India - A Guide To Conducting Internal Investigations In India

This is an Insight article, written by a selected partner as part of GIR's co-published content.


Internal investigations into corporate compliance issues have become commonplace for global companies with a presence in India. Such internal investigations usually follow complaints pertaining to accounting irregularities, improper payments or benefits to customers or government employees, allegations of bribery of public officials in order to conduct or enhance business, employee misconduct or any activity in the course of business which may bring disrepute to the company’s name or cause financial harm to the company, etc. Investigations have become indispensable as they serve as a handy tool for strengthening compliance programmes, keeping a check on vendors and determining their performance. The findings in an investigation can also be utilised to improve training of employees and vendors on an ongoing basis.

This chapter aims to provide a basic overview of the process of conducting internal investigations in India and the precautions to be taken by companies when collating information and disseminating such information to third parties. It also aims to throw some light on the aspect of privileged communications with attorneys during the investigation process, the remedial steps usually opted for by companies after completion of investigation, and the issue of disclosure requirements existing in the country.

Triggers for an internal investigation

Internal investigations are usually launched pursuant to complaints being lodged by whistleblowers on the company’s anonymous reporting hotline, a red flag in acquisition due diligence, or information provided by a company employee. In India, the most common complaints relate to kickbacks being taken by company employees while allotting tenders or favouring a family member’s enterprise to the detriment of the employer company.

It is pertinent to note that while India does have legislation to prevent victimisation of whistleblowers, namely, the Whistle Blowers Protection Act, 2011, the legislation is meant to establish a mechanism to receive complaints relating to disclosure on any allegation of corruption or wilful misuse of power or wilful misuse of discretion against any public servant and the protection of such whistleblowers. However, the protection afforded to whistleblowers is not applicable to information provided within a private organisation.

Collection of information

One of the first issues that an investigation must address is the collection of information such as emails and documents for ascertaining the veracity of complaints and taking appropriate action based on the data collected. In the course of collection of such information, the company is bound to also take into account personal data of employees that may be disclosed during the course of employment.

The company needs to exercise extreme caution when processing such personal information because sections 43-A and 72-A of the Information Technology Act, 2000 (the IT Act) penalise companies for (i) negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information, and (ii) disclosure of information in breach of a lawful contract, or without obtaining the information provider’s consent.

Further, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Data Protection Rules) framed under the IT Act prescribe reasonable security practices and procedures that must be adopted by companies. The collection, use and transfer of sensitive personal data or information or personal information during an internal investigation would trigger a range of data protection requirements for a company under the Data Protection Rules.

These requirements include obligations to: (i) ensure that there is a legitimate purpose to collect and use such data, (ii) provide sufficient privacy notice to the affected employees, (iii) obtain prior consent of the affected employees (assuming data is either sensitive personal data or information or personal information (defined below)), and (iv) maintain reasonable measures to protect the security and confidentiality of such data.

Data and information that is protected under the Data Protection Rules

The Data Protection Rules protect and prescribe certain obligations in respect of two classes of information: (i) personal information, which includes any information that relates to a natural person, which directly or indirectly, is capable of identifying a person; and (ii) a smaller subset of personal information known as sensitive personal data or information, which is information relating to passwords, financial information, health information, sexual orientation, medical records and biometric information.

Legal obligations to be followed for collection and use of sensitive personal data or information and personal information during an internal investigation

The company must ensure the following:

  • Prior consent: the company must obtain the prior consent of the employee regarding the purpose of usage of the employee’s sensitive personal data or information. Consent may be obtained in writing by letter, fax, email or by any other mode of electronic communication.
  • Lawful purpose: sensitive personal data or information or personal information should be collected only if required for a lawful purpose, and if collection of such information is necessary. An internal company investigation satisfies this condition.
  • Other obligations: the company must (i) take reasonable steps to ensure that its employee knows that his or her sensitive personal data or information is being collected, (ii) inform the employee of the purpose of collecting such information, including the fact that such information may be transferred to the company’s outside counsel and accounting firm, and (iii) use sensitive personal data or information only for the purpose of the investigation, and must not retain the information for a longer period than is required.

