Legal And Compliance Aspects Of Employee Health Screening In India

Health screening at the workplace is becoming more common. The legal framework around it is less understood than it should be. Here is what every HR leader in India needs to know.

Corporate health screening has grown significantly in India over the past decade. Annual health camps, Health Risk Assessments, biometric screenings, mental health surveys and condition management programs are now standard features of many corporate wellness programs. Most organisations running these programs are doing so with good intentions and genuine care for their employees.

What many of them are doing without is a clear understanding of the legal and compliance framework that governs how employee health data can be collected, stored, used and shared.

This is not a niche legal concern. It is a practical operational risk that is growing more significant as India's data protection landscape evolves and as employee awareness of their health data rights increases.

Here is what HR leaders and corporate wellness professionals need to understand.

India does not have a single, unified health data protection law equivalent to GDPR in Europe. Instead, the framework is assembled from several overlapping pieces of legislation and regulation that together define employer obligations around employee health information.

1) The Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act, or DPDPA, is India's primary personal data protection legislation. It came into force in 2023 and establishes the foundational framework for how personal data, including health data, can be collected, processed and stored in India.

Key provisions relevant to employee health screening:

  • Health data is classified as sensitive personal data under the DPDPA framework
  • Collection of health data requires explicit, informed consent from the individual
  • The purpose of collection must be clearly stated and the data used only for that stated purpose
  • Individuals have the right to know what data is held about them, to correct inaccurate data and to withdraw consent
  • Data must be retained only for as long as necessary for the stated purpose and then deleted
  • Organisations must implement appropriate security measures to protect sensitive personal data
  • Data breaches must be reported to the relevant authority and affected individuals

For corporate health screening programs, this means that the casual approach of running a health camp, collecting biometric and blood data and filing the results without a clear consent framework and data governance policy is not compliant with the DPDPA.

2) The Factories Act 1948

For manufacturing and industrial employers, the Factories Act mandates specific health and medical examination requirements for workers. These include pre-employment medical examinations, periodic health checks for workers in hazardous processes and maintenance of health records.

The Factories Act also establishes obligations around health record confidentiality and limits on how medical examination results can influence employment decisions.

3) The Mines Act 1952

Similar to the Factories Act, the Mines Act mandates periodic medical examinations for mine workers and establishes requirements around the confidentiality and use of those medical records.

4) The Employees' State Insurance Act 1948

The ESIC framework includes provisions relevant to employee health data in the context of insurance claims and medical benefit administration. Employers participating in the ESIC scheme have specific obligations around health data sharing with ESIC authorities that override standard confidentiality protections.

5) The Information Technology Act 2000 and IT Rules 2011

The IT Act and its associated rules established the original framework for sensitive personal data protection in India, including health data. While partially superseded by the DPDPA, certain provisions remain relevant, particularly around security practices for storing sensitive personal information digitally.

6) The Epidemic Diseases Act and COVID-Era Frameworks

The pandemic created a set of workplace health monitoring obligations and permissions that temporarily expanded the scope of permissible health data collection in employment contexts. While most of these temporary provisions have lapsed, they established precedents around workplace health monitoring that continue to inform organisational practice.

The most important practical principle for HR leaders to understand is the consent and purpose limitation framework. In simple terms:

You can collect employee health data if:

  • The employee has given explicit, informed consent
  • The purpose of collection is clearly communicated before consent is sought
  • The data collected is limited to what is necessary for that stated purpose
  • The data is used only for the stated purpose and not repurposed without fresh consent
  • Appropriate security measures are in place to protect the data
  • The employee can withdraw consent and have their data deleted

You cannot:

  • Collect health data without explicit consent
  • Use health screening data to make employment decisions including hiring, promotion or termination without specific legal basis
  • Share individual health data with managers or other employees without the employee's consent
  • Retain health data indefinitely without a justification linked to the original purpose
  • Use aggregate health data in a way that allows individuals to be identified
  • Require employees to undergo health screening as a condition of employment without legal basis for doing so

The word consent is used frequently in wellness program design and frequently misunderstood. Valid consent under the DPDPA and related frameworks requires:

  • Freely given: The employee must not face negative consequences for declining. Consent obtained under coercion or with implied career risk attached to refusal is not valid consent.
  • Specific: Consent for a blood test is not consent for psychological screening. Each type of data collection requires specific consent.
  • Informed: The employee must understand what is being collected, why, how it will be stored, who will have access to it and for how long it will be retained.
  • Unambiguous: A pre-ticked box in an onboarding form is not valid consent. Consent must be an active, deliberate act.
  • Withdrawable: The employee must be able to withdraw consent at any time without facing professional consequences.

In practical terms, this means that the standard approach of including health screening consent in the employment contract or general onboarding paperwork is almost certainly not creating valid consent under current frameworks. A separate, standalone consent process with clear information about each type of screening is required.

Health Screening and Employment Decisions: The Discrimination Risk

One of the most significant legal risks in corporate health screening programs is the use of screening data, directly or indirectly, in employment decisions.

