This article is part of a 5 part series authored by AnantLaw partners
Part 3: Treatment of data collected during Covid-19 outbreak: Indian Entities
In India, many employers/companies are taking preventive steps on their own. In early March, 2020 when there was absence of any guidelines or advisory from the government, the employers/companies had already moved (or were planning to move) to Work from Home facility and were conducting thermal screenings /checking travel histories of the employees.
In this regard, the employers must adhere to basic principles of data protection and privacy law, in order to ensure that their actions do not constitute an infringement of the fundamental ‘right to privacy’ enshrined under Article 21 of the Constitution of India. We have herein below captured, for this purpose, the basic guidelines that an employer/ company must adhere to, while collecting and treating data during COVID-19 outbreak. On the basis of the IT Act, the IT Rules, the landmark Puttaswamy Case2 on right to privacy and practices adopted in other jurisdictions, below are a few take-aways:
(01) While extending the benefit of ‘work from home’ to employees during quarantine, do ensure that the integrity of client’s data is not compromised.
(02) Employers should, as far as practicable, limit data collection to confirmed or suspected cases, or those who have come in contact with such cases. This information as well, should be collected with a clear and legitimate purpose with the consent of the employee. Collection of irrelevant information should be strictly avoided.
(03) With the crisis becoming severe with every passing day, the employer may be allowed to take temperature of employees or other visitors and accordingly grant access to enter in the office premises. However, such data should not be retained once the purpose for which it was collected, is over.
(04) The information so collected should only be used for the purposes of tackling the pandemic outbreak. Organisations should be extremely careful not to put this data to a different use. The onus of protecting this information falls squarely on the employers. They should in no way allow access, either deliberately or negligently, to third parties of such information/data. Such sensitive data should not be published under any ordinary circumstances. Acting negligently would also be in contravention of section 43A of the IT Act.
(05) Any information procured should not be disclosed without consent. However, given the nature of the current scenario, in certain situations such disclosure may be justified. For example, if the government needs access to such information in order to form policies or take corrective measures; or such information needs to be disclosed to protect public interest; or if there is a legitimate fear that non-disclosure may lead to worsening of the situation. These situations where disclosure without consent may be allowed should be demarcated in no uncertain terms, and employers must ensure that they are not acting outside of such terms.
(06) Information regarding health condition or travel history of the employee might be sought by the employer while the employee is working from home. However, answer to question pertaining to symptoms of COVID-19 may be restricted to just a ‘Yes’ or ‘No’. Further, question in relation to travel history may be restricted to travel to areas which are adversely hit by COVID-19 (and/or notified by the government as restricted travel jurisdictions under regular travel advisories). However, given the deteriorating conditions, identification of risky areas may be arguable.
(07) Once the situation has been brought under control and the virus has been controlled/eradicated, the organisations as well as the government must ensure that the data collected for the specific purpose of dealing with the outbreak must be destroyed. Any sensitive data collected for a specific purpose must be destroyed when that purpose has been met. Processing this data after the fact, for a purpose it was not originally meant for, will be in strict violation of the privacy of such individuals whose data is being used.
(08) Refrain from sharing the data so collected, with the third parties or the general public.
(09) Refrain from collecting information of any other individual, who does not form a part of the organization.
(10) Refrain from retaining the sensitive personal data for longer than is required for the purpose of fighting COVID-19 pandemic.
(11) Refrain from publishing the sensitive personal data or information collected during COVID-19 pandemic to public or other third parties.
(12) Vast datasets provide a competitive advantage and providing access to such datasets to a dominant enterprise can disrupt the competitive forces. Accordingly, in cases of dominant enterprises, the collection of information and further retention of such information, even if they do not act in contravention of privacy laws, may violate provisions of competition law. Therefore, the data collected during COVID-19 outbreak shall not be used for any other purpose than fighting against COVID-19.
(13) Be generally mindful of the data protection and privacy principles while formulating a policy concerning collection and processing the data, as the same is operating in full force, in absence of any guidance from the Government.
The scope of the takeaways mentioned above is restricted to data protection and privacy laws. Nothing stated herein above has any bearing on rights and liabilities of the employers or employees under employment laws. Further, it is clarified that health data can be collected by health authorities, isolation camps set up by the government or any other government approved authority qualified to take the measures appropriate to the situation. The assessment and collection of information relating to symptoms public authorities. These authorities, in absence of any specific guidelines, can also keep in mind the basic principles of data protection and privacy laws to avoid even the slightest infringement of individuals’ right to privacy. Further, in these unprecedented times, it is always advisable that the employers may obtain legal advice from their legal team or data protection and privacy law experts in order to remain in compliance of all applicable laws.