Typically, companies either incorporate a provision in the employment agreement or employee handbooks which states that employees should keep their personal use of computer, telephone, fax, copying, and mail services to a minimum and that the company cannot guarantee the privacy of documents and messages stored in company-owned files, desks, storage areas, or electronic media.

Requirements that must be followed by company under the Data Protection Rules

A company handling sensitive personal data or information is required to provide a privacy policy. The privacy policy must, among other things, outline the type of information collected, the purpose for collection of information, the disclosure policy and the security practices and procedures followed. The privacy policy must be made available to information providers such as employees, and is required to be published on the company’s website.

A company must also appoint a grievance officer to address grievances of its information providers, including employees, and must publish the name and contact details of such grievance officer on its website. The grievance officer is duty bound to address grievances within one month.

Companies are required to implement reasonable security practices and procedures that are commensurate with the information assets being protected. Reasonable security practices and procedures are defined as standards that may be either: (i) agreed to between the parties (ie, between the data controller and data subject), or (ii) specified in a law.

Data Protection Rules prescribe International Standards (IS/ISO/IEC 27001) as one such standard, which could be implemented by a company. The standards must also be audited by independent auditors approved by the central government. An audit must be undertaken at least once a year, or as and when there is a significant upgrade of processes and computer resources.

Processing the information

Disclosure of sensitive personal data or information to third parties, including external legal counsel and accounting firms, requires the employee’s prior consent, unless either: (i) disclosure has been already agreed to in the employee’s employment contract, or (ii) disclosure is necessary for compliance with the company’s legal obligation.

The exception to this rule is where either: (i) disclosure must be made to government agencies mandated under law to obtain information for certain purposes, or (ii) a court order requires such disclosure to be made.

Recipients of sensitive personal data or information, however, are prohibited from disclosing the information further, and must ensure the same level of data protection that is being followed by the disclosing company.

‘Privilege’ with respect to communications

Section 126 of the Evidence Act 1872, prohibits barristers or attorneys from disclosing to a third party (i) any communication made to them by clients, (ii) any documents they came upon for the purpose of their professional engagement, and (iii) any advice given to clients, unless clients expressly consent to the disclosure. Therefore, companies enjoy a right to privilege with respect to information disclosed or documents provided to external legal counsel for the purposes of an internal investigation.

However, this section also provides certain exceptional grounds when such privilege cannot be invoked. This would include any communication made in furtherance of any illegal purpose or facts coming to the knowledge of the attorney showing that either crime or fraud has been committed since the commencement of the attorney’s employment on the concerned matter. It is immaterial whether the attention of such attorney was or was not directed to such fact by or on behalf of his or her client.

Section 126, however, does not confer privilege on in-house lawyers. This stems from the fact that while the Advocates Act 1961 defines ‘advocate’ as an advocate entered in any roll under the provisions of that Act, Rule 49 (part VI, chapter II, section VII) of the Bar Council of India Rules, states that an advocate shall not be a full-time salaried employee of any person, government, firm, corporation or concern, so long as he or she continues to practise and shall, on taking up any such employment intimate the fact to the Bar Council on whose roll his or her name appears, and shall thereupon cease to practise as an advocate so long as he or she continues in such employment.

Owing to these Rules, in-house counsel are obligated to surrender their Bar Council registration once they become full-time salaried employees of an organisation and it could be argued that after such surrender, the right to privilege conferred on advocates by section 126 of the Evidence Act 1872 ceases to be applicable to them. The Supreme Court in the case of Satish Kumar Sharma v Bar Council of Himachal Pradesh touched upon this topic and held that if a full-time employee is not pleading on behalf of his or her employer, or if terms of employment are such that he or she does not have to act or plead but is required to do other kinds of functions, then he or she ceases to be an advocate. The latter is then a mere employee of the body corporate.

