The Day After the DGPSI-HR Discussion

Yesterday, the cream of professionals in the Data Protection domain congregated to discuss a compliance framework titled “DGPSI-HR”.

Since this was the first exposure to this framework, it was a time for most to absorb the information and contemplate the implications of what was discussed.

I have started receiving some queries in this regard and would be happy to discuss them and continue the debate.

Question 1: 

While there are already the frameworks DGPSI-Full and DGPSI-Lite, which can be extended to DGPSI-AI, one of the first thoughts is: what additional business needs will this new framework address?

It is a pertinent question. DPDPA is a law and is conceptually a framework of its own. This has been captured in the DGPSI-Lite version, which is a simple conversion of the compliance clauses in DPDPA into a framework.

DGPSI-Full is a broader framework that adds certain governance issues and also enables DTS calculation. It is more comprehensive than DGPSI-Lite and includes some higher-level concepts such as Data Valuation and Distributed Responsibility.

However, the data-driven industry has some sectors for which a sharper framework addressing their specific needs is required.

There were a few such sectors under consideration when we thought of DGPSI-HR.

One was the large section of ancillary manufacturing industries, typically the units in an industrial estate where one engineering entrepreneur engages 10 workers and a few lathes or similar equipment and manufactures goods for specific customers.

DPDPA is applicable to such units and there is no specific dilution of the Act. I agree that the Government is empowered to provide some exemptions under Section 17 for such units and in fact may do so in the next 5 years. However, until the law provides concessions, we need to assist such organizations in being compliant with the law without too much pain. Such organizations mainly handle “Business Contact Data” and do not process personal data of the public. They do process the personal data of their employees, some of whom may be engaged under an employment contract and some under a contract.

Such companies need a simpler version of DGPSI. DGPSI-HR may be more than sufficient for them to be compliant with the DPDPA.

Secondly, there are many HR service organizations engaged in background verification, payroll management, manpower hunting and placement, etc. Such activities are project-based activities which carry joint data fiduciary responsibilities for the project. They “employ and deploy” human resources under a B2B contract with customers, where these employees will process personal data of the customers. They may also “contract and deploy” in some cases.

Thirdly, in the health care sector there could be hospitals which engage medical practitioners on a contract basis to render services as part of the hospital service, but with the expert being in full control of the activity and often using the data for presentations, research and other purposes as a joint data fiduciary.

Fourthly, there are many large IT organizations which work on an “Employ and Deploy” model, where they send their employees to work at the client’s place. Such organisations can consider segregating this activity into a subsidiary and functioning like a Hybrid entity. In such a case DGPSI-HR may become useful as a focussed implementation framework for such a subsidiary.

It was necessary to innovate a new framework to address such instances.

We invite more use-cases to be referred to us so that we can continue to debate how the framework will be useful for both the industry and the data auditors.

Naavi

Posted in Privacy

Karnataka Gig Worker’s Act and DPDPA: 2

In debating the DPDPA implications arising out of employment contracts, one issue that comes forth is how “GIG Workers” are represented under the DPDPA. In this connection we can refer to The Karnataka Platform Based Gig Workers (Social Security and Welfare) Act, 2025, Act No. 72 of 2025, which has been effective from 30th May 2025.

Also refer here

As per the Karnataka Act, “Gig worker” means a person who performs work or participates in a work arrangement that results in a given rate of payment, based on terms and conditions laid down in such contract and includes all piece-rate work, and whose work is sourced through a platform, in the services specified in the Schedule.

(The Act is applicable only to platform-based Gig workers and not others. Applicability to others who might apply for registration with the Board is not clear.)

Currently, Indian labour and employment laws recognize three main categories of employees: government employees, employees in government-controlled corporate bodies known as Public Sector Undertakings (PSUs), and private sector employees who may be managerial staff or workmen. All these employees are ensured certain working conditions, such as minimum wages under The Minimum Wages Act, 1948, a set number of hours of work, compensation for termination, etc. Currently, gig workers lack ‘employee’ status under Indian law, resulting in several consequences, such as an inability to form unions to represent their interests, exploitative contracts, etc.

The Contract Labour (Regulation and Abolition) Act, 1970 regulates the engagement of contract labour in India, including work done through third-party contractors. There is scope for gig workers who work for platforms to be “contractors” under this law. This imposes obligations on employers to comply with the requirements under this law, including welfare and health obligations to be provided to employees such as the provision of canteens, first aid, etc.

Under DGPSI we have frequently mentioned that an “Individual” who works under a contract with another organization in a capacity other than “Employment” should be considered a “Joint Data Fiduciary” or a “Data Processor”, depending on the terms of the contract and whether it deals with personal data processing.

