Internal investigations are crucial to corporate governance, whether triggered by breaches of confidentiality, insider trading, misconduct or criminal activities such as fraud and corruption. These inquiries will also present new challenges when the Digital Personal Data Protection Act, 2023 (DPDPA), is in force. Such internal probes are usually personal data-intensive exercises, and businesses must be careful when navigating the attendant legal, operational, and reputational risks.
Internal investigations may require access to personal data, including sensitive information such as medical records, financial data, and CCTV footage. Under the DPDPA, personal data can primarily be processed on the grounds of consent. This means obtaining permission from the data principal, who will usually be the employee. However, consent as a legal basis for processing during investigations is often impractical because investigations may require confidentiality to be maintained at first. Employees may also withdraw consent at any time, which is likely to disrupt the inquiry.

These issues raise two critical considerations. First, consent-based processing may limit the effectiveness of internal investigations because employees being probed will have an opportunity to bring proceedings to a halt. Second, any consent obtained in the context of an investigation may be legally challenged as not freely given. It may be alleged that there was an inherent power imbalance between an employer and employee. This legal argument must be considered because it may have implications for the integrity of investigations.
To address this obstacle, the DPDPA provides several alternative grounds for processing personal data without relying on consent. Businesses can justify data processing on grounds such as employment-related processing. This covers actions necessary to protect against liability or maintain the confidentiality of trade secrets and intellectual property. Businesses should assess whether an internal investigation can be undertaken using these grounds. This will ensure that the processing of personal data is legally defensible while maintaining the integrity of the investigation. It is, however, possible to argue that investigating an employee is not for an employment-related purpose.

The DPDPA also includes a number of exemptions from the more burdensome aspects of compliance, such as obtaining consent or providing notice. Businesses conducting investigations can leverage these exemptions if the processing is for the enforcement of a legal right or claim or to detect, prevent or investigate criminal offences. These exemptions give businesses flexibility, but they should not be treated as blanket permissions. Companies must continue to implement appropriate security safeguards and ensure that third-party processors comply with DPDPA requirements to avoid potential data breaches or legal non-compliance.
Balancing the need to conduct internal investigations with the requirements of the DPDPA entails businesses accepting certain risks. Mishandling personal data during investigations may lead to employee dissatisfaction, regulatory scrutiny and damage to the company’s public image. In addition, non-compliance with the DPDPA may result in fines and penalties, as well as legal challenges from employees whose data is mishandled.
To mitigate these risks, businesses should have clear policies in place to handle internal investigations and ensure that they align with DPDPA requirements. Investigations must be conducted in a manner that minimises data exposure while still uncovering necessary information. Companies should leverage legitimate uses under the DPDPA to process personal data without needing consent where possible, but they must ensure this is well-documented. In addition, training HR teams, legal departments and investigators about DPDPA compliance and implementing strong data protection measures are vital to safeguarding personal data.
By undertaking internal investigations carefully, businesses can protect themselves from regulatory and reputational risks while maintaining the effectiveness of their governance processes. When in force, the DPDPA will reshape the way businesses handle employee data. Being proactive in compliance will be the key to navigating this new era of data protection.
Ada Shaharbanu is a senior associate and Hamsadhwani Alagarsamy is an associate at Spice Route Legal.
