The COVID-19 pandemic is creating significant health, social, and economic challenges worldwide. The Central and State governments have responded to this evolving situation by imposing curfews, travel restrictions, and closing down certain services and private businesses. As the numbers of COVID-19 cases increase in the country, these restrictive measures will likely become more stringent and widespread.

Many employers with operations in India are already facing steep challenges in coping with this fast-changing situation. Navigating the pace of change, while also dealing with immediate issues can be overwhelming. This is true, especially with regards to employee privacy and the Coronavirus (COVID-19).

Employee privacy is not new and there has been consistent guidance on what is (baseline) possible and what not. What data can you process when an employee calls in sick, and what can you and can’t you ask? A normal everyday question.

But when an epidemic spreads like COVID-19, things may be a little different. Here is an article co-authored with the help of Atul Gupta, Partner at Trilegal and Vikram Shroff, Head of the HR Law (Employment and Labour) practice at Nishith Desai Associates on how to manage employee privacy in the times of COVID-19.

Here are some standard guidelines released by the Indian Government to make sure you don’t violate employee privacy:

About the information that employees to disclose about their health status

Indian privacy law currently recognizes and protects only certain limited information such as sensitive personal data or information (SPDI). SPDI includes inter alia ‘physical, physiological and mental health conditions’ and ‘medical records and history.’ Health status and medical symptoms would accordingly be protected and an employee can also refuse to disclose such information. 

Vikram Shroff, Head of the HR Law (Employment and Labour) practice at Nishith Desai Associates shares, “The employer will need to comply with the relevant provisions while obtaining, storing, processing and transferring any SPDI of the employees. On the other hand, travel plans and history, non-work activities, etc. are not protected by Indian privacy laws and hence can be asked by the employer without worrying from a privacy standpoint.”

India is currently contemplating a GDPR-like privacy law, which, once enacted, will provide extensive protection to employees concerning their health and medical information. 

Atul Gupta, Partner at Trilegal further shares that Indian law generally recognizes an employer’s right to subject employees to medical tests for determining fitness for the job. Government guidelines also expect employers to allow employees with flu-like symptoms to work from home / self-isolate. Such measures cannot be complied with without seeking necessary inputs on personal health status that of close contacts travel plans/history from employees, etc. and doing so would be acceptable. Organizations are advised to roll out specific policies that inform employees about these obligations transparently. At the same time, organizations should remember that medical information of an individual, when held in digital form, is considered as ‘sensitive personal information’ (SPI) under the Information Technology Act, 2000 and the rules thereunder (IT Act). To that extent, it would be advisable for organizations to ensure that they put into place necessary security measures to safeguard medical information and also update their privacy policies if required.

Restrictions on data collection, processing or dissemination to address COVID-19 risks

While there are no specific privacy-related restrictions concerning the COVID-19 outbreak, an employee’s medical records and history is protected by Indian privacy laws. To that extent, the employer will need to comply with the relevant provisions of the law in case of an employee who is suspected or affected by COVID-19. Also, the employer will need to treat such information as strictly confidential. However, that should not prevent the employer from generally disseminating any COVID-19 related information to its employees, as long as it is not in the general public domain. 

Data must be held securely and only be used for legitimate purposes to prevent the spread of the virus. E.g., no such information should be revealed to the public or social media under any circumstances.

Information that companies can collect from third parties and open sources about employees’ health

An employee’s medical records and history is protected under Indian data privacy law, irrespective of whether it has been obtained directly from the employee or a third party such as a hospital or medical practitioner. However, the data privacy law does not protect the information available in open sources such as the public domain.

Atul adds that organizations should implement policies that require employees to self-disclose information about their travel, health, and those of close contacts. However, where there are suspicions about someone’s health status or travel history, organizations could attempt to investigate the same through publicly available information with the overall objective of ensuring that the workplace remains secure.

Privacy concerns of COVID-19 infected employees

Vikram shares that an employee’s medical records and history are protected under Indian data privacy law. To that extent, the employer is required to maintain confidentiality and not disclosure the employee’s name or his medical condition to other employees or third parties. However, the Government may call upon an employer to disclose any infected employee or any employee that may have traveled to a COVID-19 affect country/area, and the employer may need to co-operate with the Government given public interest.

Atul adds, “The primary concern at present is to prevent the spread of the virus, which can be achieved best by isolating individuals who may be infected or at risk of infection. To that extent, it would be important for both individuals and organizations to vigilantly and actively provide necessary information to health care professionals and relevant government authorities to allow them to conduct contact tracing and help them contain further spread of the virus. Individuals that the infected employee may have come into contact at the workplace should certainly be warned to self-isolate and to seek medical help if they are symptomatic.”

As mentioned before, it would be advisable for organizations to update their internal policies to inform and educate employees that such information may need to be shared on a need to know basis to enable the organization to comply with workplace health and safety obligations.

People Matters is continuously monitoring this rapidly developing situation and provide updates as appropriate, including updating this FAQ on an as-needed basis. Make sure you are following People Matters #COVID19 to gather the most up-to-date information. In case you have any questions about regulatory frameworks around workforce management, drop an email to editorial@peoplematters.in