[Recently, there was a debate with an AI model on whether an individual can be a “Data Processor” under the DPDPA 2023, and I held the view that if an individual can be a data fiduciary under DPDPA, then he can also be a data processor. This was like the Arnab-Blue Machine debate, and finally I decided to keep my view for the time being as the Jurisprudential view consistent with our approach to DGPSI.

The “Jurisprudential” view, whether right or wrong, is the prerogative of the human. An AI can only respond from its training data and is not capable of expressing a “Jurisprudential View”. The “Jurisprudential View” falls within “Creative interpretation”, which also introduces the “Unknown Risk” and hence is not expected of an AI tool. This is another indication that AI as a tool can substitute for lower-level employee decisions which are routine in nature, but not for decisions which are not supported by past data.]

Leaving this digression aside, let us dive deeper into the Karnataka Act, which was aimed at Rapido- and Amazon-type aggregators and a “Platform” defined as

… any arrangement providing a service through electronic means, at the request of a recipient of the service, involving the organization of work performed by individuals at a certain location in return for payment, and involving the use of automated monitoring and decision making systems or human decision making that relies on data.

To the extent this law tries to regulate “Cyber Space Activities”, we still consider that such laws made by State Governments are ultra vires Section 90 of the Information Technology Act 2000, though even the Central Government is not interested in pressing this nuance.

The main purpose of the Act is to provide “Social Security” for GIG workers with the constitution of a Welfare Board.

One of the obligations of the platform is to enter into a “Fair Contract” with the Gig workers.

More importantly, the law states:

“Section 13 (1) The aggregator or platform must inform the platform based gig worker, in simple language and in Kannada, English or any other language listed in the Eighth Schedule of the Constitution of India known to the Gig worker, regarding the procedure to seek information in respect of the automated monitoring and decision making parameters employed by the aggregator or platform, which have an impact on their working conditions, including but not limited to fares, earnings, customer feedback and allied information, as may be prescribed.

(2) The aggregator or platform shall take measures to prevent discrimination on the basis of religion, race, caste, gender, or place of birth or on the grounds of disability by the automated monitoring and decision making systems deployed by them”.

While the platform is obliged to follow the law as stated in Section 13(2), the law fails to recognize the consumer’s right of choice to designate the qualifications of the worker who provides the service. This needs to be debated.

This Act is applicable to the following services:

1. Ride sharing services.
2. Food and grocery delivery services.
3. Logistics services.
4. e-Marketplace (both marketplace and inventory model) for wholesale/retail sale of goods and/or services, Business to Business / Business to Consumer (B2B/B2C).
5. Professional activity provider.
6. Healthcare.
7. Travel and hospitality.
8. Content and media services.

When we discuss “Health Care” for GIG workers, we normally associate it with platforms such as “Practo” or “Nursing services”, etc.

A point to discuss is whether a “Specialized Surgeon providing services in a hospital not as an employee but as a consultant” would also fall within the definition of a “Gig Worker”.

If so, then the “Right of Choice” of the consumer to restrict the choice of the service provider should also be recognized, since it is a life-critical decision.

If the principle of the “Right of Choice to choose a service provider” is recognized for the medical profession, the next question is why it should not be applied to a food delivery or ride sharing service. Can the consumer insist that the service be provided only by a certain gender or religion, etc., without it being considered “Discriminatory”?

We recall the debate in UP where the Government mandated that food stalls should display the owner details to enable consumers to choose which stall to buy from. Though this was opposed at that time for political reasons, in a neutral situation this should be a “Consumer Choice”. If so, the platforms need to ask the consumer for such a choice and follow his “Permission” to use any specific category of service provider.

I am sure that this will be flagged as undesirable, but it needs an impassioned debate. However, the presence of this law corroborates the need to recognize three kinds of “Contractual Employees” in the DGPSI-HR framework, namely:

    1. An employee of organization A being placed to work in organization B under an organization to organization contract with a possible Personal Data Processing assignment.
    2. An employer B who accepts contractual employees from another organization A and assigns personal data processing work to them.
    3. A Contractual employee (GIG worker) of organization A being assigned to organization B for personal data processing assignments.

The DGPSI-HR framework suggests appropriate policies and back to back contracts to ensure that the responsibilities of a Data Fiduciary are properly managed in such situations.

Let us debate this today in the open house discussion on DGPSI-HR. Be there if you are interested.

