मेनू टॉगल करा
अधिक
    बंद करा

    Privacy and Policy of Maha-AASTHA

    Introduction

    Maha-AASTHA (Maharashtra Administrative Automation for Service, Trust & Human Resource Advancement) is the official e-HRMS platform developed by the General Administration Department (GAD), Government of Maharashtra. This Privacy Policy describes how personal data is collected, used, and protected when employees access the Maha-AASTHA website and mobile application. The platform is committed to protecting personal information in accordance with the provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Maharashtra State Data Policy, 2024. This document aims to provide clear and transparent information about what personal data is collected, the purpose for which it is collected, how it is processed and safeguarded, and the rights and choices available to employees regarding their data. It reflects the Government’s commitment to lawful, fair, and transparent data governance across all Maha-AASTHA operations.

    Data We Collect

    We collect several categories of data through the Maha-AASTHA platform, as described below:

    • Personal Information: This includes information that identifies you. For example, your name, Sevaarth ID, date of birth, contact details (like phone number and email address), address, and identity document details.

    • Service Book Data (Employment Records):The Maha-AASTHA system digitizes your official service book or employment record. This includes details of your government service such as appointments, transfers, promotions, training courses, leave history, pension nominations, disciplinary actions, and other service events. In short, all information that would traditionally be in your physical service book (from recruitment to retirement) are stored on the Maha-AASTHA portal.

    • Usage Logs and Technical Data: When you use Maha-AASTHA website or mobile app, we automatically collect certain technical information. This includes your Internet Protocol (IP) address, device type or browser type, operating system, the dates and times of your visits, and the pages or features you access. We collect this data to understand how the system is used and to improve its performance. We do not attempt to identify you from your usage logs except if necessary to investigate security incidents (for example, if an attempt to damage or unauthorized access to the site is detected).

    • Cookies and Similar Technologies: Our website uses cookies and similar technologies to enhance your experience. Cookies are small text files stored on your browser or device. We use them for purposes such as keeping you logged in during a session, remembering your preferences, and gathering analytics about how users navigate the site. For instance, cookies might track which pages you visit or features you use, which helps us understand usage patterns and improve the platform. These cookies and analytics data do not directly identify you by name, and we do not use cookies for any kind of advertising. You can control or delete cookies through your browser settings; however, please note that some features of the site might not work properly without cookies.

    • Transactions Data: During the use of the HRMS platform, additional data may be generated or submitted as part of routine administrative processes. For instance, when an employee applies for leave, updates personal details, or initiates any service-related request through the system, the corresponding records are securely stored. The platform also logs actions taken—such as updates, approvals, or rejections—along with timestamps to support audit trails. These logs contribute to maintaining a transparent and accountable human resource and administrative framework and may intersect with system usage data. We limit our collection to what is necessary for the functions of Maha-AASTHA. If we ever need to collect any additional personal information, we will ask for your consent or notify you as required and ensure its handled lawfully.

      • How We Use Your Data

      The personal data collected through the Maha-AASTHA e-HRMS platform is used to operate, maintain, and enhance the system, and to deliver relevant administrative and human resource services to employees. Data is processed primarily to support core HR functions, ensure service accuracy, enable workflow automation, and improve user experience across the platform.

      • Providing HR Services: We use your personal and service book information to deliver the intended HR services. This includes maintaining your digital service book, processing your salary and benefits, tracking your leaves and attendance, recording transfers/promotions, facilitating trainings, and eventually handling retirement or pension processes. In short, all HR transactions throughout your employment are supported by using this data. This ensures your employee entitlements and requests are handled efficiently and without delays (one of the key goals of Maha-AASTHA).

      • Administrative and Legal Compliance: We process and retain data as needed to comply with applicable laws, regulations, and government policies. For example, we may generate reports or share necessary information for audits, RTI (Right to Information) queries (if applicable), or as required under laws like the Maharashtra Public Records Act. We follow the data retention rules prescribed by law and policy – meaning we keep your records as long as required for government record-keeping and legal purposes. Using the e-HRMS also helps ensure transparency and accountability in administration, aligning with state initiatives and policies. If a law or authority requires us to produce certain employee information, we will do so in compliance with the law.

