a data principal, and your organisation is the fiduciary. This means the Act's obligations — notice, lawful basis, security, rights, retention — all apply to HR data.
HR data is often more sensitive than customer data, including identity documents, financial details and sometimes health information, which raises the real-world stakes even though the Act has no separate sensitive category.
Treating workforce data with at least the same care as customer data is the right baseline for any HR function. HR data breaches expose employees to identity theft and financial fraud and damage internal trust acutely, so the case for first-class security is as strong here as for any customer-facing system.
Consider the breadth of what HR holds on a single employee: identity and tax documents, bank details for payroll, emergency contacts, performance reviews, disciplinary records and sometimes medical or accessibility information. Concentrated in HR systems, this is among the richest personal-data profiles an organisation maintains, and it deserves protection to match.
Lawful basis for workforce processing
Much HR processing — running payroll, administering benefits, ensuring workplace safety, meeting statutory obligations — can rely on the Act's employment-related legitimate uses or on compliance with legal obligations, rather than on consent.
This matters because consent in the employment context is fraught: the power imbalance means an employee may not feel free to refuse, so relying on consent for core HR processing is both impractical and legally weak.
The discipline is to identify, for each HR activity, whether it is necessary employment processing, legally required, or something genuinely optional that needs consent.
Relying on legitimate uses and legal obligations for core HR processing is not a loophole but the correct, more honest basis; pretending that employees freely consent to processing they cannot realistically refuse is what would not survive scrutiny.
Recruitment and candidate data
Recruitment generates personal data from people who may never become employees. Candidates are data principals too, and you should be transparent about what you collect, why, and how long you keep it.
Holding rejected candidates' data indefinitely 'in case a role comes up' is exactly the kind of open-ended retention the Act discourages without a clear basis and a defined period.
Two measures address most of the risk here. First, publish a recruitment privacy notice on your careers page explaining what candidate data you collect, why, how long you keep it and how candidates can exercise their rights; this single document discharges much of the transparency obligation for recruitment and signals professionalism to prospective hires. Second, set a defined candidate-data retention period and delete unsuccessful applicants' data after that window unless they agree to be kept on file.
Monitoring and surveillance
Workplace monitoring — of devices, communications, location or productivity — processes employee personal data and must be handled carefully. While some monitoring may be justified to safeguard the employer from loss or to run the business, it must be proportionate and transparent.
Excessive or covert monitoring is hard to justify and corrosive to trust. Employees should generally be informed about monitoring, its purpose and its limits.
The test is necessity and proportionality: monitor what you genuinely need to, for a clear purpose, and no more. Documenting the purpose and limits of any monitoring, and informing employees, turns a potential trust and compliance problem into a transparent, defensible practice that employees can understand even if they do not love it.
Retention shaped by law
Employee data retention is heavily influenced by labour, tax and other laws that require records to be kept for defined periods. The Act's erasure expectations operate within these legal retention requirements.
The practical approach is a retention schedule that reflects the statutory periods for different categories of HR record, deleting data once both the employment purpose and any legal retention period have passed.
This gives you a defensible basis for what you keep and for how long, rather than holding everything forever by default. Capturing these periods in your DPDP compliance documentation keeps HR aligned with the rest of the programme.
In practice this means tagging each HR record with the law that governs its retention (payroll and tax records to fiscal requirements, certain employment records to labour law) and separating those statutorily required records from discretionary HR data in your systems. Deletion is then scheduled only once both the operational need and the legal period have lapsed, so the organisation neither over-retains nor destroys records it is bound to keep.
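As an added example (not part of the original guide), the following Python sketch implements the two-condition rule above: a record is deleted only when its operational purpose has ended and the retention period attached to its legal basis has lapsed. The record categories, the month counts and the consent extension are placeholder assumptions chosen for illustration, not statutory periods; the schedule table is what you would populate from counsel's advice. The sample records and the evaluation date are constructed.

```python
"""Retention-schedule evaluator: delete an HR record only when BOTH the operational
purpose has ended AND the retention period tied to its legal basis has lapsed.
All categories and periods below are placeholder assumptions, not statutory values."""
import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Basis(Enum):
    TAX = "fiscal/tax law"
    LABOUR = "labour law"
    POLICY = "internal policy (no statutory period)"


@dataclass(frozen=True)
class Rule:
    basis: Basis
    months: int                        # counted from the date the purpose ended
    consent_extension_months: int = 0  # extra time if the person agreed to stay on file


# Assumed placeholder schedule; the real month counts come from labour/tax counsel.
SCHEDULE = {
    "payroll":               Rule(Basis.TAX, 96),
    "tax_declaration":       Rule(Basis.TAX, 96),
    "employment_contract":   Rule(Basis.LABOUR, 36),
    "performance_review":    Rule(Basis.POLICY, 12),
    "candidate_application": Rule(Basis.POLICY, 6, consent_extension_months=6),
}


@dataclass(frozen=True)
class HRRecord:
    record_id: str
    category: str
    subject: str                       # employee or candidate identifier
    purpose_ended: Optional[date]      # None while employment / the recruitment process is live
    keep_on_file_consent: bool = False


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                        # "retain" or "delete"
    basis: str
    delete_after: Optional[date]
    reason: str


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic: 31 Jan + 1 month is 29 Feb in a leap year."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def decide(record: HRRecord, today: date) -> Decision:
    """Apply the two-condition rule. An unknown category raises KeyError on purpose:
    a record with no retention rule must be classified, never silently kept or dropped."""
    rule = SCHEDULE[record.category]
    if record.purpose_ended is None:
        return Decision(record.record_id, "retain", rule.basis.value, None,
                        "employment or recruitment purpose still active")
    months = rule.months + (rule.consent_extension_months if record.keep_on_file_consent else 0)
    delete_after = add_months(record.purpose_ended, months)
    if today < delete_after:
        return Decision(record.record_id, "retain", rule.basis.value, delete_after,
                        f"{rule.basis.value} period runs until {delete_after.isoformat()}")
    return Decision(record.record_id, "delete", rule.basis.value, delete_after,
                    "purpose ended and retention period lapsed")


def run_schedule(records: List[HRRecord], today: date) -> List[Decision]:
    return [decide(r, today) for r in records]


def due_for_deletion(records: List[HRRecord], today: date) -> List[str]:
    return [d.record_id for d in run_schedule(records, today) if d.action == "delete"]


# Constructed sample records; the evaluation date is fixed so the run is reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    HRRecord("r1", "payroll", "E100", date(2015, 3, 31)),               # 96 months ended 2023-03-31
    HRRecord("r2", "payroll", "E101", date(2019, 3, 31)),               # statutory hold to 2027-03-31
    HRRecord("r3", "performance_review", "E102", None),                 # still employed
    HRRecord("r4", "employment_contract", "E101", date(2019, 3, 31)),   # 36 months ended 2022-03-31
    HRRecord("r5", "candidate_application", "C1", date(2024, 10, 15)),  # 6 months ended 2025-04-15
    HRRecord("r6", "candidate_application", "C2", date(2024, 10, 15),
             keep_on_file_consent=True),                                # extended to 2025-10-15
]

if __name__ == "__main__":
    for d in run_schedule(SAMPLE_RECORDS, TODAY):
        print(f"{d.record_id}: {d.action:6} [{d.basis}] {d.reason}")
```

The design point is that "purpose ended" and "retention period lapsed" are separate inputs: a payroll record for a current employee is retained because the purpose is live, a payroll record for a leaver is retained because the tax period is still running, and only when both conditions fall away does the record become due for deletion. Each decision carries its legal basis, which is the tag the text recommends and what makes a deletion run auditable.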
Employee rights and grievances
Employees can exercise data principal rights — access, correction, erasure within legal limits — and raise grievances about how their data is handled. HR must be able to respond within the prescribed time.
This requires a process for handling employee data requests, with sensible identity verification and the ability to locate and act on data across HR systems.
Handling these requests through a clear, respectful process is also good employee relations: people who see their personal data treated carefully are more engaged and extend more trust to the employer in other areas, and a fair process reduces friction.
Securing the HR data estate
HR systems (payroll, HRIS, benefits portals) hold concentrated, sensitive data and must be secured accordingly: encryption at rest and in transit, role-based access limited to those who genuinely need each category of data, and logging of reads as well as changes so that access can be reviewed.
HR data is also a common target for social engineering, such as fraudulent requests to change an employee's bank details for payroll, and for insider misuse, so access controls, an out-of-band verification step before payment details are changed, and monitoring of who reads what are particularly important here.
Because much HR processing runs through third-party providers, choosing secure vendors and contracting properly with them is a major part of protecting workforce data.
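As an added example, not code from the original guide or from any HR product, the following Python sketch shows what "limited to those who genuinely need it" looks like in practice: deny-by-default, field-level access to HR records, scoped by relationship (a line manager sees only direct reports, an employee only their own record), with every read logged including the fields that were refused. The roles, field groups and policy table are assumptions chosen for illustration, and the employee records are constructed.

```python
"""Deny-by-default, field-level access control over HR records with an audit trail.
Roles, field groups and the policy table are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Tuple


class Role(Enum):
    PAYROLL = "payroll"
    LINE_MANAGER = "line_manager"
    HR_BENEFITS = "hr_benefits"
    EMPLOYEE = "employee"


# Assumed taxonomy: policy is written per group of fields, not per field.
FIELD_GROUPS = {
    "basic":        {"name", "employee_id", "department"},
    "identity_doc": {"national_id", "passport_number"},
    "payroll":      {"bank_account", "salary", "tax_id"},
    "performance":  {"review_score", "disciplinary_notes"},
    "health":       {"medical_note", "accessibility_needs"},
}
FIELD_TO_GROUP = {f: g for g, fs in FIELD_GROUPS.items() for f in fs}

# Assumed policy: the groups each role may read. Anything not listed is denied.
POLICY = {
    Role.PAYROLL:      {"basic", "identity_doc", "payroll"},
    Role.LINE_MANAGER: {"basic", "performance"},  # direct reports only, see _in_scope
    Role.HR_BENEFITS:  {"basic", "health"},
    Role.EMPLOYEE:     set(FIELD_GROUPS),         # own record only, see _in_scope
}


@dataclass(frozen=True)
class Actor:
    user_id: str
    role: Role


@dataclass
class EmployeeRecord:
    employee_id: str
    manager_id: str
    data: Dict[str, object]


@dataclass
class AuditEntry:
    at: datetime
    actor: str
    role: str
    subject: str
    purpose: str
    granted: List[str]
    denied: List[str]


class HRStore:
    """In-memory stand-in for an HRIS: every read goes through `read` and is logged."""

    def __init__(self, records: List[EmployeeRecord]):
        self._records = {r.employee_id: r for r in records}
        self.audit: List[AuditEntry] = []

    def _in_scope(self, actor: Actor, record: EmployeeRecord) -> bool:
        # Role alone is not enough: managers see only their reports, employees only themselves.
        if actor.role is Role.EMPLOYEE:
            return actor.user_id == record.employee_id
        if actor.role is Role.LINE_MANAGER:
            return record.manager_id == actor.user_id
        return True

    def read(self, actor: Actor, employee_id: str, fields: List[str],
             purpose: str) -> Tuple[Dict[str, object], List[str]]:
        """Return (granted, denied). Denied fields are logged, never silently dropped."""
        record = self._records[employee_id]
        groups = POLICY.get(actor.role, set()) if self._in_scope(actor, record) else set()
        permitted = {f for f in fields if FIELD_TO_GROUP.get(f) in groups}
        granted = {f: record.data.get(f) for f in permitted}
        denied = sorted(set(fields) - permitted)
        self.audit.append(AuditEntry(datetime.now(timezone.utc), actor.user_id,
                                     actor.role.value, employee_id, purpose,
                                     sorted(permitted), denied))
        return granted, denied

    def denied_reads_by(self, user_id: str) -> int:
        """Reads by this user that hit at least one denied field: a misuse signal to review."""
        return sum(1 for e in self.audit if e.actor == user_id and e.denied)


# Constructed sample records (values are dummies).
SAMPLE_RECORDS = [
    EmployeeRecord("E100", "M1", {"name": "A. Sharma", "department": "Finance",
                                  "national_id": "XXXX-1234", "bank_account": "acct-0001",
                                  "salary": 100, "review_score": 4, "medical_note": "none"}),
    EmployeeRecord("E101", "M2", {"name": "B. Rao", "department": "Sales",
                                  "national_id": "XXXX-5678", "bank_account": "acct-0002",
                                  "salary": 90, "review_score": 3, "medical_note": "none"}),
]


def demo():
    store = HRStore(SAMPLE_RECORDS)
    payroll, manager, employee = Actor("P1", Role.PAYROLL), Actor("M1", Role.LINE_MANAGER), Actor("E100", Role.EMPLOYEE)
    results = {
        "payroll": store.read(payroll, "E100", ["name", "bank_account", "medical_note"], "payroll run"),
        "manager_own_report": store.read(manager, "E100", ["review_score", "salary"], "appraisal"),
        "manager_other_team": store.read(manager, "E101", ["review_score"], "curiosity"),
        "self": store.read(employee, "E100", ["national_id", "salary"], "access request"),
        "self_other": store.read(employee, "E101", ["name"], "lookup"),
    }
    return store, results
```

Two details matter for the insider-misuse point in the text: the store never raises on a denied field, it returns what the actor is entitled to and records the rest, so the audit log captures probing (a manager repeatedly asking for salary or for another team's reviews) that an exception-and-retry pattern would hide; and the scope check runs before the role policy, so a valid role never grants access to the wrong person's record.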
Done thoughtfully, strong HR data practice signals to employees that the organisation is trustworthy with what matters to them most, which pays back in engagement and retention well beyond the narrow question of legal compliance.