

Compliance with Data Protection during COVID-19
Introduction
On March 24, 2020, the Central Government imposed a nation-wide lockdown to slow the spread of COVID-19. India has since been relaxing the lockdown under ‘Unlock 1.0’, allowing private offices and other establishments to operate at full capacity. With the increased movement of labour, the government, along with employers including corporates and non-governmental organisations, has been burdened with the task of restricting the spread of COVID-19. Employers have had to undertake measures such as tracking their employees and collecting their health data.
While it is important to implement protocols such as monitoring temperature, collecting travel history, documenting symptoms and contact tracing among employees, it is equally imperative for employers to balance such actions against their employees’ right to privacy. In this context, this article examines the data protection regime in India and addresses the ‘balance’ that employers are bound to maintain.
Legislative Background
Currently in India, the Information Technology Act, 2000 (“ITA”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) govern the data protection regime. The law applies to any body corporate, that is, any company, firm, sole proprietorship or other association of individuals engaged in professional or commercial activities. The definition of sensitive personal data or information (“SPDI”) includes “physical, physiological and mental health condition” and “medical records and history”.[1]
In Justice K.S. Puttaswamy (Retd.) and Another v. Union of India and Others,[2] the Supreme Court held that the right to privacy is a fundamental right, intrinsic to the right to life and personal liberty guaranteed under Article 21 of the Constitution of India. The Supreme Court also stated that this right is not absolute and may be curtailed where certain criteria (legality, a legitimate aim and proportionality) are met.[3] It is relevant to note that the Central Government has granted no special exemption from compliance with privacy regulations for the duration of the COVID-19 pandemic.
Application of Law
Collection and processing of SPDI attracts a higher level of regulation, and employers must comply with the ITA and the SPDI Rules when doing so. Under the existing regime, SPDI may be collected only under a published privacy policy;[4] the purpose of collection and the intended terms of use must be intimated to the individual,[5] and the individual’s informed consent must be obtained in writing.[6] Furthermore, employers must implement ‘reasonable security practices and procedures’, and these must be appropriate to the nature and extent of the activities undertaken by the employer. The standard expressly recognised in the SPDI Rules is IS/ISO/IEC 27001, the international standard for information security management systems; ISO/IEC 27035, which covers information security incident management, is often adopted alongside it. Where an industry code of best practice other than IS/ISO/IEC 27001 is followed, it must be approved and notified by the Central Government; in either case, implementation must be audited at least once a year by an independent auditor approved by the Central Government.[7]
Practical Considerations
Employers must adhere to the protocols above to ensure that the ITA and the SPDI Rules are not violated and that employees’ right to privacy is not infringed. In the absence of specific guidelines from the Central Government, an employer needs to adhere to basic data protection principles and the provisions of the ITA and the SPDI Rules. In view of the same, it is recommended that employers:
1. Collect only relevant data, with the employee’s written consent, and limit collection as far as possible to confirmed or suspected cases. Once the outbreak is brought under control, all data collected to control it must be deleted or erased, since SPDI may not be retained for longer than is required for the purpose for which it was collected.
2. Given the continuing severity of COVID-19, employers may collect and store health details (such as temperature, pulse rate or oxygen saturation) of individuals entering their work premises. However, such data must not be used for any purpose other than tackling the spread of COVID-19, and it is the employer’s duty to ensure that the information is protected against unauthorised access by third parties.
3. Have a policy setting out a protocol for collecting and processing personal information and SPDI that is in line with an internationally recognised standard for data protection.
Imposition of Penalties under the ITA
Under section 43A of the ITA, an employer is liable to pay compensation if it is negligent in implementing and maintaining ‘reasonable security practices and procedures’ and that negligence results in wrongful loss or wrongful gain to any person.[8] While no upper limit is prescribed, the compensation awarded would be commensurate with the damage caused. Under section 72A, any person, including an intermediary, who discloses personal information obtained while providing services under a lawful contract, without the consent of the individual concerned or in breach of that contract, may be punished with imprisonment for a term of up to three years, a fine of up to Rupees Five Lakhs, or both.[9] It must be shown that the disclosure was made with the intent to cause, or with knowledge that it was likely to cause, wrongful loss or wrongful gain to any person.[10]
Conclusion
In the fight against COVID-19, data is expected to play a huge role. In this pursuit, however, it is imperative to uphold the right to privacy and comply with data protection laws. Utilisation of data will only be deemed successful if it is handled with proper caution and erased once the crisis is brought under control. It is of utmost importance for employers to evaluate and update their data processing practices and information security management in line with the prevailing circumstances.
The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal, Hyderabad.
[1] Rule 3 of SPDI Rules
[2] (2018) 1 SCC 809
[3] Ibid.
[4] Rule 5(3) of SPDI Rules
[5] Rule 4(1) of SPDI Rules
[6] Rule 5(1) of SPDI Rules
[7] Rule 8 of SPDI Rules
[8] Section 43A of the ITA
[9] Section 72A of the ITA
[10] Ibid.