Here’s what employers must know about employee privacy rights
Technology has blurred the lines between professional and personal space of an individual. Employee’s privacy at workplace is a complex issue today as companies can virtually monitor all employee communications, in or outside the office. Organizations increasingly use digital tools to monitor employees for productivity, enforce discipline or protection of property. Monitoring could involve video and audio surveillance, monitoring of computer/ emails, mobile devices, GPS/ location tracking, etc.
The question is whether employee surveillance by companies in India legal?
While the employees may largely believe this to be intrusive of their personal space, the law does permit this to a certain extent.
Legal position in India
While labour laws in India are mostly employee-friendly, none of them deal with privacy rights of the employees. Currently, Section 43A and Section 72A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) formulated under Section 43A of the IT Act govern data privacy and protection. The law provides civil liability and compensation of up to INR 5 crores if an organization fails to implement and maintain reasonable security practices when handling sensitive personal data or information (SDPI). Also, there are criminal sanctions for disclosure of ‘personal information’ acquired in the course of providing services, in breach of lawful contract or without the information provider’s consent, with an intent to cause wrongful loss or gain.
What employer needs to do?
Employer’s collect and store a lot of personal information of the employees as well as potential candidates/ recruits. This could include financial information, health data, and records for insurance and other purposes, biometric details for login/ attendance, etc. Some of this information such as password, financial information, physical, health condition, biometric information, etc. qualifies as sensitive personal data (SDPI) defined under the SDPI Rules and needs specific compliances by organizations.
Before a company collects SDPI, it needs to seek consent of the individual. Such consent must be in writing and documented. The employer must also inform the individual about what:
- SDPI is being collected,
- how will it be used,
- how long will it be retained,
- whether it will be transferred to a third party.
- Law mandates that individual has a right to edit/ modify his personal data, or even withdraw consent where he does not wish to allow access of his sensitive data to a third party. As an employer, one must enable requisite IT and HR systems in place to implement these rights.
- Organisations must implement and maintain reasonable security practices for dealing with SDPI. The SDPI Rules have prescribed ISO/270001 as one such standard.
- If employer needs to share the employee’s SDPI with a third party (such as outside vendors/ professional firms for appraisal process/ insurance brokers or companies for health benefits, actuaries, etc), employer must ensure that such third parties comply with same level as protection as the employer. Any third party transfers must be documented by the employer and liability of intermediary be negotiated upfront in case of any mishandling of SDPI.
- Companies also need a designated grievance officer for lodging and addressing any complaints under the SDPI Rules.
Is surveillance legal?
The jurisprudence around this area has still not evolved in India. However, in UK and Europe, there have been several instances wherein the courts have ruled in favor of employees where the employer’s actions were intrusive of personal privacy of the employees. As long as such surveillance is for such legitimate reasons and reasonable, and does not conflict with the employee’s personal space and privacy, law would uphold the same. It is therefore important that organizations provide for surveillance in their office / HR policies, informs the employees about monitoring of calls /emails, etc. in advance, as well as consequences thereof (such disciplinary actions/ termination in case of breach/ unacceptable behavior).
As the technology evolves, workplace dynamics will change with times. Law will need to keep pace and strike a balance with employee’s privacy rights on one hand, and employer’s legitimate business interests on the other. A new data privacy and protection legislation in India is in the offing and one would expect that it will address these emerging workplace privacy issues.