The World Health Organization ("WHO") declared COVID-19 a pandemic on March 11, 2020, and effectively urged countries to take all necessary steps and measures to detect, test, isolate and treat people in order to prevent a handful of cases from turning into widespread community transmission, which would further stress the capacity of global public health institutions[1]. In pursuance of the same, the Indian Government, through the Ministry of Health and Family Welfare, has issued and notified multiple travel, immigration, employment and public health-related advisories to proactively prevent, contain and delay the onset of the outbreak in the country.

Some of these measures also included: suspension of visas until April 15, 2020; requiring persons having visited Italy/South Korea to submit negative status COVID-19 declarations from authorised and recognized laboratories of such countries before they could enter into India; mandatory medical supervision quarantine for a minimum of 14 days for persons having visited high-risk countries[2]; home quarantine for all travellers entering India, etc.

The COVID-19 pandemic has resulted in an unprecedented disruption of social and business activities across the globe, and it would only be fair to assume that the evolving situation will continue to demand more resources, enlistment, focus and expenditure in times to come.

As in other countries, the responsibility of responding to the crisis in India is largely pinned on immigration and public health professionals. However, managing a novel crisis of such magnitude surely mandates an organized and consistent response from all capable and proficient stakeholders. It is therefore essential to see corporate organizations extending proactive health, safety, accessibility, employment protection and continuity measures to protect their employees and partners from possible exposure to the infection. Their objective is two-fold: one, depending upon the industry and the nature of the employees in question, to comply with all necessary statutory obligations relating to the provision of a safe working environment to all their employees; and two, to respond to, contain, prevent and delay a public health crisis with the means available at their disposal, so as to ensure business continuity in view of the expanding nature of the disease, and to reduce the chances of community transmission in their offices, which would help in avoiding a complete shutdown of business activities on a long-term basis.

The initial step of any corporate COVID-19 action plan would, and should, be to collect and monitor information pertaining to employees and partners, including their travel histories (both official and personal), symptoms (their own and those of family members), disclosure of interaction with suspected or confirmed COVID-19 persons, etc. It is also fair to assume that most organizations are likely to have no pre-existing disaster management plans specific to the prevention of infectious diseases, which has resulted in companies collecting and asking for information that is not anticipated or included in either the policies or the consent frameworks established to date.

Further, this practice is of concern, as it is equally important for employers to understand the need to balance emergency response with the protection of privacy of their employees, workers, consultants or extended workforce members.

This article outlines some of the data protection blind-spots that are emerging from COVID-19 emergency plans and addresses common queries that some corporate organizations may have in this regard.

1. What is the current legal position in India?

The current data protection law ("IT Act") categorises an employee's physiological and/or health information and medical records as 'sensitive personal data' ("SPDI"), which is considered sensitive and thus worthy of more defensive safeguards. Information such as the travel history of a person or of his/her family members, exposure to suspected persons, etc., may be classifiable as 'personal data' ("PI"), which is also protected, but to a lesser degree.

2. What is SPDI and PI under the IT Act?

The existing law prescribes that any SPDI collected, processed or stored, whether for providing a service, under a lawful contract or otherwise, must be described under a specific privacy policy; informed consent should be obtained prior to the collection of SPDI; the purpose of usage of the SPDI ought to be disclosed in advance; and the SPDI collected should be stored only for, and until, the specified purpose is served. Further, organizations are mandated to implement reasonable security practices and procedures, such as ISO 27001 (the international standard for Information Security Management), that would be commensurate with the nature of their business. Collection, processing and storage of PI can be done provided a reasonable privacy policy is put in place.

All employers can, hence, collect health information/records or travel histories of their employees by stating the intended purpose of use under the privacy policy. However, as mentioned above, for collection of sensitive personal data, an additional consent is required, and the SPDI can only be collected for providing a service (for instance, arranging an insurance provider for health coverage) or under the terms of a lawful contract. It may be noted that, where transfer of such information is requested by Government agencies, the organizations would not be liable for the accuracy of the information submitted by their employees. Furthermore, employees are also legally entitled to refuse consent, though this right appears to be available only when an employer is collecting SPDI.