However, the Bombay High Court had, in the case of Municipal Corporation of Greater Bombay v Vijay Metal Works, come to a contrary conclusion and held that salaried employees who advise their employers on legal matters would get the same protection as barristers or attorneys under the Indian Evidence Act, 1872, provided that the communication between them is not made in furtherance of any illegal purpose. While this judgment extends legal privilege to in-house lawyers, the law on this subject is far from being settled and it is likely that another court may, in future, take a different view.

Therefore, in order to ascertain whether any communication between client and in-house counsel is privileged, it would first have to be determined whether the in-house counsel is a full-time salaried employee and whether the advice sought from such counsel was in a legal or executive capacity. Caution should accordingly be exercised when in-house lawyers exchange details of an investigation with other company employees.

From a practical perspective though, companies usually insert a confidentiality clause in the employment contract of an in-house counsel to afford protection to any information disclosed to such counsel during the course of his or her employment, which usually serves as an effective deterrent. Any disclosure made by in-house counsel in contravention of such a clause would amount to breach of contract, for which the company can claim damages.

Recognition of litigation hold notices under Indian law

Indian law is silent on this point and there is nothing in statute books or case law for or against this practice. Litigation hold notices, however, have been used in India-focused investigations, usually before commencement of the investigation to ensure the preservation of files and documents, including electronic records that are material to the investigation.

The flip-side of serving such notice is that the investigation loses the element of surprise, and gives suspected employees sufficient time to calibrate their responses to the investigation.

Legal obligation to report commission of offences to government authorities on a case-by-case basis

The obligation to report to government authorities is determined on a case-by-case basis having regard to the specific nature of the offence committed, and the corresponding Indian statute that has been violated as a result of the wrongdoing.

Anti-corruption investigations, for instance, that probe allegations of improper payments made by company employees to government officials, to either obtain or retain business, may reveal violation of India’s anti-corruption legislation, the Prevention of Corruption Act, 1988 (POCA), apart from any other foreign anti-corruption legislation that might be applicable to the company.

In this regard, sections 161 through 165A of the Indian Penal Code, 1860 (IPC) had, previously, cast an obligation upon any person, including companies, to report the commission of bribery related offences to the local police. However, sections 161 through 165A of the IPC were repealed pursuant to the coming into force of the POCA. The POCA, however, has no such similar provisions and does not obligate a company to report commission of any bribery-related offences to the local police.

Listed companies, however, must check their disclosure obligations in accordance with the listing agreement signed with the stock exchange.

Monitoring the investigation

The appointment of an authority to oversee the investigation process would depend on the scale and magnitude of the allegations. For instance, the in-house legal department of a company can be entrusted with the responsibility of investigating allegations that are not of a grave nature.

To undertake a truly robust and independent investigation, a company may seek the involvement of outside counsel that has not previously represented the company. Preferred outside counsel who have been engaged in the past by the company may be used for this purpose too, unless their objectivity could be brought into question given their past relations with the company.

The authority chosen to oversee the investigation should be impartial and document all proceedings thoroughly, interview the accused and the whistleblower, if possible, and any other witnesses to aid the investigation and prepare a detailed report to enable requisite corrective action.

Remediation steps

Where an employee is found guilty of misconduct after conducting an internal investigation, proper procedure would have to be followed before taking any disciplinary action against such employee. The employee usually cannot be summarily dismissed and services cannot be terminated solely on the basis of the outcome of the investigation.

First, a preliminary enquiry or fact-finding enquiry should be carried out by the management or disciplinary authority to determine whether misconduct has been committed by the employee (the fact-finding done during the internal investigation can also be used for this purpose but not in all cases). This should be followed by issuance of a charge-sheet (if management is satisfied about the act of misconduct) to the employee with details of the accusation made against him or her, to which the employee may respond in writing.

