Accessibility to personal data by employees of data fiduciary, and the Digital Personal Data Protection Bill

The data fiduciary has to value the interests of its clients, and to secure those interests, client data has to be shared with the fiduciary's employees; but an employee's access to client data should be restricted to the data relevant to that employee's work.

—–

CUSTOMERS expect privacy from banks regarding their personal and financial information, and it is the bank's commitment to its customers to protect that information. Personal information such as name, contact number, email address, income details, Aadhaar details, Permanent Account Number and details of nominees, among others, is collected by banks in order to provide services to customers.

The employees of a bank who have access to all such information cannot disclose it to any person outside the organisation. Employees should also understand how to identify and handle third-party confidential information, which becomes known to them only as a result of their employment with the company.


Duty of data fiduciary under Digital Personal Data Protection Bill, 2022

The personal data of individuals is processed by data fiduciaries to a required extent. Clause 12 of the Digital Personal Data Protection Bill, 2022 states that the data principal, that is, the individual, holds the right to know the summary of their data being processed by the data fiduciary, that is, the entity that decides the “purpose and means of the processing of an individual’s personal data”.

The major concern is about holding the information: who shall hold the personal data of individuals? The law is ambiguous on this point, as it does not specify who shall hold the information for processing. This implies that even a bank clerk may require personal data for processing and may therefore hold the personal data of the data principal, that is, the client.


Practical experience is instructive here. When a bank executive calls a customer to say that the customer is eligible for certain benefits, such as a loan at subsidised rates or other offers and facilities, because of the adequate funds maintained in their bank account, this clearly indicates that the customer's account details and available balance can be easily accessed by an employee of that bank on the ground that they are required for processing. Such processing is nothing but a marketing strategy to increase market share by using customers' personal data on the privileged basis of being an employee of a data fiduciary.

For example, if an individual works in a bank as an employee, and their neighbours hold an account at the same bank and branch where that individual works, then it is probable that the employee can access the financial data of their neighbours with a single click, by virtue of being an employee of the bank. At the same time, it is impossible to restrict employees' access to such data altogether, as that would hamper the bank's business.


Suggestions for harmonious balance

In order to strike a balance between granting access to information and restricting it, the best possible way out is a cross-check: a compliance obligation on the part of the employee to record that they have accessed such information for a business purpose, so that if any information is later found to have been disclosed outside the organisation, the employee who accessed it can be held accountable. This would also help in compliance with Clause 12(2) of the Digital Personal Data Protection Bill, 2022, which states that “the individual i.e., data principal shall have the right to obtain the summary of personal data processed by the entity i.e., data fiduciary”.

Entities do enter into confidentiality agreements with their employees. However, the confidentiality clause in such an agreement nowhere restricts which information the employee may access; it only reads that “The parties to this agreement agree that each shall treat as confidential all information provided by the party to the others regarding such party’s business and operations”. A new clause, the “accessibility clause”, can therefore be introduced alongside the existing confidentiality clause. The accessibility clause should be drafted differently for different employees, clearly specifying the kinds of data each employee shall have access to. To ensure privacy, access to confidential information by employees must be restricted even where a confidentiality agreement has been executed.

An accessibility clause is needed because the employer has to value the interests of its clients, and to secure those interests, client data has to be shared with the employee; but an employee's access to client data should be restricted to the data relevant to that employee's work. Most importantly, few employees apart from the human resource department and the tele-calling department should have access to client data. Making personal data accessible to all will never ensure its confidentiality.
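The accessibility clause and the access cross-check proposed above, as an added illustration that is not part of the original article: a per-role field allowlist stands in for the clause, and every read attempt is recorded together with the declared business purpose, so that a later disclosure can be traced back to the employee who accessed the data. The role names, field names and customer records are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy: the "accessibility clause" for each kind of employee,
# expressed as the set of personal-data fields that role may read.
ACCESS_POLICY = {
    "branch_clerk": {"name", "contact_number", "nominee"},
    "loan_officer": {"name", "income", "pan", "account_balance"},
    "tele_caller": {"name", "contact_number"},
}

# Constructed sample records; the values are placeholders, not real customer data.
CUSTOMERS = {
    "C-1001": {"name": "A. Customer", "contact_number": "9XXXXXXXXX", "nominee": "B. Customer",
               "income": 850000, "pan": "XXXXX0000X", "account_balance": 120000},
}

@dataclass(frozen=True)
class AccessEntry:
    ts: str
    employee: str
    role: str
    customer_id: str
    fields: tuple
    purpose: str
    granted: bool

class CustomerStore:
    def __init__(self, records):
        self._records = records
        self.audit_log = []  # append-only record of every access attempt, granted or not

    def read(self, employee, role, customer_id, fields, purpose):
        """Return only the requested fields the role is entitled to; refuse otherwise.
        Every attempt is logged with the declared business purpose before any data is returned."""
        fields = tuple(fields)
        denied = sorted(set(fields) - ACCESS_POLICY.get(role, set()))
        granted = not denied and bool(purpose.strip())
        self.audit_log.append(AccessEntry(datetime.now(timezone.utc).isoformat(), employee,
                                          role, customer_id, fields, purpose, granted))
        if not purpose.strip():
            raise PermissionError("a business purpose must be declared for every access")
        if denied:
            raise PermissionError(f"role {role!r} may not read {denied}")
        record = self._records[customer_id]
        return {f: record[f] for f in fields}

    def who_accessed(self, customer_id, field_name):
        """Accountability query: which employees successfully read this field of this customer."""
        return sorted({e.employee for e in self.audit_log
                       if e.granted and e.customer_id == customer_id and field_name in e.fields})
```

If a customer's balance later turns up outside the bank, `who_accessed` narrows the enquiry to the employees whose logged, purpose-declared reads included that field.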