3. What are COVID-19 data protection practices subsisting in other countries?

The EU General Data Protection Regulation ("EUGDPR") is more nuanced and allows organizations to collect and process information on grounds of legitimate interests, or so as to comply with their employer or legal obligations, as applicable and existing in each of the countries. Despite such an enablement, data protection authorities across Europe have asked employers to exercise caution while implementing their COVID-19 action plans and have urged them to consider proportionality even in the face of a pandemic situation. Some examples are given below:

  • On March 02, 2020, the Italian Privacy Authority asked employers not to collect employee health information or ask employees about their contact with suspected symptomatic persons in a systematic and generalized manner, and stated that such inquiries and checks should instead be conducted by a civic and public health administration authority[3];
  • In France[4], the Data Protection Authority has reminded employers of their legal obligations under the EUGDPR and French public health codes, and has further clarified that COVID-19 action plans cannot require disclosure of medical and health information which goes beyond the management of suspected exposure and infringes on the privacy rights of employees and visitors. It was specifically stated that checking body temperatures and systematically processing the said data on a daily basis, or asking employees and visitors to submit health declarations, is not legally permissible. It has instead encouraged employers to educate their employees, advise employees to undergo tests with public health authorities, and set up remote working facilities;
  • The UK's Information Commissioner's Office ("ICO") has taken a more pragmatic approach, wherein it has assured employers that it is cognizant that, in pressing times, usual governance and compliance frameworks could be relegated to a lesser priority, and that employers would not be penalized if they are prioritizing other areas to contain the outbreak amongst their employees, visitors and partners[5]. The ICO has, however, confirmed that this flexibility should not be construed by organizations as licence to forego the principles of proportionality, and that only such information as would not be excessive in the given circumstances should be collected and processed by employers.

4. How does the global position differ from the Indian framework?

Given the evolving nature of the pandemic, even the advanced-privacy jurisdictions are struggling to balance public interest with maintaining the privacy of individuals, especially the private employers who are not equipped to respond to a public health emergency. As COVID-19 transmits further, we can expect a more detailed and continuous guidance from the global regulators for the employer organizations, varying in each jurisdiction.

While our Country is dealing with the same data protection challenges, the interpretational challenges may be more prominent in our jurisdiction since we do not yet have a conclusive data protection law that could anticipate or address such emergency situations. Also, we do not have a specific data protection regulator that could address any prevailing confusion or restrict unacceptable practices. Unlike the EUGDPR, the Indian law further does not envisage any collection of information on legitimate grounds such as the prevention of a public health emergency or to comply with applicable laws, and it also does not permit employers to obtain specific information which is fundamentally necessary to manage the interests of an employer-employee relationship. For SPDI, Indian laws are restricted to a consent-based approach, as mentioned in the preceding paragraphs.

Footnotes

1. WHO Director General's opening remarks at the media briefing on COVID-19 on March 11, 2020

2. The Ministry of Health and Family Welfare has continued to update this list. As of March 11, 2020, the high-risk countries are China, Italy, Republic of Korea, France, Spain and Germany. Anyone who has visited these countries after February 15, 2020 will be subject to mandatory quarantine for a minimum period of 14 days. (https://www.mohfw.gov.in/ConsolidatedTraveladvisoryUpdated11032020.pdf)

3. Press Release by Italy Data Protection Authority, March 02, 2020, (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117#1)

4. Press Release by CNIL, March 06, 2020, (https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles)

5. UK ICO Guidance, March 12, 2020, (https://ico.org.uk/for-organisations/data-protection-and-coronavirus/)

Originally published April 15, 2020

For further information please contact at S.S Rana & Co. email: info@ssrana.in or call at (+91- 11 4012 3000). Our website can be accessed at www.ssrana.in
