

Compliance with Data Protection during COVID-19

Authors:
Atif Ahmed
January 1, 2021

Introduction

The Central Government, on March 24, 2020, issued a nation-wide lockdown to slow down the spread of COVID-19. India has been relaxing the measures of the lockdown with ‘Unlock 1.0’ by allowing private offices and other establishments to operate at full capacity. With increased movement of labour, the government, along with employers including corporates and non-governmental organisations, has been burdened with the task of restricting the spread of COVID-19. Employers have had to undertake certain measures like tracking their employees and collecting their health data.

While it is important to implement protocols like monitoring temperature, collecting travel history, documenting symptoms and contact tracing employees, it is also imperative for the employers to balance such actions with their employees’ right to privacy. In this context, the article seeks to examine the data protection regime in India and address the ‘balance’ that employers are bound to maintain.

Legislative Background

Currently in India, the Information Technology Act, 2000 (“ITA”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) govern the data protection regime. The law is applicable to any company, firm, sole proprietorship, and associations of individuals involved in professional/commercial activities. The definition of SPDI includes “physical, physiological, and mental health condition” and “medical records and history”.[1]

In Justice Puttaswamy (Retd.) and Another v. Union of India and Others[2], the Supreme Court held that the right to privacy is a fundamental right to uphold the right to life and personal liberty enshrined under Article 21 of the Constitution of India. The Supreme Court also stated that this right is not absolute and may be curtailed if certain criteria are met.[3] It is relevant to note that no special exemption for complying with privacy regulations has been granted by the Central Government for the duration of the COVID-19 pandemic.

Application of Law

Collection and processing of SPDI attracts a higher level of regulation and it is compulsory for employers to comply with ITA and SPDI Rules when doing so. Under the existing data protection regime, data collection must be as prescribed under a specific privacy policy.[4] The purpose for such collection of SPDI and its consequent terms of use must be intimated[5] and informed consent of the concerned individual must be taken.[6] Furthermore, it is mandatory for employers to implement ‘reasonable security practices and procedures’. The said security practices and procedures must be appropriate to the nature and extent of the activities undertaken by the employer. The most commonly followed standard is the International Standard IS/ISO/IEC 27001 and ISO/IEC 27035, which is the international standard for information security management. In a case where another standard is being followed, the same needs the approval of the Central Government, after which its implementation has to be certified by independent auditors.[7]

Practical Considerations

The abovementioned protocols must be adhered to by employers to ensure that the ITA and SPDI Rules are not violated, and the employees’ right to privacy is not infringed. In the absence of specific guidelines by the Central Government, an employer needs to adhere to basic data protection principles and the provisions of ITA and SPDI Rules. In view of the same, it is recommended that employers:

1. Collect only relevant data with the employee’s written consent and attempt to limit it to confirmed or suspected cases. Once COVID-19 is controlled, all the data collected to control the outbreak must be deleted/erased.

2. With the severity of COVID-19 increasing, employers may collect and store health details (like temperature, pulse rate or oxygen level) of individuals entering their work premises. However, such data should not be used for any purpose other than tackling the spread of COVID-19. It is the employer’s duty to ensure that the information is well protected from third-party invasion.

3. Have a policy setting out a protocol for collecting and processing personal data and SPDI which is in line with an internationally recognized standard for data protection.

Imposition of Penalties under the ITA  

Under section 43A of the ITA, an employer is liable to pay compensation if it is found that there is negligence in providing ‘reasonable security measures and procedures’, resulting in wrongful loss or wrongful gain to anyone.[8] While there is no upper limit prescribed, the compensation demanded would be commensurate to the damage caused. Under section 72A, the punishment for a service provider may include a jail term extending for three years and/or a fine extending to Rupees Five Lakhs if it is found that personal information has been disclosed without prior consent of the aggrieved individual or in breach of a contract.[9] It is imperative to prove that the intention behind such disclosure was to cause wrongful loss or wrongful gain to any person.[10]

Conclusion

In the fight against COVID-19, data is expected to play a huge role. However, in this pursuit, it is imperative to uphold the right to privacy and comply with data protection laws. Utilisation of data will only be deemed successful if it is handled with proper caution and is erased once the crisis is brought under control. It is of utmost importance for employers to evaluate and update their data processing practices and information security management according to the prevailing circumstances.

The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal, Hyderabad.

[1] Rule 3 of SPDI Rules

[2] (2018) 1 SCC 809

[3] Ibid.

[4] Rule 5(3) of SPDI Rules

[5] Rule 4(1) of SPDI Rules

[6] Rule 5(1) of SPDI Rules

[7] Rule 8 of SPDI Rules

[8] Section 43A of the ITA

[9] Section 72A of the ITA

[10] Ibid.