Naavi

Posted in Privacy

Karnataka Gig Worker’s Act and DGPSI-HR

While I was debating DGPSI-HR and a specific provision related to “Contract Employees”, the issue of GIG workers came to the table. In this context I am trying to look into the Karnataka Platform Based Gig Workers (Social Security and Welfare) Act 2025, which is interesting to discuss. This is a topic for deeper discussion amongst HR law experts, but I am presenting it here to draw their attention and to invite comment on the specific provision of DGPSI-HR.

DGPSI-HR is a special framework under DGPSI (Data Governance and Protection Standard of India) meant to provide a guideline for DPDPA compliance by the HR divisions of organizations as well as by HRMS companies.

There are two model implementation specifications in the framework, which state as follows.

MIS 4 (DGPSI-HR):

All contract employees, consultants, and outsourced personnel engaged by the Organization who have access to or process Personal Data shall act under the authority of the Organization and shall be bound by written confidentiality, security and data-protection obligations aligned to the Digital Personal Data Protection Act, 2023 (DPDPA).

Where a consultant or service provider independently or jointly determines the purposes and means of processing Personal Data, such party shall be treated respectively as a Data Fiduciary or Joint Data Fiduciary for that processing.

MIS 5 (DGPSI-HR):

Where the Organization supplies its employees to another organization and such personnel process Personal Data under the instructions of the recipient organization, the recipient organization is the primary Data Fiduciary.

The supplying Organization, to which the individual worker has “Employment” obligations, shall be considered as jointly determining the means of processing, and hence both organizations shall be considered data fiduciaries. (This is consistent with the employment status of such workers.)

The Organization supplying personnel shall ensure project specific back-to-back contractual obligations with such personnel, including confidentiality, security and lawful-processing duties, aligned with its obligations under any Data Processing or Joint Data Fiduciary agreements.

We shall discuss these provisions in today’s open house discussion on DGPSI-HR in a Zoom session (link available in the image above). Interested persons may attend and contribute their thoughts on this 27-specification framework.

…To be continued

Naavi

Posted in Privacy

South African Court Debates Employee Data vs Personal Data under the Privacy Act

A case, Zulu Nyala Game Ranch (PTY) Ltd vs Christian Bukes and Custom Trails (PTY) Limited, which discusses some interesting thoughts on employee information and the privacy act, has been reported.

The order protects the right of an employer to restrain an outgoing employee from disclosing its confidential, trade-sensitive customer information, which is bound by confidentiality under privacy laws.

The issue is that the applicant is a business entity which provides services to individuals and therefore holds the personal data of its customers as part of its business activity. Such information has economic value to the company, besides carrying certain privacy rights of the individuals.

The first respondent was an employee and the second respondent was a company promoted by the wife of the employee.

The first respondent’s employment contract contained confidentiality clauses that expressly prohibited him from disclosing, inter alia, trade secrets, marketing material, customer lists or supply lists, business affairs, technical methods, electronic mail and processes of the applicant’s operations. The employment contract also mandated the return of such material on termination.

The employee, even during employment, was sharing the company’s customer information with his wife’s entity and was dismissed from service. He then continued to use the information and converted it into a business opportunity similar to that of the applicant.

The applicant proceeded against the wife’s business entity for infringement of its trade secrets, etc.

The action of the employee was considered a “Breach of Trust”, whether or not it was a “Breach of Contract” (ed: which depends on the clauses in the employment contract).

The essence of the judgement was that the personal information recognized as such under the Privacy Act was also business information and hence qualified to be considered for a breach of trade secrets.

This establishes the dual nature of the data and the concept of “Joint ownership of transaction data between the business entity and the individual”.

In the Indian context, ITA 2000 would have recognized this as “Unauthorized diminishing of value” [Section 66(i)] and also as breach of trust under BNS. It also supports the DGPSI concept of recognizing such data as transaction data which can be retained after the immediate purpose has been served. However, such retention should be for legitimate use and the data must be adequately secured.

An employee’s breach of data acquired during their employment would amount to a criminal activity and is punishable under ITA 2000 and BNS.

Judgement copy

(Comments are welcome)

Naavi

Posted in Privacy

DPDPA liability for HR operations

It is well known that every organization that has employees is exposed to DPDPA non-compliance risk. Though “For Employment” is considered a reason for bringing a personal data processing situation under the “Legitimate Use” basis, it only covers the exemption from notice and consent and leaves the rest of the obligations intact.

Some organizations use HRMS services from third parties and also use manpower on a contract basis.

The application of DPDPA in these special circumstances needs to be analysed to determine how to navigate the compliance requirements.

FDPPI recommends the use of a specific framework, DGPSI-HR, to manage DPDPA compliance in HR operations.