Using health data to inform decisions about hiring, promotion, role allocation, performance management or termination creates liability under multiple frameworks:

  • The Rights of Persons with Disabilities Act 2016 prohibits discrimination against persons with disabilities, including those with chronic health conditions
  • The Maternity Benefit Act protections extend to decisions influenced by reproductive health information
  • The DPDPA's purpose limitation principle prohibits using data collected for one purpose for another purpose without fresh consent
  • General employment law principles around unfair dismissal and constructive dismissal are engaged where health data influences employment decisions

The practical implication is that the results of a corporate health screening program must be structurally separated from the HR and management functions that make employment decisions. This is both a legal requirement and a trust requirement. If employees believe that their health screening results could affect their performance reviews or promotion prospects, they will not participate honestly in screening programs and the clinical value of those programs is destroyed.

Organisational design of health screening programs should include:

  • Clear, documented separation between health data and HR management systems
  • Explicit communication to employees that screening results are not shared with managers or used in employment decisions
  • Data access controls that prevent HR and management functions from accessing individual screening results
  • Audit trails that demonstrate the separation has been maintained

Mental Health Data: Higher Sensitivity, Higher Obligations

Mental health data carries additional sensitivity and requires additional care within the broader health data framework.

Specific considerations for mental health screening and EAP data:

  • EAP data is among the most strictly protected: The confidentiality of EAP usage and content is both legally protected and foundational to the program's effectiveness. Employer access to information about which employees are using the EAP or what issues they are discussing is not permissible. EAP providers should operate with complete data separation from the employer, with aggregated, anonymised utilisation reporting being the only data shared with the organisation.
  • Mental health survey data requires careful design: Wellness pulse surveys and mental health screening tools that ask employees about stress levels, mood, anxiety or burnout must be designed to collect only aggregate, anonymised data at the organisational level. Any design that allows individual employees to be identified from survey responses creates both legal risk and a chilling effect on honest participation.
  • Psychological assessments require specialist governance: Where employers commission psychological assessments for development or wellness purposes, the assessment data must be held by qualified professionals subject to professional confidentiality obligations rather than by the employer directly.

Mandatory Versus Voluntary Screening: Getting the Distinction Right

Indian workplace law creates a specific set of mandatory health screening obligations for certain categories of workers, primarily in hazardous industries regulated by the Factories Act. Outside these mandatory categories, health screening in corporate environments is voluntary and must be treated as such.

The distinction matters because:

  • Mandatory screening that does not have a legal basis creates consent validity problems
  • Mandatory screening can create discrimination claims if employees with certain conditions are disadvantaged by results that they were compelled to produce
  • Voluntary screening with high participation rates is legally safer and often produces better quality data than mandatory screening with resentful participation

Making screening genuinely voluntary while designing it to achieve high participation rates is a program design challenge rather than a legal one. The most effective approach is to make the benefits of participation clear and individual rather than organisational. Employees who understand that the health screening is for their benefit, that the results are theirs to keep and act on, and that participation has no career implications are far more likely to participate fully and honestly.

Data Retention and Deletion: The Obligation Most Companies Ignore

Health data collected during wellness programs has a defined useful life. After that life, it must be deleted. This obligation is widely understood in principle and widely ignored in practice.

Practical data retention and deletion requirements for corporate health screening programs:

  • Define a retention period for each type of health data at the point of collection and communicate it to employees in the consent process
  • Implement technical controls that automatically flag data for deletion at the end of its retention period
  • Document the deletion process so that it can be demonstrated to regulators or employees who request it
  • Ensure that health data is not retained in backup systems beyond the stated retention period
  • Review retention periods regularly as the legal framework evolves

What a Compliant Corporate Health Screening Program Looks Like

Pulling together the legal requirements above, a compliant corporate health screening program in India has the following characteristics:

Governance:

  • A documented health data governance policy that addresses collection, storage, access, retention and deletion
  • Designated responsibility for health data compliance within the organisation
  • Regular review of the governance framework as legislation evolves
  • Third-party wellness providers contractually bound to the same data protection standards

Consent:

  • A standalone, specific consent process for each type of health screening
  • Plain language explanation of what is collected, why, who accesses it and for how long
  • No career consequences attached to declining consent
  • A documented process for withdrawing consent and having data deleted

Data separation:

  • Technical and procedural separation of health data from HR management systems
  • Access controls limiting health data access to qualified health professionals and the individual employee
  • Aggregated, anonymised data as the only format shared with organisational leadership

Employee communication:

  • Clear, ongoing communication that health screening results are confidential, individual and not shared with managers
  • A mechanism for employees to access their own data, correct inaccuracies and request deletion
  • Regular reinforcement of these protections to maintain the trust that makes voluntary participation viable

The Compliance Investment Is a Trust Investment

Legal compliance in corporate health screening is not just about avoiding regulatory risk. It is about building the trust that makes health screening programs clinically valuable.

Employees who trust that their health data is safe, confidential and genuinely not connected to employment decisions participate honestly in health screening. Honest participation produces accurate data. Accurate data enables meaningful clinical intervention. Meaningful clinical intervention improves health outcomes.

The compliance framework is the foundation of the trust. And the trust is the foundation of the program's value.

Getting the legal framework right is not a legal department concern that sits separately from the wellness strategy. It is the prerequisite for everything the wellness strategy is trying to achieve.

Truworth Wellness designs corporate health screening and wellness programs with data governance, consent management and compliance built into the architecture from the beginning rather than added as an afterthought. Our programs are designed to be both clinically effective and legally compliant in the evolving Indian regulatory environment. Talk to us about building a health screening program that is both effective and compliant.