The Indian Legal Position on Employee Data Protection and Employee Privacy

Now, more than ever, it is possible for companies to monitor their workers' online activity in the workplace. Where bargaining power is imbalanced between parties to a contract, as it often is in the employee-employer relationship, the employer may be able to coerce the employee into providing further information that the employee would not willingly give. Such actions may constitute a breach of privacy rights, since the information at issue may relate to the individual's private life, preferences, family concerns, history, etc.

Historically, Indian labour law has not addressed data protection or privacy in relation to workers' data.

Law on data privacy and its effect on employers

The legislation that has attempted to address the data protection and privacy problem thus far is the Information Technology Act, 2000 (“IT Act”), read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”).

Sensitive personal data or information (“SPDI”) is protected by Section 43A of the IT Act, while Section 72A guards against unauthorised disclosures made in violation of a contract. Section 43A outlines the compliances that must be adhered to by an organization that collects, stores, or otherwise handles SPDI (such as passwords, financial information, health conditions, sexual orientation, medical records, and biometric records).

Employers collect SPDI of their employees for various reasons, such as the selection process, record retention, employee evaluations or other legitimate business purposes. If the employer is negligent in maintaining the SPDI of the employee, the employee may approach an adjudicating authority designated under the IT Act for compensation of up to INR 5 crores (about US$100,000), or the competent civil courts for compensation exceeding INR 5 crores.

What exactly is Sensitive Personal Data?

"Sensitive Personal Data" is the subset of Personal Data that is considered 'sensitive' to a person's privacy and may jeopardise it if not gathered, kept, processed, transferred or erased with care. According to the Act, one reason for the watchful handling of such data is the extent of harm that may be caused to a data principal if its safety or privacy is compromised through misappropriation or mishap at any point while the purpose for which it was collected is being fulfilled.

The Act categorises a large amount of personal information as 'sensitive'. Financial data; official identifiers; biometric, genetic, health or biological data; data relating to sexual orientation or gender status (primarily intersex or transgender status); data on caste, class or tribe; sex life; and, finally, political or religious beliefs and affiliations are all on the list.

Compliances in relation to SPDI

  • Nexus – SPDI is collected only where there is a need to collect such information.
  • Opt-in and opt-out – Specific written consent should be taken from employees prior to the collection of SPDI.
  • Privacy policy – Employers shall have a well-documented privacy policy as required by the IT Act, and the policy should be available on the employer's website.
  • Access – Employees should be allowed to review and correct deficiencies in the information.
  • Transfer – SPDI may be transferred only where specific consent has been taken from the employees, adhering to the standards of the IT Act.
  • Reasonable security practices and procedures – Employers should maintain reasonable procedures to protect SPDI.

Question of Employee Surveillance

While employee monitoring is not addressed under the IT Act, these problems have grown in prominence, especially in light of India's fast-expanding information technology and outsourcing industries. Employers may face major difficulties such as data leakage, intellectual property infringement, defamation and a slew of other issues if an employee misuses the communication devices the employer provides for work purposes. For instance, if an employee downloads pornographic material on an office laptop and distributes it to colleagues, it may be considered sexual harassment, and the employer may be held accountable for creating a hostile atmosphere. To deal with such scenarios, and more broadly to protect workers' privacy in telephone calls, emails and the like, the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India [1] declared the right to privacy a fundamental right under Article 21 of the Constitution of India and described it as the very essence of an individual's being, thereby safeguarding the privacy of employees as well.

Who can collect personal data?

According to Rule 5 of the IT Rules, no body corporate or any person acting on its behalf shall collect sensitive personal data or information unless (a) the information is collected for a lawful purpose related to a function or activity of the body corporate; and (b) the collection of such information is deemed necessary for that purpose.

Furthermore, the person sharing the information must be informed of (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; and (iv) the name and address of (a) the agency collecting the information; and (b) the agency that will retain the information.

For what duration can personal data be stored?

Any body corporate or person holding sensitive personal data or information may not retain it for longer than is necessary for the purposes for which the information may lawfully be used, or as is otherwise required by any law currently in force, and such information may be used only for the purpose for which it was collected.

Furthermore, before collecting information, the body corporate or any person acting on its behalf must give the provider of the information the option of not providing the data or information sought. If these conditions are not fulfilled, the information provider may at any time withdraw the consent given earlier, whether while using the services or otherwise.

References

  1. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
  2. https://www.mondaq.com/india/data-protection/470538/employee-data-protection-in-india-what-should-employers-be-aware-of

Author: Tushar Baid, Research Associate, Law, Rainmaker Online Training Solutions

Directions and Contributions: Akanksha Arora, AVP – Legal, Rainmaker Online Training Solutions

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.