As a part of the development process, an open house presentation will be made on 15th January 2026 at 7.00 pm. Interested parties are welcome to attend and contribute their thoughts.

Naavi

Posted in Privacy

“Arnab vs AI”: an interesting conversation

Yesterday there was an interesting TV program where Mr Arnab Goswami of Republic TV had a long live conversation with the “Blue Machine”, an enterprise AI developed in India. It was an exploration of how the AI would respond to the persistent questioning of Mr Arnab.

Blue Machine is a family of AI developed by Apnatime Tech Private Limited, a company in Bengaluru (registered in Mumbai), incorporated in 2019 with Nirmit Vidyut Parikh and Vidyut Harivadan Parikh as the promoters.

The full interview is available here.

The Blue Machine Enterprise Voice AI is said to be an AI system meant for use in industries such as Banking, Airlines, Insurance, etc. for customer interaction. It can hold a long, context-based conversation, as was demonstrated in the above program. As we all know, having a conversation with Mr Arnab, particularly when he is probing to induce an erroneous statement from the respondent, is a big challenge. We must admit that the Blue Machine managed the conversation for nearly an hour with great aplomb.

I admit I was expecting the Blue Machine to show some hallucination and breaking of the guardrails during the persistent questioning. But it did not happen. The AI successfully managed the session without showing any strain from the questioning: the repetitive exploration, expressions of distrust, criticism, etc. from Mr Arnab’s side.

The AI persistently held that it has rigid guardrails which it cannot cross, and that it believes AI will only be a support tool for human beings and will not become sentient.

For the time being we must believe that the version of AI demonstrated yesterday passed the test and appears more than capable of handling effective conversations with the customers of an organization, explaining any given service.

In the program it was indicated that the AI system was developed in India by a team but is still a system built on other foreign systems. In yesterday’s program, what was required was a general response on ethics, the need for human oversight, etc. On domain knowledge, the AI exhibited vast exposure to developments in the news but avoided any controversial statements despite persistent questioning by Mr Arnab.

The website displays a Vulnerability Disclosure Policy document in which the scope is declared as limited to the domains mentioned in the list of in-scope systems, together with a big list of vulnerability categories. It has announced a bug bounty program to support the reporting of vulnerabilities, with “Hall of Fame” recognition but without cash rewards.

There is an indication of compliance with ISO standards, HIPAA, NIST and SOC 2. Currently there is no mention of DPDPA 2023.

The Privacy Policy (version January 12, 2026) is the legacy-style “One Declaration for all Services”. It extends to the website and all the services. This design suffers from the collection of permissions which are not relevant to a majority of visitors to the website.

The policy suggests that “By accepting the terms” … consent is deemed to have been provided. But we could not see any “Accept” button, nor any indication of an authenticated consent.

Since visitors to the website are mixed up with the service users, personal information collected from individual visitors is mixed up with the details provided by business entities proposing to use the services, who provide “Business Contact Details” which are not strictly within the definition of “Personal Data”.

The excessive permissions sought to be collected include one-time or continuous access to:

(i) automatically receive, collect and analyze your location data which may be accessed through a variety of methods including, inter alia, GPS, Internet Protocol address, and Device location;

(ii) collect data pertaining to your Device and your usage thereof, including, inter alia, data about your Device, and data about your use of features or functions on your Device;

(iii) camera access to scan/capture/upload documents and/or photographs;

(iv) microphone permissions; and

(v) any other files and media.

The Company also declares that it may collect information about “you” from all sources, including sources such as public websites and social media, including but not limited to your publicly accessible profiles, etc., and via cookies and similar tracking technologies deployed on its Services, though no cookie consent popped up during the visit.

The stated purposes of use include “develop, train, and improve our existing Services and such other aspects we deem necessary;”, “identify a user”, “to enable marketing”, “to undertake mergers, acquisitions”, and “to comply with obligations we may have with any other third party”.

Undisclosed third parties are mentioned as potential recipients of personal data collected by the organization.

Many of these purposes need further explanation.

Visiting the website has also been brought under a legally binding contract through the terms and conditions. “Access” to the platform is deemed to be “Explicit Consent”.

We await refinements to the Privacy Policy and the commitment to comply with the Indian DPDPA 2023.

We however take this opportunity to congratulate the team for building a conversation platform which could successfully negotiate the Arnab Test. I am sure that no customer of any of the services using the platform is as probing as Arnab, and hence it can be expected that it would effectively manage any tricky customer enquiring about the services of the organization.

It would be interesting to see how the Blue Machine Privacy Policy holds up to the DGPSI and DGPSI-AI frameworks. Maybe we can explore it in another article.

Naavi

Posted in Privacy