India’s leading office building operators’ insistence on taking government identification cards of visitors for verification has made visiting MNC offices a lengthy process and raises concern over personal data safety.
In the absence of any clear guidelines, the practice is not illegal yet, but legal experts say one must question the intent behind demanding government ID.
DLF, Embassy, Brookfield and Mindspace, which operate the majority of the country’s grade A office buildings, insist on taking a snap of a government ID card. They even insist on an ID that has proof of residence and refuse to take the PAN card.
This is despite a majority of visitor management software providers advising operators to take only the limited information needed for the security of the building, such as name and phone number, and to regularly purge (delete) the data.
Experts pointed out that the Digital Personal Data Protection Act (DPDP Act), ratified in August this year, mandates that any company or individual collecting, managing or working with personal data of people must obtain explicit consent from them by telling them the purpose for which the said data is being obtained, and must delete it once the purpose is served.
“After the Puttaswamy judgment (on right to privacy), companies do not insist only on Aadhaar. Under the DPDP Act, the construct of purpose limitation is captured but these provisions will become effective (only) once the rules are framed thereon,” said NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi, a not-for-profit initiative focused on safety in digital spaces.
“Once that is done, a person can ask for their data to be deleted once the purpose is completed. How such a process will work is contingent on how the rules will be framed under the DPDP Act,” he said.
Most office parks have one common security point where the data is taken, and the data is then collected again at the office.
The entire process takes almost 45 minutes to an hour on busy days.
“We see an increased number of end users getting cognizant about data protection and are more aware,” said Sandeep Kaul, CEO of Hipla Technologies, a workplace management solutions provider headquartered in Singapore with a prominent presence in India. “The move by the Indian government on the DPDP Act will help to regulate PII (personally identifiable information),” he said.
Hipla manages 25,000 check-ins a day and has customers spread across India, the UK, and West Asia.
“The office parks mostly seek government identification information for security and verification purposes, which they may store for a few days for law enforcement purposes,” said Kazim Rizvi, founding director at policy think tank The Dialogue. “While they may be allowed to collect government ID information, and the Digital Personal Data Protection Act 2023 only applies to data in digital form, it is still important to follow some of the key principles of data protection while handling sensitive information like government ID information,” he said.
Purpose limitation is essential: the collected government ID information must be used only for the stipulated purposes, which are security and verification.
“Moreover, such data must be collected from individuals after getting their informed consent,” Rizvi said. “Moving toward data storage, the systems used for storing such data must have integrity and confidentiality to safeguard the data. Finally, when the government ID information is no longer needed, or its purpose has been fulfilled, it must be expunged safely.”
According to facility management companies that manage office parks for developers, it is up to the operator how much data they want from a visitor.
“If security is the prime concern, frisking of everyone entering is sufficient,” said an executive of a global facility management firm, requesting anonymity. “Even if they want to establish the identity, they can just check the ID instead of storing the data,” the person said.
The Supreme Court, in a 2018 judgement, held that Aadhaar could be used for welfare, but it recognised a fundamental right to privacy and struck down Section 57 of the Aadhaar Act, which enabled private entities to use Aadhaar authentication to establish identity for delivering services.
Following this, companies stopped asking for Aadhaar to establish the identity of a person.
The DPDP Act mandates that companies that collect, manage or process data must not go beyond the mandate for which the consent was obtained.
The Act received the President’s assent in August this year, making a privacy law a reality after five years in the making. The government is yet to release the executive rules that will define how the law will be implemented.
(With input from Aashish Aryan)