      • Improvement and Analytics: We continuously strive to improve the Maha-AASTHA platform’s functionality and user experience. The technical and usage data (like how often certain features are used or if errors occur) helps us diagnose problems, optimize the system’s performance, and plan new features. For example, we analyse usage logs to see if any page is causing frequent errors or to measure how many users login each day. These analytics are generally aggregated and do not focus on individual users. As per our policies, any analytics or public reporting would use anonymized data (with personal identifiers removed). We also ensure that if we ever use data for broader analytics or policymaking, personal data is either used in anonymized form or with appropriate consent, as required by the Maharashtra State Data Policy 2024.

      • Security and Fraud Prevention: Protecting your data and the system from unauthorized access is a top priority. We use login history and other usage information to monitor for suspicious activities and to ensure the system’s integrity. For instance, we may review IP logs to detect if there are repeated failed login attempts or unusual access patterns. We will investigate and take action if we detect any attempts to breach the system’s security. In normal circumstances, these logs are only used for technical administration and are not tied back to your identity, but they are available to investigate and trace any security incidents, should they occur.

      • Communication: We might use your contact information to communicate with you about your use of Maha-AASTHA or your employment services. For example, the system might send notifications or confirmations to your registered email or phone number – such as an alert that your leave has been approved or reminders to update certain details. We may also send important updates about the platform (like system maintenance notices or policy updates). We will not use your contact information for unsolicited marketing, and communications will be limited to official purposes related to the e-HRMS and your employment.

      Personal data will not be used for any purpose unrelated to the core functions of Maha-AASTHA without prior notification to the employee and, where applicable, obtaining explicit consent. The platform does not engage in the sale of personal data or its use for advertising or promotional activities. All data processing is strictly aligned with the delivery of efficient human resource services and administrative governance, in full compliance with applicable laws and guided by the principles of purpose limitation and data minimization as prescribed under the Digital Personal Data Protection Act, 2023.

      Data Sharing and Disclosure

      We respect the confidentiality of your personal information. As a rule, we do not disclose your personal data to any third party except in the situations described below:

      • Within Government and Authorized Personnel: Your data may be shared with relevant government departments or officials only on a need-to-know basis. For instance, if you are transferred to another department or if a particular government authority requires your information to process a benefit or inquiry, the relevant portions of your data may be shared with them. Such sharing will only occur for legitimate, official purposes. All government departments and agencies in Maharashtra are required to handle personal data in compliance with the DPDP Act 2023 and State Data Policy, which means any department accessing your data must protect it and use it lawfully.

      • Service Providers and Partners: Maha-AASTHA is a digital platform, and it may involve technical service providers (for example, NIC or authorized IT contractors) who help us in operating and securing the system. If any external technology partners or contractors have access to the data, it is strictly for them to perform their work on our behalf (such as maintaining the software or providing cloud infrastructure). We ensure that such providers are bound by confidentiality agreements and legal contracts to protect your data. They cannot use your data for any other purpose. In line with government policy, any consultants or agencies assisting us must adhere to the DPDP Act 2023 provisions and have proper security measures in place.

      • Legal Requirements: We may disclose your information if required by law, court order, or governmental regulation. For example, if a law enforcement agency, by following the correct legal procedure, requires certain data for an investigation, we are obligated to comply. Similarly, if there is a legal dispute or a need to enforce any rights (for instance, verifying your employment history for a legal claim), we may need to provide relevant data. In every case, we will only share what is necessary and will ensure the request is legitimate.

      • Without Your Consent: Aside from the above scenarios, we will not share your personal data with anyone outside the Government ecosystem without your consent. We do not sell, rent, or exchange your personal information with any third party for marketing or any unrelated purposes. Your data is used only for governance and administrative purposes as outlined in this policy.

