The Ministry of Corporate Affairs, Government of India, recently issued a notification to bring about amendments to the Companies (Accounts) Second Amendment Rules, 2025 ("Amendments") which have come into force from 14 July 2025.
While the Amendments change prescribed forms under the Companies Act, 2013, a particularly notable provision within them calls for information on the number of transgender persons employed by a company as of the date of closure of a financial year (31 March of each year).
For some time, every establishment has been required to maintain an equal opportunity policy in respect of transgender persons under the Transgender Persons (Protection of Rights) Act, 2019 ("TP Act"). Some of the requirements under the TP Act are non-discrimination in employment; an appointed officer to handle complaints; access to unisex washrooms and confidentiality of gender identity. This would also mean maintaining records of persons of transgender status who have declared their gender identity to the employer. While labour law registers such as muster rolls usually only mention 'male' or 'female' in the gender details of employees, this disclosure in the board report is a seen as a move towards transparency and ensuring equal opportunity is being provided to transgender persons in a company's annual filings. With that being said, it is important to understand that a person cannot be compelled to disclose their real gender identity. Therefore, employers should use data as voluntarily provided by the employees in their employment documents.
The current amendment could be seen as a means for the Government to keep a track of how inclusive the workforce in companies really are and how far the provisions of the TP Act have actually been adopted by companies in India.
In light of India's current data privacy law regime, employers should proceed cautiously while collating employee information for undertaking compliance. Until the Digital Personal Data Protection Act 2023 is brought into effect, consent remains the sole justification for the processing of 'Sensitive Personal Information', as the currently applicable Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules), 2011 ("SPDI Rules"), do not provide any exemptions from the consent requirement to employers.
Gender identity potentially classifies as Sensitive Personal Information1 (particularly if the same is a result of a medical procedure), consequently requiring employers to obtain consent of employees before seeking this information. This consent may not merely be established on the basis of information being voluntarily provided by employees, but must be specifically obtained for processing this personal information. This may be achieved by way of a specific consent notice and by making reference to the same in an employee privacy notice (a statutory requirement).
While the current regime requires consent for the processing of sensitive personal information, the upcoming Digital Personal Data Protection Act, 2023 ("DPDP Act") – which has been passed into law but is pending enforcement – requires consent for the processing of all categories of personal data. However, the DPDP Act does provide for certain exceptions to the consent requirement, referred to as 'legitimate uses' in the legislation, including where the processing is necessary to comply with an applicable law in India. Additionally, consent under the DPDP Act is required to be, among other things, free and unconditional. By the very nature of their unequal bargaining power, consent obtained by an employer from an employee may not classify as 'free', potentially making such consent invalid as a basis for processing employee personal data, and causing employers to rely on the aforementioned 'legitimate' uses or the exemption to employers (the full width of operation of which is still to be made clear). Employers would be best advised to ensure the mention of both justifications through appropriate language in employee privacy notices and their employment agreements.
Given the requirements of processing employee personal data under various laws (such as the Amendments), employers must take care to proactively comply with the country's data privacy regime while processing personal data of their employees, both current and upcoming. Internal data privacy practices and procedures must be reviewed and updated (if necessary) to ensure compliance, especially with regard to the upcoming sea change in India's data privacy legislation.
Footnote
1. Sensitive personal information includes passwords, financial information (like bank account details), physical, physiological, and mental health conditions, sexual orientation, medical records and history, and biometric information
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
