The One DPDP Rule HR Cannot Ignore
The DPDP Act, 2023 has changed one uncomfortable truth for HR teams:
Storing employee data “just in case” is no longer allowed.
If your HR systems, shared drives, emails or vendors are still holding old resumes, Aadhaar copies, medical records or exit documents without a defined reason – you are already exposed.
This is not about intent.
It’s about retention discipline.
Under DPDP, HR can retain personal data only if:
- There is a clear, specific purpose
- The data is still required for that purpose
- The retention period is defined
- The data is deleted once the purpose ends
Indefinite retention = non-compliance, even if the data is “secure”.
Where HR Retention Violations Happen the Most
These are not edge cases – they are everyday HR practices.
Hiring & Candidate Data
- Rejected resumes stored for years
- Interview notes never deleted
- Offer letters of candidates who didn’t join
Fix: Hiring data must expire once the hiring purpose ends.
Aadhaar, PAN & ID Proofs
- Stored in emails
- Uploaded to HRMS permanently
- Kept “for audit safety”
Fix:
Verify → Record verification outcome → Delete the document
You do not need to retain the ID to prove verification.
Medical & Sensitive Personal Data
- Insurance forms
- Health declarations
- Mental health disclosures
Fix:
Shorter retention, stricter access, faster deletion.
Sensitive data needs more protection, not longer storage.
Ex-Employee Data
- Old performance reviews
- Personal documents
- Exit paperwork with no end date
Fix:
Retain only what is legally required. Everything else must go on a defined timeline.
DPDP-Ready HR Data Retention Table
Rule of thumb: If the purpose is over and there’s no legal obligation, the data must be deleted.
| HR Data Type | Why It’s Collected | How Long to Retain | What HR Should Do |
|---|---|---|---|
| Rejected candidate resumes | Hiring evaluation | 6–12 months | Auto-delete after hiring cycle |
| Offer letters (no-shows / declines) | Hiring records | 6 months | Delete if candidate doesn’t join |
| Interview notes & assessments | Selection decision | 6 months | Retain only final decision summary |
| Aadhaar / PAN / Passport copies | Identity verification | Till verification completes | Verify → log status → delete document |
| Background verification reports | Employment risk check | Employment + limited post-exit | Keep summary, delete raw docs |
| Employee personal details | Payroll & communication | Active employment only | Review & purge post-exit |
| Payroll & tax records | Statutory compliance | As per law (7–8 yrs typically) | Secure storage, restricted access |
| Medical & health records | Insurance / accommodation | Minimum required period | Short retention, high controls |
| Performance reviews | Talent development | Defined review cycle | Delete old cycles post-exit |
| Exit forms & clearance docs | Employment closure | 2–3 years | Retain only legally necessary data |
| Employee emails / chats | Business continuity | As per IT & legal policy | Avoid blanket retention |
| Consent records | Compliance proof | As long as data exists | Delete consent when data is deleted |
“We Might Need It Later” Is NOT Allowed
DPDP is explicit in spirit: Data cannot be retained simply because it might be useful in the future.
HR must move from:
❌ “Let’s keep it”
to
✅ “Why are we keeping this – and till when?”
If there is no clear answer, retention is illegal.
What HR Should Fix Immediately (No Delays)
✔ Create a written HR data retention policy
✔ Define retention timelines for every data type
✔ Audit HRMS, email inboxes, shared drives & vendors
✔ Delete legacy and unused data
✔ Push retention rules down to BGV and HR tech vendors
✔ Build automatic deletion into workflows
Manual reminders don’t scale. Systems must enforce deletion.
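What "systems must enforce deletion" looks like in practice: a retention schedule encoded as data, a decision function that every stored HR record is run through, and the verify → log outcome → drop the document pattern from the ID-proof section. The code below is an added illustration written for this article, not part of the original post or any HRMS product. The day counts are one concrete choice inside the ranges in the table above (12 months for rejected resumes, 8 years for payroll), the record fields (`purpose_ended_on`, `legal_hold`, `payload`) and the sample records are constructed for the example, and a real deployment would read the schedule from the written retention policy rather than hard-code it.

```python
"""Retention schedule evaluator for HR records (illustrative; field names and
day counts are assumptions, not taken from any HRMS or from the DPDP Act)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days a record may be kept after its purpose ends. Each value is one choice
# inside the ranges in the retention table; the written policy is the source.
RETENTION_DAYS = {
    "rejected_resume": 365,           # 6–12 months: upper bound chosen here
    "offer_letter_no_show": 180,      # 6 months
    "interview_notes": 180,           # 6 months
    "id_proof_copy": 0,               # delete as soon as verification is logged
    "payroll_tax_record": 8 * 365,    # statutory, "7–8 yrs typically"
    "exit_clearance_doc": 3 * 365,    # 2–3 years: upper bound chosen here
}

# Fixed "today" so the sample run is reproducible (constructed value).
TODAY = date(2026, 1, 15)


@dataclass
class HRRecord:
    record_id: str
    data_type: str
    purpose_ended_on: Optional[date] = None  # None = purpose still active
    legal_hold: bool = False                 # e.g. an ongoing dispute or audit
    payload: Optional[bytes] = None          # the document itself, if any


def retention_decision(record: HRRecord, today: date) -> tuple:
    """Return (action, reason); action is 'retain', 'delete' or 'review'."""
    if record.legal_hold:
        return "retain", "legal hold overrides the schedule"
    if record.data_type not in RETENTION_DAYS:
        # No defined purpose or timeline means the storage cannot be justified;
        # do not silently keep it, route it to a human review queue.
        return "review", "no retention rule defined for this data type"
    if record.purpose_ended_on is None:
        return "retain", "purpose still active"
    deadline = record.purpose_ended_on + timedelta(days=RETENTION_DAYS[record.data_type])
    if today >= deadline:
        return "delete", "retention period ended on " + deadline.isoformat()
    return "retain", "scheduled for deletion on " + deadline.isoformat()


def complete_id_verification(record: HRRecord, outcome: str, verifier: str, today: date) -> dict:
    """Verify -> record the outcome -> drop the document.

    The log entry proves that verification happened and what the result was;
    it deliberately contains no copy of, or extract from, the ID document."""
    log_entry = {
        "record_id": record.record_id,
        "document_type": record.data_type,
        "outcome": outcome,            # e.g. "verified" / "mismatch"
        "verified_by": verifier,
        "verified_on": today.isoformat(),
    }
    record.payload = None              # the scan is not needed to prove verification
    record.purpose_ended_on = today    # purpose (verification) is now complete
    return log_entry


def sweep(records, today: date) -> dict:
    """Map record_id -> action for every record; the caller deletes the
    'delete' set and queues the 'review' set. Nothing is retained by default."""
    return {r.record_id: retention_decision(r, today)[0] for r in records}


def sample_records():
    """Constructed sample data, fresh objects on each call."""
    return [
        HRRecord("r1", "rejected_resume", purpose_ended_on=date(2024, 12, 1)),
        HRRecord("r2", "offer_letter_no_show", purpose_ended_on=date(2025, 10, 1)),
        HRRecord("r3", "payroll_tax_record", purpose_ended_on=date(2025, 3, 31)),
        HRRecord("r4", "id_proof_copy", payload=b"<constructed scan bytes>"),
        HRRecord("r5", "exit_clearance_doc", purpose_ended_on=date(2024, 1, 1), legal_hold=True),
        HRRecord("r6", "misc_upload"),   # uploaded with no defined purpose
    ]


if __name__ == "__main__":
    records = sample_records()
    for rec in records:
        print(rec.record_id, *retention_decision(rec, TODAY))
    id_rec = records[3]
    print(complete_id_verification(id_rec, "verified", "hr.ops", TODAY))
    print("after verification:", retention_decision(id_rec, TODAY)[0])
```

Two design points carry the article's argument: a record whose data type has no rule is not quietly kept, it is surfaced for review, because "we have no rule for it" is exactly the "just in case" retention the Act rules out; and the ID-verification step returns only an outcome log and clears the document in the same call, so the sweep finds the copy already past its (zero-day) retention.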
Final Thought
DPDP is not about collecting less data.
It’s about keeping data only for as long as it serves a valid purpose.
The safest HR teams are not the ones with more backups —
they are the ones with less, cleaner, intentional data.
If HR cannot confidently answer:
- Why are we storing this?
- Till when?
- Who can access it?
That data is already a liability.