Opinion | The privacy of employees versus the safety of everyone
Updated: 17 Mar 2020, 08:38 PM IST
Legal provisions could guide companies on striking a balance but policy tweaks may be needed
The Covid-19 pandemic has given rise to many legal concerns. Among these are worries surrounding the privacy of individuals and data related to them.
Private organizations, including those in hospitality, retail and other sectors which employ large groups of people, have instituted precautionary measures such as taking temperature readings and collecting travel histories from some or all employees, guests or visitors.
Where persons are symptomatic, or are otherwise suspected of having Covid-19, such organizations may find themselves called upon to take additional actions, including disclosing names of employees or guests to identify those at risk, denying access to premises, requiring tests, and reporting their results to the authorities.
As several jurisdictions (including India) restrict the disclosure of individual disease status, these actions may restrict or impact an individual’s right to privacy, and must be viewed in the light of such risks as the stigmatization, persecution, and erroneous identification of individuals. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), categorize physical and physiological health conditions, as well as the medical history and records of people, as “sensitive personal data or information (SPDI)”. Information related to symptoms of Covid-19, such as diagnostic results, temperature readings and other vitals, may qualify as SPDI.
Under the rules, SPDI may only be collected, processed and retained on the basis of consent, for a clear and well-defined purpose, and may be retained only to the extent required to fulfil the stated purpose. Once collected, SPDI may only be disclosed if and when consented to, or if disclosure is necessary for compliance with a legal obligation.
In the absence of a clear legal obligation and if employees do not grant consent, the above restrictions may constrain private organizations from carrying out actions necessary to protect other employees or guests. Organizations may rely on one of the following approaches to deal with such situations.
Where reliable information in relation to a person’s Covid-19 status is publicly available, private organizations may use and process the same freely, as SPDI has been defined to exclude publicly available data or information. In Mr. X v. Hospital Z, the Supreme Court held that the right to privacy is not absolute and may be subject to lawful action to prevent crime, disorder or to protect health. The court further held that, as the Right to Life includes the right to lead a healthy life, disclosure of a communicable life-threatening disease cannot be said to violate the right to privacy.
In addition to the above general principle, employers may also seek to rely on language that is often included in employee handbooks, allowing them to conduct health checks and undertake necessary actions to safeguard the interests of employees and the organization.
The Personal Data Protection Bill, 2019 (PDP Bill), which has been introduced in Parliament and is currently being reviewed by a joint parliamentary committee, provides for the processing of personal data without consent if needed in response to medical emergencies, or to avoid severe threats to health, or for the undertaking of measures to provide assistance or services during disasters or breakdowns of public order. The Data Protection Authority, to be constituted under the PDP Bill, may be well-advised to consider the current circumstances while formulating Indian codes of practice and regulations.
Private organizations may not be well-placed to make decisions balancing health risks and privacy in an evolving environment, and may therefore want to draw guidance from regulations or notifications released by the government. They also risk running afoul of provisions penalizing the publication of “misinformation” in relation to Covid-19, apart from other regulations like the Karnataka Epidemic Disease, Covid-19 Regulations, 2020, and the Maharashtra Covid-19 Regulations, 2020, both of which deem the spreading of rumours or unauthenticated information regarding Covid-19 a punishable offence.
Guidelines on both sides of the balance that needs to be struck—some permitting the private collection and reporting of Covid-19-specific information from employees, and others restricting it—have been issued in the context of the General Data Protection Regulation by data-protection authorities in Ireland and the UK on one hand, and Italy and France on the other. These may well change as the pandemic evolves.
Owing to the gravity of this pandemic, governments, both Central and state, would be well advised to issue clear regulations or notifications enabling and requiring private organizations to monitor, report and segregate possible cases of Covid-19.
Pending such guidance, private entities faced with a clear case of imminent harm to health or well-being could rely on existing consent norms and jurisprudence to introduce reasonable and proportionate measures (including screening and reporting) to address the current Covid-19 emergency.
In times to come, private entities should consider hard-coding such measures into the terms of employment they offer their employees and other internal human resource policies.
Piyali Sengupta and Sameer Avasarala contributed to this article.
Arun Prabhu is a partner at Cyril Amarchand Mangaldas