Leading office building operators in India have been asking for visitors’ government identification cards, making the process of visiting multinational company offices quite lengthy. This has raised concerns about the safety of personal data.
There aren’t clear guidelines on this yet, so while it’s not illegal, legal experts suggest questioning why these IDs are being demanded.
Companies like DLF, Embassy, Brookfield, and Mindspace, which manage most Grade A office buildings, insist on taking a picture of a government ID card. They specifically ask for an ID showing proof of residence and don’t accept PAN cards.
However, most visitor management software providers recommend only collecting essential information like names and phone numbers for security purposes and regularly deleting this data.
The Digital Personal Data Protection Act (DPDP Act), passed in August, states that any entity dealing with personal data must first get explicit consent from individuals, explain the purpose of the data collection, and delete the data afterward.
NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi, says that provisions like purpose limitation in the DPDP Act will become effective once the rules are finalized. This will allow individuals to request the deletion of their data after its intended use is fulfilled.
During busy times, the entire process of data collection at the security point and office can take around 45 minutes to an hour.
Sandeep Kaul, CEO of Hipla Technologies, believes that the DPDP Act will help regulate personally identifiable information (PII) and acknowledges the growing awareness among users regarding data protection.
Kazim Rizvi, founding director at The Dialogue, suggests that while the DPDP Act mainly applies to digital data, it’s important to follow data protection principles when handling sensitive information like government IDs. This includes using such data only for specific purposes with informed consent, ensuring secure storage, and deleting it safely when no longer needed.
Some facility management companies mention that while operators have the discretion to collect visitor data, simple identity verification through checking IDs without storing the data could suffice for security purposes.
In 2018, the Supreme Court recognized the right to privacy and invalidated Section 57 of the Aadhaar Act, leading companies to stop requesting Aadhaar for identity verification.
The DPDP Act requires companies to adhere strictly to the purposes stated when consent was collected. The act aims to establish a comprehensive privacy law after five years of development. However, the government has yet to release the executive rules that will define its implementation.
(Source: ET Realty)