A POSH case management workflow has two jobs that can pull in different directions. It must help authorised people move a complaint through a fair, timely process, and it must keep sensitive identities and materials from travelling any further than necessary. A generic HR ticket is rarely designed for that combination.

Begin with the Sexual Harassment of Women at Workplace Act, 2013 on India Code, including the linked Rules and current notifications. The Ministry of Women and Child Development maintains the SHe-Box portal as an official complaint channel. Teams should verify the current portal process and the relationship between any portal submission and their internal procedure. This guide is about operating a controlled case file. It does not decide jurisdiction, merits, committee composition, interim measures, evidence, findings, or remedies.

What should happen when a POSH complaint first reaches the organisation?

Make every likely recipient capable of safe routing. A complaint may reach a designated address, manager, HR partner, ethics line, committee member, reception desk, or the SHe-Box route. Staff do not need to investigate at that point. They need a short protocol: preserve what arrived, avoid forwarding it widely, acknowledge without prejudging it, and alert an authorised intake owner.

Open a restricted record with a neutral identifier. Preserve the original communication and record the channel, receipt time, routing history, language or accessibility needs, attachments, and known urgency. Keep the complainant's own words distinct from an intake summary. A summary can omit a detail that later matters.

Use an initial routing table, approved by counsel and the responsible committee:

Intake questionOperational actionWhat not to infer
Is immediate safety support requested?Use the approved urgent-support routeThat urgency proves or disproves the complaint
Is the correct body unclear?Escalate the jurisdiction and committee questionThat intake staff can decide legal coverage
Did a portal or third party transmit it?Preserve source, metadata, and acknowledgementThat external receipt completes internal steps
Are attachments inaccessible or unsafe?Quarantine, scan, and request a safe copyThat the contents can be ignored
Does it mention retaliation or interference?Flag for prompt authorised reviewThat a particular measure is automatically required

The case system should allow “pending authorised assessment.” Forcing every intake into a final category encourages premature conclusions.

How should access and confidentiality work in practice?

Confidentiality is an operating design, not a banner on a folder. Create case-specific access groups. Give each participant only the material necessary for their role, and record every access, export, share, and permission change. Committee members may need the working record. IT administrators may need to maintain the platform without reading case content. A manager asked to arrange logistics may not need allegations or identities.

Separate the identity map from routine task views when feasible. Use neutral task descriptions in calendars and notifications. Disable message previews that reveal names or allegations. Avoid putting confidential material in broad HR drives, email chains, chat channels, personal devices, or meeting recordings. When a document must be sent, use the approved secure route and verify the recipient before release.

A useful permission review asks:

  • Who can see the existence of the case?
  • Who can see each participant's identity?
  • Who can read evidence, working notes, and the final record?
  • Who can add, alter, download, or delete a file?
  • What happens when a member, adviser, or employee changes roles?
  • Which logs remain available to an authorised reviewer?

Review Gotham's security approach and privacy information when assessing a platform, but test the actual deployment, identity provider, storage, backups, support access, and retention configuration. Product material cannot establish that a particular setup meets the organisation's duties.

How can the committee maintain a fair and usable inquiry record?

The record should show process without turning every private discussion into discoverable clutter. Counsel and trained committee members should approve what constitutes the official record. At minimum, maintain source documents, authorised communications, procedural notices, meeting records, evidence submissions, decisions, and delivery confirmations in a consistent structure.

Use an evidence register rather than renaming files casually:

FieldPurpose
Stable item IDLets every note refer to the same item
Source and received datePreserves provenance without deciding weight
Original file hash or protected sourceHelps detect unintended replacement
Access classificationLimits unnecessary disclosure
Procedural statusShows received, shared, disputed, or excluded status
Linked communicationConnects the item to notice and response history

Never overwrite an original with a redacted or annotated copy. Preserve the source, create a working copy, and document OCR, transcription, translation, redaction, or format conversion. A chronology should distinguish a participant's account, documentary fact, committee action, and unresolved point.

What workflow keeps notices, meetings, and responses coordinated?

Model the procedure as gates rather than a free-form task list:

Restricted intake → authorised scope review → committee and conflict check → procedure plan → notices and submissions → meetings and inquiry record → deliberation → approved outcome communication → follow-up and closure

At each gate, define the accountable role, required inputs, decision, permitted recipients, approval, and completion evidence. Build a current obligation register from the Act, Rules, official materials, internal policy, and counsel's advice. Do not hard-code a generic deadline into the platform and assume it applies to every fact pattern.

Meeting operations deserve their own checklist:

  • Participants, roles, format, and access needs are confirmed.
  • Conflicts or substitutions have been reviewed through the approved process.
  • Notices and permitted materials were delivered through a controlled route.
  • The note-taker and official record format are identified.
  • Recording is disabled unless specifically authorised.
  • New material has a defined submission and response path.
  • Follow-up actions have owners without disclosing unnecessary case detail.

The workflow should surface a missed step without silently changing the committee's decision. Technology can coordinate. It should not decide credibility or findings.

How should communications avoid procedural and privacy mistakes?

Use approved templates as starting points, not autopilot. Every communication needs a human review of recipient, purpose, legal and policy basis, attachments, language, accessibility, response route, and confidentiality markings. Keep internal commentary out of participant-facing drafts.

Maintain a communication ledger showing the approved version, sender, recipient, channel, dispatch time, delivery result, and any corrected reissue. If email bounces or a secure link fails, the case owner should see that failure. “Sent” is not the same as received.

Avoid promising an outcome during intake. Avoid asking witnesses to discuss the matter in group channels. Avoid broad “need to know” labels without naming who has decided the need. Where employment, safety, leave, reporting-line, or retaliation concerns intersect, route the issue to the authorised reviewer without exposing the complete file.

What belongs in the decision, follow-up, and closure record?

The official decision record and communications should follow the applicable procedure approved by qualified advisers. Operationally, preserve the version considered, the approval history, delivery evidence, authorised actions, action owners, and completion evidence. Restrict implementation tasks so a payroll or facilities operator receives only what they need.

Do not close the case because a letter was uploaded. Check that authorised communications were delivered, actions were acknowledged, access was narrowed, open support or non-retaliation processes were routed, and the record was locked against silent alteration. Retention and disposal should follow a current, approved schedule that accounts for applicable requirements and connected disputes or holds.

Run a closure review:

  • The case index matches the protected repository.
  • Originals and transformed copies are clearly distinguished.
  • Every material decision has an authorised owner and date.
  • Delivery and implementation failures were resolved or escalated.
  • Temporary users, links, and exports have been reviewed.
  • Retention, hold, and disposal status is recorded.
  • Any policy, training, or workplace-control issue has a separate remediation owner.

For broader employment diligence context, see the employment and labour due diligence guide. Teams evaluating controlled case operations can also explore Gotham workflows, review deployment choices, and contact Gotham. A well-run system makes the authorised process easier to follow and audit. It does not replace trained committee judgment or fact-specific legal advice.