      In all cases of data sharing, we maintain a record of what information was shared, with whom, and for what purpose, as per governance standards. Any data shared with another entity (say, another department) will remain subject to confidentiality and only be used as permitted. Moreover, sensitive personal data (for example, biometric data, if any) will have extra protection and typically will not be shared with any unauthorized agency. Our focus is to ensure transparency within the government for efficient service delivery, without compromising your privacy.

      Cookies and Analytics

      When you visit the Maha-AASTHA website, we use cookies and similar tracking technologies to enhance your user experience and gather usage statistics:

      • What Cookies Are: Cookies are small files placed on your device (computer or smartphone) when you browse a website. They are used to remember information about your visit. For example, a cookie might remember that you have logged in so you don’t have to re-enter your credentials on every page.

      • How We Use Cookies: We mainly use cookies for functional and analytic purposes. Some cookies are essential for the website to work – for instance, to maintain your session when you log into your account. Without these, the site may not function properly. We may also use cookies to remember your preferences (such as language selection if applicable) so that you have a smoother experience. In addition, we use analytics cookies or tools to collect information about how visitors use the platform. This includes which pages are visited, how long users stay, and what actions are taken. The information collected through analytics is anonymous and aggregated – it helps us understand overall usage patterns and improve the system’s design and features.

      • No Third-Party Ads: Our cookies do not collect information for advertising purposes. You will not find third-party advertising or social media tracking cookies on the official Maha-AASTHA platform. All cookies we use are intended for the functioning of the service or for our own analysis as the service provider.

      • Your Control: You can control cookie settings through your web browser. You have the option to refuse or delete cookies. However, please note that if you disable cookies entirely, some features of Maha-AASTHA (especially login and other interactive features) may not work correctly, since the system relies on cookies for core functionality. We encourage you to keep essential cookies enabled for the best experience. For nonessential cookies (like analytics), you may opt-out if you wish, and we will provide such options if required.

      • Analytics and Logs Usage: As mentioned, we gather certain usage data like IP addresses, device info, and pages visited for analytics and security. All such data is used in accordance with this policy – meaning it’s primarily for improving services and ensuring security. The analytics data does not identify you personally in reports; it simply tells us how the system is being used overall. We also adhere to the principle of not linking technical data to individual identities unless we must do so to investigate an incident. Any analytics tools used (for example, a web analytics service) will be configured to respect user privacy and will not receive more data than necessary.

      By using our site, you consent to the use of cookies and analytics as described here. If we introduce any new type of cookie or start using a new analytics tool that collects additional data, we will update this policy and notify you if required.

      Data Security

      Strong measures are implemented to safeguard personal data from unauthorized access, misuse, or loss. In accordance with directives issued by the Government of Maharashtra, all departments and IT systems—including Maha-AASTHA—are required to comply with stringent data protection standards as outlined in the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable guidelines. Maha-AASTHA adheres to these standards by incorporating key security practices designed to ensure the confidentiality, integrity, and availability of personal data.

      • Secure Infrastructure: Your data is stored on secure servers operated by the government (such as the Maharashtra State Data Centre or other approved government cloud services). These facilities have multiple layers of security – both physical security and cybersecurity – to safeguard data. We avoid storing data on unsecured systems or unauthorized cloud services. In fact, state policy directs that sensitive and personal data be primarily stored in the state data centre or similarly secure locations.

      • Encryption and Protection: We use encryption and security protocols to protect data during transfer and at rest where applicable. For example, when you access the website, the connection is encrypted (HTTPS) to prevent eavesdropping. Passwords are stored in an encrypted or hashed form (so that even our administrators cannot read them directly). We also implement firewalls, anti-malware tools, and intrusion detection systems to prevent and monitor for any unauthorized access attempts.

      • Access Control: Only authorized personnel with valid credentials can access the Maha-AASTHA databases, and even within the system, access is role-based. This means an official can only see the data necessary for their role. For instance, your department’s nodal officer (admin/DDO) can see your service record to update it, but a person from an unrelated department cannot. Every access or update by officials is logged for audit trail. All officers, staff, and any external consultants who handle personal data are bound by confidentiality obligations and proper contracts/NDA. They are trained to follow privacy and security best practices. Disciplinary action and legal consequences can occur if someone misuses the data.