Typically, an enquiry officer should also be appointed, if the management is not satisfied. Such officer is expected to conduct the enquiry in an impartial, unbiased, fair way with an open mind. This may be followed by appointment of a presenting officer to present the case of management. The employee should be informed about enquiry proceedings and given the necessary details.

The presenting officer thereafter should examine the evidence and witnesses and the employee should have the right to cross-examine as well. The employee should also have the right to bring witnesses supporting his or her stand, who can be cross-examined. After submission of evidence, the enquiry officer should submit a report with all the enquiry proceedings to the management, a copy of which should then be forwarded by the management to the employee.

If management decides to impose any punishment, it typically issues a show cause notice to the employee and a decision is taken after the employee tenders his or her response. Appeal against the decision of punishment passed by the management may lie to an appellate authority (who may be the chairman). Adoption of a detailed process in line with principles of natural justice is recommended as it prevents the possibility of the employee challenging the punishment at a later stage.

In the event an individual is found guilty of malpractice or misconduct such as receiving kickbacks in the course of business, he or she can be prosecuted under the provisions of the Indian Penal Code 1860 on charges of fraud, cheating, forgery or criminal misappropriation, as the case may be.

Termination of employment

Even if a company has sufficient evidence of an employee’s wrongdoing, given the pro-labour sentiment in the country, it is best to adopt a cautious approach when terminating such employee’s service. There are two options for cessation of employment: resignation and termination of non-workman employees.


Resignation (voluntary)

This option is often more suitable and preferable for the company, as a voluntary resignation by the employee helps in avoiding any dispute at a later stage on the ground of illegal termination: employees cannot claim later that they were wrongfully terminated. The company must prepare and maintain proper documentation such as (i) a resignation letter, (ii) its acceptance, (iii) release of claims by employees, (iv) a relieving letter, and (v) receipt of severance or termination payments by the employee, in order to avoid any future dispute.

Termination (involuntary)

If the employee does not resign voluntarily, the company can terminate the services of the employee immediately either by giving him or her a notice or payment in lieu thereof as mentioned in their respective contracts. Since this termination is involuntary, the employee may contest his or her termination by filing a complaint in a court, tribunal or with the labour authorities. Such proceedings generally are drawn out and cumbersome. Further, sometimes termination of employees may lead to unruly scenes in the organisation as employees become emotional upon losing their jobs. The higher the number of terminations, the greater the chances are of a complaint being filed with the courts or labour department by the terminated employees on the basis of unfair or illegal termination. Even in case of termination of employment, the company will have to make all the legitimate payments to the employees. The company should also try to secure the release and receipt of payment made to the employees.

Prevalence of the deferred prosecution agreement (DPA) in line with the practice followed by regulators in the US and UK

A DPA is an understanding that is reached between prosecutors and corporate entities that allows prosecutors to suspend criminal prosecutions, provided the organisation meets certain specified conditions which may include disgorging profits, paying a fine, compensating victims, cooperating in any prosecution of individuals and implementing compliance programmes. India, however, does not have any equivalent provision in its domestic laws. Therefore, this option is not available to Indian companies.

The Indian government, however, has from time to time come out with certain amnesty schemes, most notably, the Black Money Disclosure Scheme, Service Tax Evasion Amnesty Schemes, etc, that have provided amnesty to companies and individuals (ie, provided protection against prosecution), subject to certain conditions, including full disclosure of the wrongdoing, payment of unpaid taxes and penalties, etc.


While internal investigations go a long way in checking malpractices within an organisation and foster transparency, companies, in their zeal of collecting evidence of potential wrongdoing, need to be wary of crossing the line and ending up on the wrong side of law themselves. A structured investigation process is very effective in checking commercial malpractices within an organisation and serving as a deterrent against future instances of corruption. This tool continues to be extremely useful in the Indian scenario where there exists no separate statute to deal with corporate misconduct and corruption is entrenched in the system, although this is changing slowly.
