Employee document collection checklist (for HR under DPDP)
At a glance
HR collects more documents per person than any other function — and most of it happens over email and chat, unscoped and unscheduled. This checklist runs the whole arc under India’s DPDP Act: scope the ask to each purpose (statutory, payroll, role-specific), take consent where the employment ground doesn’t reach (candidates, background checks), collect through one controlled channel, store with restricted access, and delete on schedule — including after rejection and after exit. Run it per hire, and once as an audit of your standing process.
Educational resource only. This provides a checklist for collecting employee and candidate documents in line with India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
The situation
Onboarding paperwork is a ritual nobody redesigned for the DPDP era: “send your documents” goes out on WhatsApp, everything from Aadhaar to marksheets comes back, and the folder lives forever on a shared drive. Each step of that ritual now has a legal dimension — what you may ask for, on what basis, through what channel, and for how long. A checklist is the right tool because the process is genuinely the same every hire; it just needs running properly.
Who this checklist is for (and when to run it)
HR, founders and office managers who collect candidate and employee documents — run it per hire, and once against your standing process. The legal spine underneath: ordinary employment administration runs on the DPDP Act’s employment ground (Section 7(i)) without fresh consent, but candidates sit outside its clear scope — recruitment and background checks belong on notice-and-consent — and the security, retention and breach duties apply to everything you hold either way. The checklist sequences all of that into the workflow you already run.
The checklist
Before you ask
- List the documents this role actually requires, each tied to its purpose — statutory (PAN for tax; Aadhaar where EPF enrolment requires it; bank details for salary), benefits (nominee details, insurance forms), and role-specific extras (licences, certifications) — and nothing “for the file.”
- Split candidate from employee collection — CVs, assessments and background-verification (BGV) consents are pre-employment: cover them with a notice-and-consent step at application, not the employment ground.
- Set the channel — one controlled intake (HR system upload, or at minimum protected files to a designated address), stated in the ask; no personal WhatsApp, no open email thread.
- Write the ask properly — documents named, purpose per document, channel stated, retention answered.
When collecting
- Take consent where it’s the basis — BGV, reference checks, holding a rejected candidate’s CV for future roles: each gets its own clear, unticked opt-in.
- Accept the minimal version — masked Aadhaar where full isn’t statutorily needed; the requested months of statements, not more; copies, never original certificates.
- Verify, don’t hoard — where seeing a document suffices (original certificates, prior offer letters), record the verification and return/decline the copy.
Storing
- One secured location with role-based access — not the shared drive’s “HR” folder open to all; personal folders and chat threads emptied of stray copies after filing.
- Vendors covered — payroll bureau, HR system, BGV agency each under a contract that binds security, breach notice and deletion.
- Log what was collected from whom — the row that later answers rights requests and breach scoping.
Retention & exit
- Rejected candidates — recruitment file deleted once the role closes (or the consented CV-retention period ends).
- Statutory records mapped to their own laws’ periods (payroll, PF/ESI, tax) — each hold traceable to the law requiring it.
- Everything else on a schedule — BGV reports, medical certificates, expired IDs: deleted once their purpose is served, not archived by default.
- Exit runs the schedule in reverse — statutory records held for their periods; the rest of the ex-employee file cleared, including vendor copies.
Notes on the load-bearing items
The candidate/employee split is the one that changes your legal footing. The employment ground covers employees’ ordinary administration; a candidate isn’t your employee yet, so recruitment data — especially BGV, which pulls in third parties — is safest on explicit consent. One consent step at application covers it cleanly.
“Verify, don’t hoard” is where over-collection actually dies. Most onboarding files hold documents nobody will ever open again — collected because the form had a slot. Recording “verified against original, [date]” keeps the assurance and drops the liability. Never hold original certificates at all — that’s leverage, not process.
The exit item is the one nobody runs. Ex-employee files accumulate precisely because departure is when attention moves on. Wiring the retention schedule into the exit workflow — one recurring task per leaver — is the difference between a policy and a folder of forever-files.
FAQ
Do we need employees’ consent to collect payroll and statutory documents?
No — ordinary employment administration (payroll, PF, tax) runs on the employment ground. The consent step belongs earlier, with candidates: applications, assessments and background checks.
Can we keep a rejected candidate’s CV for future openings?
Only as its own stated, consented purpose with a retention period — “we’d like to keep your CV for [period] for future roles” and a real deletion when it lapses. Silent forever-retention is the default this checklist replaces.
Should HR collect Aadhaar from every new hire?
Collect it where a statutory process genuinely requires it (EPF enrolment being the common case), and accept masked versions wherever full details aren’t needed. “Standard onboarding pack” isn’t a purpose.
What happens to an ex-employee’s documents?
Split the file: statutory records stay for their legally mandated periods; everything without a statutory hold — BGV reports, medical certificates, copies of IDs — gets deleted on your schedule, at your vendors too.
Collecting personal data from your own customers?
These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.
Run the compliance self-check →