      • Preventive Monitoring: We actively monitor the system for vulnerabilities or breaches. Software updates and security patches are applied regularly to keep the system up-to date against threats. Our technical team receives alerts for unusual activities and will respond promptly to any suspected security issue. Additionally, if any data breach (unauthorized data access) were to occur despite these measures, we have procedures in place to contain it and to notify the affected users and authorities as required by law.

      • Data Protection Practices: In alignment with the Digital Personal Data Protection Act, 2023, Maha-AASTHA follows the principles of data minimization and purpose limitation, ensuring that only the data necessary for specific, clearly defined functions is collected and used. Wherever possible, personal data is anonymized or de-identified—particularly when used for analytics, reporting, or performance monitoring. Identifiable data is retained only when essential for delivering a particular service or fulfilling a statutory requirement. By applying anonymization techniques, the platform enables meaningful insights while maintaining the confidentiality of individual records.

      • Regular Audits and Compliance: The platform may be subject to periodic security audits and assessments (as per government IT policy) to ensure that it remains safe. We comply with any security and data protection guidelines issued by central or state authorities. This includes ensuring data is not shared with non-authorized parties, especially sensitive data like biometric identifiers. We also maintain a Data Backup and Disaster Recovery plan to handle unexpected situations like data centre outages, thereby ensuring continuity and integrity of data.

      In summary, we employ a wide range of technical and organizational measures to secure your data. We also want you to feel confident using Maha-AASTHA web portal and mobile app. If you have any specific security concerns (for example, if you suspect your account has been compromised), please contact us immediately (see the Contact section below). We will take appropriate steps to assist you. Remember, we will never ask for your password via phone or email. Protect your login credentials and always log out after using the system on a shared device.

      Your Rights

      As a user of Maha-AASTHA and as the subject of your personal data, you have certain rights regarding the information we hold about you. We want to make it easy for you to exercise these rights, which are in accordance with the DPDP Act, 2023 and good privacy practices. In simple terms, your rights include:

      • Right to Access: Employees have the right to know what personal data is maintained about them within the Maha-AASTHA platform. Upon request, a copy of the relevant information such as entries in the digital service book or contact details on record can be provided. This right enables individuals to understand how their data is being processed and ensures transparency in accordance with applicable data protection laws. Requests will typically be fulfilled within a reasonable timeframe, subject to verification and procedural requirements.

      • Right to Correction: Efforts are made to keep personal data accurate and up to date within the Maha-AASTHA platform. If any errors or outdated information are identified—such as a change in phone number or discrepancies in personal details or service records—employees have the right to request correction or update. Depending on the nature of the data, certain fields may be editable directly through the platform. For other updates, employees may contact the department’s nodal officer/DDO. All correction requests will be verified and addressed in a timely manner, in accordance with established procedures.

      • Right to Grievance Redressal: If you have any concerns, questions, or complaints about how we are handling your personal data, you have the right to raise a grievance and have it addressed. We take privacy and data protection seriously, and we will respond to your complaints in a timely manner. For example, if you believe your data was used beyond what is described here, or if you have attempted to exercise any of the above rights and are not satisfied with the outcome, you can lodge a formal complaint to your department’s nodal officer/DDO or to the Maha-AASTHA Helpdesk.

      • Right to Nominate a Representative: Although not commonly exercised in day-to-day scenarios, the law provides that you can nominate another person to exercise your data rights on your behalf in case of your death or incapacity. In a practical sense, this means, for example, if a government employee becomes incapacitated, their legal heir or guardian could request access to or correction of the employee’s data for necessary purposes. If applicable, such nominations can be set up through official channels. This is more of a precautionary right to ensure your data rights are maintained even if you personally cannot exercise them.

      Contact Us

      If you have any questions, concerns, or requests regarding the privacy policy or any grievance related to your personal data in Maha-AASTHA, you may contact our designated officials below:

      Joint Secretary, General Administration Department (Services)
      General Administration Department, Government of Maharashtra,
      Mantralaya-Annex Building,
      Mumbai, Maharashtra (India).

