
DPDP Compliance for HR AI: Employee Data and Automated Decisions

How Indian companies using AI in HR — resume screening, performance monitoring, attendance AI — comply with DPDP Act requirements for employee personal data.

10 min read. Updated 2026-05-04

Are Employees Data Principals Under DPDP?

Yes. DPDP Section 2(j) defines 'Data Principal' as 'the individual to whom the personal data relates'. Employees are individuals, so their personal data is covered by the Act regardless of the employment relationship, and the employer is the Data Fiduciary for it. The SPDI Rules 2011 under the IT Act already covered employees' sensitive personal data; DPDP widens the scope to all digital personal data and strengthens the obligations.

Key implication: you need a lawful basis for each category of employee personal data you process and for each purpose. Consent under Section 6 is one basis, but for many HR processes the 'certain legitimate uses' in Section 7 fit better: Section 7 lists processing for the purposes of employment, and for safeguarding the employer from loss or liability (preventing corporate espionage, protecting trade secrets and the like), as legitimate uses that do not need consent. Two cautions: that ground covers what employment genuinely requires, not everything an HR team would like to do with the data, and you cannot make employment conditional on consent to non-essential processing, because consent obtained that way is not the free, unconditional consent Section 6 demands.

AI Resume Screening and DPDP

AI resume screening processes candidate personal data, often at scale, and a candidate is a Data Principal whether or not they are ever hired. DPDP obligations: (1) Notice: the Section 5 notice must describe the personal data collected and the purpose of processing; if automated screening is part of how the data will be used, say so in plain terms. (2) Purpose limitation: resume data collected to assess a candidate for this role cannot be reused to train or tune your screening model without a separate, specific basis (in practice, consent). (3) Accuracy: Section 8(3) requires personal data to be accurate, complete and consistent when it is used to make a decision that affects the Data Principal, which a screening decision is; a candidate rejected on a mis-parsed resume has a direct correction claim under Section 12, and a candidate who can show the model treats demographic groups differently can argue that the decision rested on inaccurate processing.

Best practice: disclose automated screening in job postings and in the notice; set a short retention period for rejected candidates' data (90 days is a reasonable working figure, but note that the Act itself requires erasure once the purpose is no longer served, under Section 8(7), rather than any fixed number of days); do not train screening models on candidate data without an explicit opt-in; and audit the screening model for disparate outcomes across groups before deployment and again after each retraining.
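An added example of the pre-deployment bias audit recommended above (this is not code from the page or from CrewCheck): it computes each group's selection rate from constructed screening outcomes and compares it with the best-rated group's, flagging any ratio below four-fifths. The four-fifths threshold is a widely used convention borrowed from US employment-testing guidance, not a figure the DPDP Act specifies; the group labels, the counts and the 30-record minimum are assumptions made for the example.

```python
"""Selection-rate audit for a resume screening model (added example, not CrewCheck code)."""
from collections import defaultdict
from fractions import Fraction

# Constructed screening outcomes, not real candidates: (self-declared group, advanced?).
# Built from counts so the two main groups are large enough for the ratio to mean something;
# group_c is deliberately tiny to show how an under-sampled group is reported.
SCREENING_LOG = ([("group_a", True)] * 80 + [("group_a", False)] * 40
                 + [("group_b", True)] * 30 + [("group_b", False)] * 70
                 + [("group_c", True)] * 3 + [("group_c", False)] * 2)


def selection_rates(rows):
    """Share of each group the model advanced, as exact fractions, plus group sizes."""
    total, advanced = defaultdict(int), defaultdict(int)
    for group, passed in rows:
        total[group] += 1
        advanced[group] += int(passed)
    return {g: Fraction(advanced[g], total[g]) for g in total}, dict(total)


def adverse_impact(rows, floor=Fraction(4, 5), min_n=30):
    """Compare every group's rate with the best-rated adequately sampled group.

    Returns {group: (verdict, ratio)}: 'flag' when ratio < floor, 'ok' otherwise, and
    'inconclusive' (ratio None) for groups below min_n records. The 4/5 floor and the
    30-record minimum are assumed conventions, not DPDP requirements.
    """
    rates, counts = selection_rates(rows)
    best = max(r for g, r in rates.items() if counts[g] >= min_n)
    report = {}
    for group, rate in rates.items():
        if counts[group] < min_n:
            report[group] = ("inconclusive", None)
        else:
            ratio = rate / best
            report[group] = ("flag" if ratio < floor else "ok", ratio)
    return report


if __name__ == "__main__":
    for group, (verdict, ratio) in adverse_impact(SCREENING_LOG).items():
        print(f"{group}: {verdict}" + (f" (impact ratio {float(ratio):.2f})" if ratio else ""))
```

Run this on the model's actual pre-deployment decisions, not on a hand-picked sample, and keep the output with the deployment record so the audit is evidence rather than a one-off script run.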

Employee Monitoring AI

Productivity monitoring, attendance tracking and performance analytics that use AI are processing of employee personal data and fall under DPDP. For remote-work monitoring, tell employees clearly what is being monitored (keystrokes? screen captures? location?), the lawful basis for it, and how long the data is retained. Covert monitoring without consent or another clear lawful basis is a DPDP violation, and the employment ground in Section 7 does not stretch to monitoring that is not actually needed for the job or to protect the employer from loss.

For AI performance scoring: if a model produces ratings that feed into compensation, promotion or termination decisions, employees can use Section 11(1) to obtain a summary of the personal data being processed and of the processing activities, which covers the inputs to and outputs of the scoring model. DPDP contains no GDPR-style right not to be subject to a solely automated decision, but a biased or badly fed model is still exposed: the accuracy duty in Section 8(3) applies to data used for decisions that affect the employee, Section 12 gives a right to correction and erasure, and Section 13 requires a grievance route that the employee can use before escalating to the Data Protection Board.

Compliance operational checklist

This guidance should be run as an operating control, not only read as a reference article. The minimum checklist is a data inventory, a stated processing purpose per data category, owner approval, PII detection at the AI boundary, redaction or tokenisation where possible, retention limits, vendor transfer records, and a tested workflow for Data Principal rights requests. The checklist gives engineering and compliance teams a shared language for deciding what must be blocked, what can be allowed in shadow mode, and what needs human review before production release.

For AI systems, the review should cover prompts, retrieved context, tool call arguments, model responses, logs, traces, analytics events, exports and support attachments. Many incidents happen because teams scan only the visible form field while sensitive data moves through background context or observability tooling. CrewCheck's recommended pattern is to place the scanner at the request boundary, record the policy version with every decision, and keep audit evidence that shows which identifier types were detected and what action was taken, without the evidence itself becoming another copy of the identifiers.

A practical rollout starts with representative samples of production-like traffic. Run a DPDP scan, sort findings by identifier sensitivity and blast radius, and fix Aadhaar, PAN, financial, health, children's and precise-location exposure first; then move to consent wording, retention, deletion and vendor review. Use shadow mode while false positives could disrupt users, and promote to enforcement only after every exception has an owner and an expiry date.
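The request-boundary pattern and the shadow-to-enforce rollout described in the two paragraphs above, as an added example that is not CrewCheck's scanner or any code from the page: a Python boundary check that detects Aadhaar (with the Verhoeff checksum, so random 12-digit runs are not flagged), PAN and email addresses in a payload, tokenises the values with a keyed HMAC instead of logging them, supports shadow versus enforce mode with per-channel exceptions that carry an owner and an expiry date, and emits an audit event stamped with the policy version. The rule set, severities, policy id, key, exception registry and sample prompt are all constructed for the example.

```python
"""Boundary scanner for Indian identifiers in AI traffic (added example, not CrewCheck code).
Rule names, severities, the policy id, the HMAC key and the exception registry are assumptions."""
import hashlib
import hmac
import re
from collections import Counter
from datetime import date

POLICY_VERSION = "hr-ai-boundary-v1"       # assumed policy id; recorded on every audit event
TOKEN_KEY = b"example-only-load-from-kms"  # constructed key; keep the real one in a KMS/secret store

# Verhoeff multiplication (_D) and permutation (_P) tables, used for the Aadhaar check digit.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],[3,4,0,1,2,8,9,5,6,7],
      [4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],[6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],
      [8,7,6,5,9,3,2,1,0,4],[9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],[8,9,1,6,0,4,3,5,2,7],
      [9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],[2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]


def verhoeff_ok(digits: str) -> bool:
    """True when a 12-digit string passes the Verhoeff checksum that Aadhaar numbers carry."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


# (kind, severity, pattern, validator). Aadhaar: 12 digits, optionally grouped 4-4-4; the
# checksum discards most random digit runs. PAN: 5 letters, 4 digits, 1 letter.
RULES = [
    ("AADHAAR", 3, re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
     lambda v: verhoeff_ok(re.sub(r"\D", "", v))),
    ("PAN", 2, re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"), lambda v: True),
    ("EMAIL", 1, re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda v: True),
]

# Shadow-mode exceptions per channel; each must carry an owner and an ISO expiry date.
EXCEPTIONS = {"support_attachment": {"owner": "hr-ops", "expires": "2026-06-30"}}


def tokenize(kind: str, value: str) -> str:
    """Keyed, deterministic token: the same identifier always maps to the same token, so
    events can be correlated, but the raw value never reaches the payload or the audit log."""
    tag = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{tag}>"


def scan(text: str) -> list:
    """Findings as (start, end, kind, severity, token) tuples, ordered by position."""
    found = []
    for kind, sev, rx, valid in RULES:
        for m in rx.finditer(text):
            if valid(m.group(0)):
                found.append((m.start(), m.end(), kind, sev, tokenize(kind, m.group(0))))
    return sorted(found)


def redact(text: str, findings: list) -> str:
    """Replace every finding with its token, skipping spans already covered."""
    out, pos = [], 0
    for start, end, _kind, _sev, token in findings:
        if start < pos:
            continue
        out.extend((text[pos:start], token))
        pos = end
    out.append(text[pos:])
    return "".join(out)


def enforce(text: str, channel: str, mode: str = "enforce", block_at: int = 2, today: str = None):
    """Apply the boundary policy to one payload; returns (payload or None, audit event).

    'shadow' records findings and passes the text through; 'enforce' blocks at severity
    >= block_at and redacts lower-severity hits. An unexpired channel exception forces
    shadow mode; once its expiry date passes, enforcement resumes without a code change."""
    today = today or date.today().isoformat()
    exc, owner = EXCEPTIONS.get(channel), None
    if exc and exc["expires"] >= today:      # ISO dates compare correctly as strings
        mode, owner = "shadow", exc["owner"]
    findings = scan(text)
    worst = max((f[3] for f in findings), default=0)
    if mode == "shadow":
        action, payload = "pass_shadow", text
    elif worst >= block_at:
        action, payload = "block", None
    elif findings:
        action, payload = "redact", redact(text, findings)
    else:
        action, payload = "pass", text
    audit = {"policy_version": POLICY_VERSION, "channel": channel, "mode": mode,
             "exception_owner": owner, "action": action,
             "identifiers": dict(Counter(f[2] for f in findings)),
             "tokens": [f[4] for f in findings]}     # tokens only, never raw values
    return payload, audit


# Constructed sample traffic; the person and the identifiers are invented for this example.
SAMPLE_PROMPT = ("Summarise candidate Priya Sharma: PAN ABCDE1234F, Aadhaar 2341 2341 2346, "
                 "email priya.sharma@example.com, open to relocating to Pune.")

if __name__ == "__main__":
    for channel, mode in (("prompt", "shadow"), ("prompt", "enforce"), ("support_attachment", "enforce")):
        payload, event = enforce(SAMPLE_PROMPT, channel, mode, today="2026-05-04")
        print(event["action"], event["identifiers"], payload)
```

The same `enforce` call sits in front of every channel listed above (prompt, retrieved context, tool arguments, log sink), and the audit event is what you hand to a reviewer: it names the identifier types, the action and the policy version, but carries only tokens, so the evidence trail does not itself become an Aadhaar or PAN store. In production the checksum rule cuts Aadhaar false positives sharply, but a PAN-shaped string with no checksum will still match, which is one reason to start in shadow mode.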

This page is educational and should be paired with legal review for final policy interpretation. The operational proof should still come from repeatable evidence: scanner results, audit exports, pull-request checks, policy configuration, and a documented owner for the workflow. That combination is what makes the content useful during buyer diligence, board review, regulatory questions, or an incident investigation.

Tags: DPDP, HR AI, employee data, automated decisions, compliance

Check your own workflow

Run a free DPDP scan before this risk reaches production.

Scan prompts, logs, documents, and API payloads for Indian PII exposure, missing redaction, and audit gaps.