On 11 March 2020, the World Health Organisation declared the Covid-19 outbreak as a pandemic, thereby calling for more urgent and aggressive action to stifle its spreading. Employers are taking a wide range of actions to deal with this extraordinary situation. However, even now, it is of the utmost importance that employers be mindful of protecting the privacy of data of their employees and business contacts in order to mitigate risk and ensure the smooth continuity of business in such a challenging time.
Brief overview of present day law
The Information Technology Act 2000 (IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Sensitive Personal Data Rules) are the principal legislations governing the collection and processing of personal information and sensitive personal data or information (Sensitive Personal Data) on a sector neutral basis. Sensitive Personal Data may be collected by a body corporate by complying with the provisions of the Sensitive Personal Data Rules including obtaining consent.
Privacy concerns for employers for Covid-19 preventive practices
· Temperature recording and physical screening: The Sensitive Personal Data Rules designates among others, “physical, physiological and mental health condition” as Sensitive Personal Data. Any information pertaining to the physical condition of an employee including body temperature will be considered as Sensitive Personal Data and all obligations under the Sensitive Personal Data Rules are required to be complied with.
· Self declaration of medical condition by employees: The Sensitive Personal Data Rules designates “medical records and history” as Sensitive Personal Data. Therefore, any such information as collected by employers through self declaration forms or otherwise is also required to be in compliance with the Sensitive Personal Data Rules.
· Collecting travel history and related information from visitors and business contacts: Information related to travel history collected from visitors and business contacts may in aggregate constitute personal information (but not Sensitive Personal Data). Under the IT Act, any personal information (not containing Sensitive Personal Data) which is collected while providing services under lawful contract, is not permitted to be disclosed except as agreed under such contract or if consent for the same has been obtained.
Some questions to consider
· Does your organization’s HR policy cover situations under which Sensitive Personal Data can be collected and has consent been obtained for the same?
· Does your organization follow any policy/protocol for collection and storage of personal information/ Sensitive Personal Data?
While the current situation is alarming and poses a risk to doing business, it is important to maintain compliance with data protection laws. This will ensure that the business reputation of an organization remains unaffected even in the most trying of circumstances.
- Supratim Chakraborty (Partner), Sumantra Bose (Senior Associate) and Vivekanand Bhardwaj (Associate)