      Email: gad[dot]maha-aastha[at]mah[dot]gov[dot]in
      Phone: 022-220245

      Alternatively, you may also contact us through the Help & Support section of Maha-AASTHA Portal/Mobile App or through Maha-AASTHA Helpdesk. When you contact us, please include your name, designation/employee ID (if applicable), and a clear description of your request or concern. For example, if you are requesting a data correction, specify what information is wrong and what it should be. If you are making a complaint, please describe the issue you faced. This will help us address your query efficiently.

      We will acknowledge your request or complaint and endeavour to resolve it at the earliest, within the timeframes prescribed by law.

      Data Retention

      Personal data is retained only for as long as necessary to fulfill the purposes outlined in this policy or as required by applicable laws. Since Maha-AASTHA manages official government service records, many data elements must be preserved for extended durations—even beyond an employee’s retirement—in accordance with statutory record-keeping obligations. The Maharashtra State Data Policy and relevant legislation, including the Maharashtra Public Records Act, 2005, govern the retention timelines for various categories of data.

      • Active Employment: During your employment, we will retain and update all your data. This ensures continuity of service records and provision of benefits.

      • After Retirement/Departure: Even after you leave service (retire, resign, etc.), your service record may be archived for a legally mandated duration. This is to support pension processing, verification of past employment, or any legal queries. Typically, service records can be required for many years post-retirement for pension and audit purposes. We follow the retention schedules provided by the government for each category of record.

      • Deletion and Anonymization: Once the retention period expires for certain data and it is no longer needed, we will securely delete or anonymize that data. Secure deletion means the data is removed from our active databases and any backups as feasible, in a manner that it cannot be recovered or misused. In some cases, instead of outright deletion, the data might be anonymized (stripped of personal identifiers) and kept for statistical or historical purposes, since anonymized data is no longer personal data.

      • Logs and Backups: System logs (like access logs) are generally kept for a shorter duration unless needed for security analysis. We might keep logs for a few months to a year, unless they are archived as part of record-keeping. Backup copies of data are stored in secure locations and are rotated or destroyed per our backup policy. There may be a slight lag in purging data from all backup systems, but we ensure that once data is expired, it is not restored or used except if required for legal reasons.

      In summary, Maha-AASTHA does not retain personal data indefinitely. Defined retention schedules are followed for each data category, and efforts are made to minimize privacy risks by avoiding unnecessary data storage. Employees may contact the designated support team for specific queries regarding data retention timelines.

      Updates to this Policy

      This Privacy Policy is effective as of 2nd October 2025. It is version 1.0 of the policy for the Maha-AASTHA e-HRMS platform. We may update or revise this policy from time to time, especially as the Maha-AASTHA system evolves or if there are changes in relevant laws and regulations. For instance, if the DPDP Act rules are updated or if new features in the platform involve new data practices, we will modify the policy accordingly.

      How we will inform you of changes: If we make material changes to this Privacy Policy, we will notify users in a timely manner. Notifications may be done through one or more of the following ways: a prominent announcement on the website, an in-app notification or alert upon login, or an email sent to your registered email address. The notice will explain the key changes and direct you to the updated policy. Minor updates (such as clarifications that do not significantly affect your rights or our obligations) may be simply updated on the policy page with a new effective date. We will always display the “last updated” date at the top of the policy for your reference.

      We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Maha-AASTHA platform after any changes to this policy will be deemed as acceptance of those changes. However, if any change requires your consent by law (for example, if in the future we introduce a new data collection that legally requires consent), we will seek your consent before implementing that aspect.

      This Privacy Policy is issued by the General Administration Department, Government of Maharashtra (Developer of Maha-AASTHA). It aligns with the Digital Personal Data Protection Act, 2023 and the Maharashtra State Data Policy 2024 to ensure that your personal data is handled with care and responsibility.

      Last Updated: October 2, 2025.