On 13th July 2022, the CEO and Managing Director of Dredging Corporation of India (DCIL), GYV Victor, was suspended pending disciplinary proceedings against him on allegations of forgery. Upon investigation, it was discovered that Victor had suppressed facts (including material misrepresentation of facts) and made false claims in support of his experience in his application for the role advertised by DCIL.
In another incident around the end of last year, IT major Accenture reportedly terminated a number of employees over submission of fraudulent documents. This was followed by Cognizant, which reported high involuntary attrition due to failed background checks.
Most recently, the High Court of Delhi in the case of Kiran Thakur vs. Resident Commissioner Bihar Bhavan held,
“Employees who are guilty of submitting forged documents to their employer, have to be dealt with in a strict manner. If a person submits forged and fabricated documents, then such a person is certainly unfit to be employed. No sympathy or compassion can be shown to such an employee”.
The rise in cases as noted has caused a corresponding rise in requirements for Background Verification (BGV) of job candidates before they are hired.
Does India have a dedicated law governing BGV?
Currently, there is no law in India which requires or regulates BGVs. While ISO-27001 certified companies are required to conduct background checks as per the compliance requirements of ISO’s Information Security Management Standards, it would be good for companies to take a holistic view and consider the privacy and proportionality of the information being requested before seeking such information from the candidate during the BGV process.
What is Background Verification?
Broadly speaking, Background Verification is the process of verifying and validating a candidate’s identity, academic records and employment history, and in specific situations or conditions, criminal and legal records as well. The majority of the data and information that needs to be validated in a BGV process consists of personal and private information.
In the Indian context, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’) framed under the Information Technology Act, 2000 (‘IT Act’) broadly attempt to cover some aspects of data protection and privacy. These rules, however, do not cover most of the data and documents that companies seek from candidates, such as educational and professional qualifications.
Rule 3 of the SPDI Rules defines ‘sensitive personal data or information’ as personal information which consists of information relating to passwords, financial information, health conditions (physical, physiological and mental), medical records (including history), sexual orientation, biometric information and any detail relating to the aforementioned for providing service and any of the information received under aforementioned for processing, stored or processed under lawful contract or otherwise. The SPDI Rules broadly require the following:
Collection and transfer of sensitive personal data or information can be done only with the prior consent of the information provider (Rules 6 & 7)
Regulation of the collection and storage of personal data of candidates, which also covers the means the companies employ to store and transmit data
The body corporate holding the data or information may do so for as long as it is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force (Rule 5).
Consent is a non-negotiable requirement under the SPDI Rules. The information provider’s consent is required for the collection, transfer and disclosure of any sensitive and personal data or information.
In the absence of any other law, it is advisable that companies employ the same principles as set out in the SPDI Rules for all data that they collect.
It is therefore necessary for the company to clearly communicate to the candidate the purpose for which such personal and sensitive information is sought from them, and how it will be handled.
Apart from sharing personal data with the BGV agency, many companies transfer employee data to their counterparts for employment purposes. Our industry knowledge shows that many companies are not aware of the SPDI Rules, specifically on the requirement of obtaining prior consent from the candidate in respect of personal or sensitive data. This is also the case with some candidates, who are not aware and end up sharing any and all information as required by the company. In the event this process is questioned by the candidate, the company’s representatives need to be well versed with SPDI rules to explain the organizational and legal context regarding BGVs and data privacy. It is therefore essential that the communication to the candidate covers all aspects pertaining to the collection, transfer, storage and disclosure of their information.
Further, Sections 43A and 72A of the IT Act provide for the protection of sensitive or personal data and punishment for disclosure of sensitive or personal data without consent. Therefore, there must be consensus between the company and the candidate on what data and documents will be gathered and why they will be collected.
This will ensure that adequate safeguards are in place, along with clarity and transparency in the event of potential disagreements or conflicts over the handling of the candidate’s data and information.
“Nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy.”
A nine-judge bench of the Supreme Court of India, in the case Justice KS Puttaswamy vs. Union of India (2017), affirmed the right to privacy as a fundamental right. While presently there is no dedicated law apart from the SPDI Rules which regulates data privacy, the Personal Data Protection Bill, 2022 has been in the making since 2018 and has undergone several iterations. Although India’s proposed data protection law is not yet in force, the Bill attempts to devise a comprehensive legal framework for regulating digital personal space. The Bill has requirements similar to those set out above in the SPDI Rules, allowing for data collection subject to the consent of the Data Principal or the Information Holder. Section 2(13) defines ‘personal data’, the equivalent of ‘sensitive personal data or information’ under Rule 3 of the SPDI Rules, more broadly as “any data about an individual who is identifiable by or in relation to such data”.
Therefore, entering into appropriate contractual arrangements in line with the SPDI Rules and the Bill is likely to benefit companies in the long run, as they may not need to change their arrangements over time.
It is advisable that companies create a comprehensive, legally compliant BGV framework to ensure candidates go through a seamless process during the selection and onboarding phases, while ensuring that any potential data privacy issues or risks remain mitigated. On the flip side, companies must also come up with a foolproof mechanism to detect failed BGVs.
The strategy in response to a failed BGV is something that a company may carefully consider. It would be good for the company to have the BGV process built in from the outset and to ensure that its onboarding documentation and processes, as well as other policies and processes such as the disciplinary policy, are in line with it and with each other.
Companies must be able to strike a balance between being compliant and process-oriented while navigating through the BGV process.
Every organisation’s most precious asset is its people. As organisations grow, comprehensive processes and policies become more vital. In the recent past, companies have become increasingly aware of the need for a systematised and secure hiring and onboarding process, especially given the rising cost of resources, the necessity and criticality of legal compliances, data protection and the requirement to attract capable and skilled applicants. Such frameworks and automations are tailored to their needs and philosophy, while protecting applicants' rights and providing visibility to stakeholders, all the while guaranteeing adherence to any applicable legal compliances. Companies must determine whether their existing BGV processes are legally sustainable, as well as describe the scope and purpose of the information sought.
While evaluating their existing BGV process, specifically on personal data, companies may keep in mind the following aspects:
Documents sought from the candidate during the BGV process are specific, relevant, and clear.
Consent obtained from the candidate covers all the aspects such as transfer, collection, storage and disclosure. The company may also consider extending the coverage of consent to non-personal information if it deems it necessary, and this would promote transparency and build trust between the parties.
Contractual arrangement with a BGV service provider covers the existing requirements and is likely to cover future requirements. The contractual arrangement also addresses the purging of data on completion of the period of data usage. It is also critical that the data privacy obligations of the company are passed on to the BGV company as well.
In today’s fast-changing environment, companies should continue to periodically review their BGV and data policies, processes and contracts to ensure they are in line with prevailing law and industry practices, and that all parties comply with their contractual or legal obligations. Exercising utmost caution and thoughtfulness while handling personal data and ensuring that there is no data leakage is of utmost importance.
All in all, companies would greatly benefit if they adopt a privacy conscious mindset and consider data privacy from the outset when designing systems, processes, or services, be it the BGV process or any processes where data or information is collected from candidates, employees, clients or partners.
Arvind Moorchung is an Associate Partner and Amrutha Ananth is a Principal Associate at BCP Associates LLP.