In the modern workplace, employees hold a fundamental right to personal space and the confidentiality of their personal information. Yet corporate policies often take precedence, compelling employees to consent to digital monitoring. This grants companies the authority to oversee their employees' digital activities. Employers use various technologies to track a spectrum of workplace behaviours (the digital footprint), delving into metrics such as productivity, collaborations, project-specific hours invested, and more. In today's fast-paced world of technology and information, it's crucial to understand the rights of people whose data is being used. This article focuses on the important privacy concerns of employees and the laws in India that deal with these matters.
Collection of Sensitive Personal Data or Information (SPDI): Businesses collect SPDI from their employees for a variety of reasons, including during the hiring process, record retention, employee assessments, and other business purposes. When this information is collected and subsequently divulged or transmitted to third parties, the workers' confidentiality is jeopardised.
According to Rule 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (the “IT Rules”), no company may collect sensitive personal data or information unless:
Apart from collecting SPDI, employers routinely observe employees' actions. Records of telephone conversations and computer surfing are retained, invading employee privacy. When an employee joins a company, he commits to submitting only the information necessary for the job and no other personal information.
While technology brings numerous benefits, it also raises important considerations. In today's workplaces, employees commonly utilize company-provided technological tools like cell phones, laptops, and email. With the advent of GPS tracking, companies have a compelling business interest in monitoring employees' travel and resource usage. This may involve accessing data from personal email, chats, or social media accounts used on corporate devices. Such practices can potentially encroach upon employees' right to privacy. Hence, it is important to consider what laws would govern the right to privacy of the employees.
The Information Technology Act, 2000 and the IT Rules are the prominent data protection laws in India. According to the IT Act and the IT Rules, “personal information” and “sensitive personal data or information” - specifically, passwords, financial information, such as bank account, credit and debit card details, and other UPI based payment information, physical, physiological, and mental health conditions, sexual orientation, medical records and histories, and biometric information - are perpetually to be protected. However, there was no framework specifically governing the privacy rights of individuals and restricting the practices of companies or employers.
However, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) has recently been introduced. Under section 5 of the DPDP Act, it has now become mandatory for any company (or any other entity, for that matter) collecting user data to obtain express permission from such persons (with certain exceptions). Furthermore, persons who provide their consent for the collection of their data also have the right to withdraw such consent, and the company is then required to cease the collection of such data within a reasonable time.
Up until now, companies have had an overwhelming advantage over their employees concerning the data collection and other consent terms present in the agreement, contract or signing letter. In an ideal world, both parties should have had equal footing, with reasonable consent terms for the employees; however, this has not been the case up until now. In time, though, questions about various aspects of withdrawal or constraints on consent in the workplace will surface. It remains to be seen who will bear the responsibility of privacy protection: the individual or the company. At the moment, it appears that this weight is placed on the individual, who is, ironically, the one whose right is to be maintained.
The DPDP Act emphasises the limitation and accountability requirements. Section 8 imposes multiple requirements on data fiduciaries (employers) because they are “responsible for complying” with the legislation and any later implementation procedures. This is true, as with GDPR, for processing carried out by them and by any other processor on their behalf. Furthermore, employers must take the following into consideration:
Any non-compliance with or breach of the provisions of the DPDP Act may attract severe penalties, including but not limited to fines ranging from ₹10,000/- (Indian Rupees Ten Thousand Only) up to ₹2,50,00,00,000/- (Indian Rupees Two Hundred and Fifty Crores Only).
Previously, in India, employee data protection laws were not rigorously upheld. This was largely due to lenient company policies that permitted unfettered collection and processing of employee data, coupled with the existing state of Indian laws. Additionally, there was a widespread lack of awareness regarding the implications of such blatant infringement on employee privacy rights. Eventually, this practice became commonplace, turning into an industry standard for companies, firms, and organizations alike to collect and process employee data without significant scrutiny. With the implementation of the DPDP Act, there are now safeguards in place to regulate these activities. This legislation also holds companies accountable for mishandling, unauthorized use, and exploitation of employees' personal data, as well as non-compliance with the DPDP Act. This signifies a positive stride towards transparent management of employee data rights. There is now an imperative to educate employees about their privacy rights and how they can be safeguarded.
For more information and details concerning data protection laws, compliance mechanisms, and privacy rights, contact us at info@waterandshark.com.