When organisations think about privacy compliance, they almost always picture customer data. But the DPDPA protects every individual’s personal data — and few functions in any organisation hold as much sensitive personal information as HR. A privacy programme that covers customers but quietly forgets employees is only half a programme, and it is frequently the half that causes the most internal friction and the most avoidable complaints when it goes wrong.
Employees are Data Principals too
Recruitment records, payroll, performance reviews, health and background information, disciplinary records, biometric attendance data — HR processes some of the most sensitive personal information anywhere in the organisation, often more sensitive than what marketing holds about customers. Under the DPDPA, employees and candidates are Data Principals with the same core protections as anyone else: the right to be informed about how their data is used, and to seek access, correction and grievance redressal. The employment relationship does not exempt any of this data from the law, and treating it as if it does is a common and consequential blind spot.
What HR needs to get right
- Notice. Tell employees and candidates what personal data you collect and why — at recruitment and throughout the employment relationship, not just buried in an offer letter.
- Purpose and minimisation. Collect only what the employment relationship genuinely needs, rather than everything you conceivably could.
- Retention. Do not keep candidate and ex-employee data indefinitely. Define how long you keep each category and delete when the purpose is served — the CVs of unsuccessful candidates from years ago are a classic, entirely avoidable liability sitting in most organisations.
- Access and correction. Be ready to handle requests from staff about their own data, just as you would from customers, with a clear process and a realistic timeline.
- Security. HR systems and files hold concentrated sensitive data and deserve strong access controls, restricted strictly to those who genuinely need them for their role.
The monitoring question
Workplace monitoring — of devices, communications, internet use or location — needs particular care, because it sits directly at the intersection of privacy and trust. The two guiding principles are transparency and proportionality: be clear with staff about what you monitor and why, and keep it no more intrusive than the legitimate purpose genuinely requires. Covert or excessive monitoring is both a compliance risk and a corrosive one for the employment relationship, damaging morale and trust in ways that outlast any single incident. A useful practical test: if you would be uncomfortable explaining a monitoring practice openly to the staff subject to it, that discomfort is telling you something important about whether it is proportionate and defensible.
A privacy programme that covers customers but forgets employees is only half a programme. Bring HR data into scope from the start — it is often the most sensitive data you hold, and the most likely to generate internal complaints and grievances if mishandled.
Making it work in practice
The practical route is to treat HR as a full participant in your privacy programme rather than an afterthought. Include HR processes in your data mapping, extend your notice and retention discipline to employee and candidate data, give staff a clear channel for rights requests, and involve HR in decisions about monitoring so that proportionality is considered before a practice is introduced rather than defended after a complaint. None of this is onerous; it is simply applying the same disciplines you apply to customer data to the people who keep the organisation running.
The takeaway
HR is a privacy function whether or not it thinks of itself as one. Extend your notice, minimisation, retention, rights and security disciplines to employee and candidate data, handle monitoring transparently and proportionately, and you close a gap that many organisations leave wide open — while building trust with the very people the organisation depends on most.