What does data mean in the context of Data Protection and Privacy?

Here, data means any information directly or indirectly identifiable with an individual, including their physical, physiological, genetic, mental, commercial, cultural, or social characteristics. This may also include attributes that can be assigned to them, such as a telephone number, address, and date of birth.>

There are two types of data:>

• Personal data can help identify an individual, with specific details such as their name, biometrics, health data, Aadhar Number, PAN (Permanent Account Number), credit card number, car number plate, etc.>
• Non-personal data does not contain personally identifiable information, examples of which could be information collected during a government census, data in industrial databases and anonymized personal data.>

What is Data Protection and Privacy?

Data Protection> refers to a set of regulations, policies, and practices that aim to safeguard against the arbitrary and unregulated collection, storage, dissemination and usage of data of individuals without their consent. >Privacy> is the desire, right and ability of individuals to protect themselves, their identity and their personal information from being known by the world. The concept has recently gained greater significance since there are increasing >reports of data breaches> by hackers and privacy violations by internet giants such as Facebook, Twitter, and Google.>

The Constitution of India does not expressly provide for a fundamental right to privacy. However, the Supreme Court of India has, in the case of >Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1>, read the right of privacy into the right to life [>Article 21>] and freedom of speech [>Article 19(1)(a)>] provisions of the Constitution. The Court held that the law must protect an individual's right to privacy. Currently, there is no comprehensive data protection law in the country. However, a Personal Data Protection Bill has been doing the rounds of the Houses of Parliament since 2019. Recently, the government withdrew the Bill in favour of introducing new and comprehensive legislation, since the Parliamentary Panel reviewing the old Bill had suggested a significant number of amendments to the same.>

Currently, our data privacy & protection segment is primarily governed by the >Information Technology Act 2000> and the rules framed under the Act, combined with certain sectoral laws (telecom, e-commerce, financial sector, et.al.). >Section 43A> of the Act requires the payment of compensation by a corporate body dealing with sensitive personal data which fails to protect such data. Sections >72> and >72A> of the Act impose a penalty for disclosing information about any person concerned. Sections >66C>, >66D> and >66E> provide the punishment for identity theft, cheating by personation and violation of privacy, respectively.>

India is also a party to certain international conventions, including the >UDHR> and the >ICCPR>, which recognize the Right to Privacy. Foreign investigations for a data breach can be conducted in India with the aid of the Treaties and >Code of Criminal Procedure, 1973>.>

Inclusion of privacy and confidentiality aspects in the Code of Conduct of an organization

Without a comprehensive statute dealing with data protection and privacy, most organizations have to devise their own rules. Most organizations' >Codes of Conduct> (CoC) usually provide for the rules and regulations related to data protection, privacy, and confidentiality. A CoC, also known as an "Employee Handbook", is a guide for employees on how they are required to behave during their employment with the organization. The CoC provides the rules that all employees must follow to maintain the confidentiality of all information collected from third parties (such as clients, vendors, and contractors of the organization). When the rules of confidentiality are explicitly mentioned in an organisation's CoC, other organizations get the impression that it is a well-governed and disciplined organization and are more confident in dealing with it. >

Apart from the confidentiality of information of third parties, the CoC also often specifies that the organization will keep the data of all its employees confidential and vice versa. In the context of an employee, an organization may possess the following data:>

• name and contact details,>
• details related to caste, religion and race,>
• bank account and salary information,>
• details of educational qualification and past work experience,>
• membership in work associations and trade unions,>
• any work assessments by superiors,>
• information related to any disciplinary or sexual harassment proceeding,>
• any correspondence between the organization and the employee,>
• biometric data in the case of organizations that use fingerprint/iris scan door locks and store the biometric data of their employees,>
• entry/exit timings of employees,>
• personal data, email data and phone data stored or obtained from electronic devices provided by the organization to its employees.>

Organizations can follow some basic principles to ensure the privacy of the employee data collected by them, which are:>

• Data of employees should be collected and used only with their consent.>
• Data of employees should be collected only for a specific purpose, be minimized once the purpose has been served and be deleted when the data is no longer needed.>
• The organization should employ processes and technologies that protect employees' personal data in its collection and storage process.>
• Organizations should have a forum where employees can seek redressal in case of any data breach or violation of privacy.>

Another aspect of confidentiality vis-à-vis employees in the code of conduct is the aspect of whistleblower confidentiality. Several organizations have a whistleblower policy per which employees are encouraged to report incidents of wrongdoing in the organization to the management with the assurance of their names remaining anonymous. Organizations need to maintain the utmost confidentiality of the identity of whistleblowers so that employees are not scared to come forward to file complaints about misconduct observed by them.>

Privacy considerations in Sexual Harassment cases

One of the most critical areas where an employee's right to privacy gains primary importance is in cases of Sexual Harassment. >Section 16 of the PoSH Act> prohibits the publication or communication in public, press or media, of the identity and address of the complainant/aggrieved woman, the accused, the witnesses, information relating to conciliation and inquiry proceedings, recommendations of the Internal Committee or the Local Committee, and the action taken by the employer or the District Officer under the PoSH Act. The only exception to this directive is that information regarding the justice received by the aggrieved woman may be disseminated, disclosing no other details, which may lead to the identification of the aggrieved woman and witnesses.>

Organizations need to ensure the highest level of confidentiality as far as the identity of the victim is concerned. Only in an environment where aggrieved women feel assured that the organization will maintain their privacy, they will feel secure enough to file complaints about incidents of Sexual Harassment. Where the harasser is in a position of power over the aggrieved woman or of the witnesses, they may hesitate to file a complaint or take part in the proceedings, apprehensive of retribution from their superior.>

Similarly, organizations also need to protect the identity of the accused, at least until they have not completed the Sexual Harassment proceedings. Failure to protect the identity of the accused becomes especially problematic if, at the end of the Sexual Harassment proceedings, his innocence is proved. It may affect the accused person's chances of future employment, leading to employment action by the accused against the organization on the grounds of defamation or invasion of privacy.>

Section 17 of the PoSH Act> deals with the repercussions of failing to maintain confidentiality by a person entrusted to handle the Sexual Harassment complaint, conduct the proceedings, implement the recommendations given by the IC, or take action against the accused. A penalty is to be imposed on such a person per the conditions of the service rules applicable to the aggrieved woman.>

A reading of Section 17 shows that only those entrusted with certain functions can be penalized for a breach of confidentiality. However, there is no clarity on what the consequences would be if the breach of confidentiality of Sexual Harassment proceedings was by the aggrieved woman, the accused, any of the witnesses, or any other employee of that organization. Organizations can frame their policies/rules to prevent and penalize such breaches and include them in the Code of Conduct.>

In organizations where the rules of data protection and privacy are clearly defined, employees feel both respected and respectful towards their employers. That makes for a more efficient and professional work environment. >

Author: Pallavi Mohan Editor: Sumali Nagarajan

References –

1. https://advisory.kpmg.us/blog/2022/new-chapter-anti-corruption-enforcement.html
2. https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/
3. https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=No%20one%20shall%20be%20subjected%20to%20arbitrary%20interference%20with%20his,against%20such%20interference%20or%20attacks.
4. https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.