Data Protection Concerns Amidst Covid-19

Rashi Suri
  • Apr 4, 2020

Upscale Legal

 

Authors - Rashi Suri (Managing Partner) and Dikshita Damodaran (Associate)

Introduction 

Covid-19, or Coronavirus, was recognized as a global pandemic by the World Health Organization (WHO) on March 11, 2020. The pandemic has led to unprecedented times and has disrupted business operations all over the world. The implications of Covid-19 are expected to be felt for a long time to come and are expected to demand more of organizations' resources, focus and expenses. These implications have been felt in all sectors and have led to scrutiny and collection of certain information by employers that was previously unheard of.

The ongoing crisis has led employers to demand certain pertinent information about their employees which is personal in nature. This sharing and collection of ‘personal information’ gives rise to data and privacy concerns. Since this pandemic is exceptional, it is understandable that employers are unlikely to have a framework for collecting information of this nature in their existing organizational policies. This holds true for employers across the economic spectrum, including those forming part of the essential services.

It is pointed out that there is no prohibition under law on the collection of such information from the employee. However, it is important for employers to keep certain aspects and procedures in mind in order to balance the need for this information against the privacy concerns of the employees. This article aims to analyze the existing legal framework which employers need to follow while dealing with the personal information of employees.

Current legal position with respect to data protection in India

The Personal Data Protection Bill, 2019 has not yet received legislative approval and is currently in the draft stage [1]. The bill is currently being analyzed by a joint parliamentary committee. Since the bill is not yet law, the collection, assimilation and utilization of information pertaining to employees should be analyzed under the existing legal framework. Therefore, the scope of the Personal Data Protection Bill has not been included in this article for our present purposes.

The processing of personal information is currently governed by the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”) in India.

Personal Information and Sensitive Personal Information under the Rules

Under the Rules, two categories of personal data are included. They are:

  1. Personal information
  2. Sensitive Personal data/ information

Personal information is defined under Rule 2 (1) (i) as

‘any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person’.

Sensitive personal information is defined under Rule 3. The sensitive personal information includes in its ambit:

  • physical, physiological and mental health condition;
  • medical records and history;
  • any detail relating to the above clauses as provided to body corporate for providing service.

However, any information that is freely available or accessible in the public domain, or furnished under the RTI Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal information. Please note that a body corporate in this article refers to the organization with which the employee is employed.

In the current circumstances, an employer seeking information pertaining to the medical records of an employee will fall under the purview of sensitive personal information as per the Rules and the travel history of an employee or his/ her family members will fall under the ambit of personal information under the Rules.

Collection of information by an employer

The Rules [2] provide that a body corporate, or any person who on behalf of a body corporate collects, receives, possesses, stores, deals with or handles information of a provider, shall have a privacy policy in place for handling such information. The body corporate further has the responsibility to ensure that the information collected is available to the provider for view under a lawful contract. The Rules [3] further provide that a body corporate obtaining such information has to obtain consent in writing from the provider of the information and must disclose the purpose of its usage before its collection.

The Rules clearly stipulate the conditions on the basis of which an employer can take personal/ sensitive personal information from an employee. The Rules also provide that an employer can collect personal/ sensitive personal information from the employees if:

  1. the same is collected for a lawful purpose connected with the function of the employer; or
  2. the collection of the information is considered necessary for the function of the employer

The employer collecting the information is permitted to use it only for the purposes for which it is collected. Additionally, the employer is not permitted to retain the information for longer than it is required. The information obtained must be secured by the employer at all times. The employer is also required under the Rules to ensure that the employee is informed of the reason for the collection of such information and the duration for which it shall be stored. Since specific directions are being issued by the State and Central Governments from time to time in the wake of Covid-19, it is to be understood that if any such direction mandates the divulging of information, there shall not be any bar on its collection and disclosure.

Refusal by an employee to share the information

The Rules also permit an employee to refuse to share their information with the employers. It is to be understood that prior to the collection of information an employee is given an option to provide or not to provide the information sought for. An employee who previously gave consent to provide the information is also permitted to withdraw the consent at a later point. 

Therefore, if an employee refuses to share his/ her medical records or travel history with the employer, the employer is not permitted under law to punish the employee or to take action against him/ her. However, the employer will be permitted to take the necessary actions in accordance with the terms of employment, to the extent that such actions are necessary to protect the health and safety of the workplace and other employees. Further, in the interest of the organization and other employees, and understanding the gravity of Covid-19, it is recommended that the employer inform the local health authorities about the employee if symptoms of Covid-19 are observed in the employee.

Sharing of the information obtained with third parties

Employers collecting information are not permitted to share the details of the employee with a third party. The Rules state that unless the disclosure has been agreed under a contract, the disclosure of information by an employer to any third party requires prior permission from the employee to whom the information pertains [4]. However, it is reiterated that this condition does not apply if the information is permitted to be disclosed to any third party by an order under the law for the time being in force.

Consequences of contradiction to the Rules

An employer who fails to obtain the consent of the employee before seeking information, or who collects information in contradiction to the Rules, will be in violation of the Rules.

Additional requirements and reasonable practices to be followed

The Rules, in addition to the provisions stated in this article, also require the employer to have reasonable security practices and procedures in place, and to comply with them, prior to collecting any employee information. Employers need to implement practices and procedures such as IS/ISO/IEC 27001.

Recommendations for the employers

Employers in these unprecedented times are taking a wide range of actions to combat this situation. However, even in these times, it is pertinent for employers to be careful to protect the privacy of their employees' data. It is understood that a lot of organizations may not have privacy policies or consent frameworks in place. Further, it is likely that many nascent organizations have not made infrastructural investments in the requisite security procedures for the collection and storage of information obtained from their employees.

In order to be absolutely sure, employers must take the necessary steps to address the data protection and privacy concerns of their employees. It is necessary to follow certain measures and to be mindful of the concerns provided below. Please note that the pointers covered in this article are not a conclusive list and are only indicative in nature.

  1. In case an employer has obtained information from the employee, they need to review their existing privacy policy to ensure that they had obtained sufficient prior consent from the employee and, if not, a notice must be sent immediately to the employee seeking consent;
  2. In case the employer does not have a privacy policy in place, explicit consent of the employees must be obtained prior to collecting information from them;
  3. Review of the organization's HR policy to ensure that it covers situations under which sensitive personal information can be collected;
  4. Formulate a protocol for collection and storage of personal and sensitive personal information in the organization;
  5. If it has not yet complied, the organization must deploy the reasonable and technical standards for protection of information collected by the organization as per the provisions of the Rules.

It is always advisable for organizations to limit the collection of data from their employees to what is absolutely necessary and unavoidable. Moderate and minimum collection of data shall reduce the compliances for an organization in relation to data protection laws and shall be beneficial for the organization in the long run.


1 - Available at https://www.prsindia.org/billtrack/personal-data-protection-bill-2019 
2 - Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
3 - Rule 5 (1) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
4 - Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
5 - Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

 

 

 

Rashi Suri

Upscale Legal is the multi-service law firm catering to the needs of various corporate houses, financial departments, government institutions and independent clients by handling their legal issues and concerns. We are a solution-driven law firm and are committed to providing high-quality legal services. Our committed team of lawyers deal with various legal issues and majorly specialize in corporate commercial laws and transaction management.
