Most DPDP confusion in HR comes not from intent but from habit.
For years, HR teams have collected documents “just in case”. The DPDP Act flips that logic completely. Under DPDP, collecting less data is safer than collecting more.
This guide breaks DPDP down at the document level so HR teams know exactly what is acceptable, what is risky, and what should be avoided.
Quick Summary
Under DPDP, HR can collect only purpose-specific, minimum documents required for hiring, onboarding, payroll, and legally mandated checks.
Anything extra increases compliance and breach risk.
The Core DPDP Rule HR Must Remember
Before collecting any document, ask:
- Why do we need this?
- Is it legally required or operationally essential?
- Can we justify this if questioned later?
If the answer is unclear, do not collect it.
HR Document Collection Under DPDP (Quick Reference Table)
| Document | Can HR Collect? | Conditions Under DPDP |
| --- | --- | --- |
| Resume / CV | Yes | For hiring and evaluation only |
| PAN Card | Yes | Payroll, taxation, BGV |
| Aadhaar | Rarely | Only if legally mandated, avoid storage |
| Passport | Depends | Role-specific or travel requirement |
| Address Proof | Yes | When required for verification |
| Academic Certificates | Yes | Only relevant qualifications |
| Medical Records | No | Unless legally mandated |
| Family Member IDs | No | Avoid unless benefit-related |
| Bank Details | Yes | Salary processing |
| Biometric Data | No | High-risk, avoid unless mandated |
High-Risk Documents Under DPDP (Handle With Caution)
These documents attract higher scrutiny and risk under DPDP:
- Aadhaar
- Biometric data
- Medical records
- Family member personal data
If collected without clear legal justification, these can trigger penalties and breach obligations.
What HR Can Collect (Safely)
HR teams may collect documents that are:
- Directly required for hiring decisions
- Mandatory for payroll or statutory compliance
- Essential for background verification
Examples:
- Resume and interview notes
- PAN card for salary processing
- Offer letter and employment contracts
- Educational certificates relevant to the role
What HR Should Avoid Collecting
Avoid collecting documents that:
- Are not tied to a specific purpose
- Are collected out of habit
- Belong to family members without necessity
Examples to avoid:
- Aadhaar when PAN suffices
- Multiple IDs without justification
- Medical history without legal requirement
- Spouse or parent documents for non-benefit reasons
Background Verification: Where Most Mistakes Happen
BGV processes traditionally over-collect.
Under DPDP:
- Collect only documents required for that specific check
- Avoid storing copies indefinitely
- Do not reuse BGV documents for unrelated purposes
If a document is not required for that check, do not ask for it.
Data Retention: How Long Can HR Keep Documents?
DPDP expects organisations to:
- Define retention periods
- Delete data once the purpose is complete
Examples:
- Rejected candidate data: delete within a defined window
- BGV documents: delete post-verification
- Payroll records: retain only as long as legally required
No purpose means no storage.
Vendor Responsibility: HR Is Still Accountable
Even if vendors collect or store data:
- Your organisation remains responsible
- Vendors must follow DPDP standards
- Contracts must include DPDP clauses
Vendor compliance is not optional; it is your responsibility.
Simple Decision Rule for HR Teams
Before collecting any document, ask:
Would we be comfortable justifying this to an auditor, regulator, or the employee?
If not, do not collect it.
Why This Matters
Correct document collection under DPDP:
- Reduces compliance risk
- Builds employee and candidate trust
- Minimises breach exposure
- Future-proofs HR operations
DPDP compliance starts with asking fewer questions, not more.
What’s Coming Next
Playbook: DPDP Document Collection Checklist for HR & BGV Teams
A step-by-step guide with templates and do’s & don’ts to fix document collection practices fast.





