
Empowering Employees: Impact of Data Protection Laws in India

October 18, 2023 waterandshark

Introduction:

In the modern workplace, employees hold a fundamental right to personal space and the confidentiality of their personal information. Yet, often, corporate policies take precedence, compelling employees to consent to digital monitoring. This grants companies the authority to oversee their digital activities. Employers employ various technologies to track a spectrum of workplace behaviours (digital footprint) delving into metrics like productivity, collaborations, project-specific hours invested, and more. In today's fast-paced world of technology and information, it's crucial to understand the rights of people whose data is being used. This article focuses on the important privacy concerns of employees and the laws in India that deal with these matters.

Basic workplace privacy concerns:

Collection of Sensitive Personal Data or Information (SPDI): Businesses collect SPDI from their employees for a variety of reasons, including during the hiring process, record retention, employee assessments, and other business purposes. When this information is collected and subsequently divulged or transmitted to third parties, the workers' confidentiality is jeopardised.

According to Rule 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (the “IT Rules”), no company may collect sensitive personal data or information unless:

  1. The information is used for a legitimate purpose connected to the Business's or the Company's regular functioning and activities, and
  2. The collection of such information is deemed necessary.

Apart from the SPDI, employers routinely observe employees' actions. Records of telephone conversations and computer surfing are retained, invading employee privacy. When an employee joins a company, he commits to submit only the information necessary for the job and no other personal information.

Technology a double-edged sword:

While technology brings numerous benefits, it also raises important considerations. In today's workplaces, employees commonly utilize company-provided technological tools like cell phones, laptops, and email. With the advent of GPS tracking, companies have a compelling business interest in monitoring employees' travel and resource usage. This may involve accessing data from personal email, chats, or social media accounts used on corporate devices. Such practices can potentially encroach upon employees' right to privacy. Hence, it is important to consider what laws would govern the right to privacy of the employees.

Employee Privacy Laws

The Information Technology Act, 2000 (the "IT Act") and the IT Rules are the prominent data protection laws in India. According to the IT Act and the IT Rules, "personal information" and "sensitive personal data or information" (specifically: passwords; financial information such as bank account, credit and debit card details, and other UPI-based payment information; physical, physiological, and mental health conditions; sexual orientation; medical records and histories; and biometric information) are perpetually to be protected. However, there was no framework specifically governing the privacy rights of individuals and restricting the practices of companies or employers.

However, the Digital Personal Data Protection Act, 2023 ("DPDP Act") has recently been introduced. Under section 5 of the DPDP Act, it has now become mandatory for any company (or any other entity, for that matter) collecting user data to obtain express permission from such persons (with certain exceptions). Furthermore, persons who provide their consent for the collection of their data also have the right to withdraw such consent, and the company is then required to cease the collection of such data within a reasonable time.

Up until now, companies have had an overwhelming advantage over their employees concerning the data collection and other consent terms present in the agreement, contract or signing letter. In an ideal world both parties would have had equal footing, with reasonable consent terms for the employees; however, that has not been the case so far. In time, though, questions about various aspects of withdrawal of, or constraints on, consent in the workplace will surface. It remains to be seen who will bear the responsibility of privacy protection: the individual or the company. At the moment, it appears that this weight is placed on the individual, who is, ironically, the one whose right is to be maintained.

Obligations of the Employers

The DPDP Act emphasises the limitation and accountability requirements. Section 8 imposes multiple requirements on data fiduciaries (employers) because they are "responsible for complying" with the legislation and any later implementation procedures. As with the GDPR, this holds for processing carried out by them and by any other processor on their behalf. Furthermore, employers must take the following into consideration:

  1. Changing and correcting the data: Employees have the right to know what data an employer has on file about them, as well as the right to correct, complete, update, and delete this data. HR professionals should think about this clause and document what happens to employee data when employment ends.
  2. Access to data: Employers must have systems in place for handling employee requests for access to personal data. Section 11 empowers employees to demand the identities and descriptions of all data fiduciaries with whom their data has been shared.
  3. Transferring personal data: Companies that outsource payroll or financial services such as accounting or bookkeeping will need to review their existing contracts to ensure that such vendors are required to have protection procedures in place to secure personal data.
  4. Record retention: Companies will have to keep data for as long as it takes to fulfil the task for which it was obtained, or as long as needed by law. This should also be matched with document retention standards so that firms can justify why data was maintained if necessary.
  5. Data safeguarding measures: To prevent data breaches and enable effective law enforcement, data must be protected by proper technical and organisational methods, as well as security precautions. This also applies when the employer uses third-party processors for things like payroll management. Employers must re-verify security measures to ensure they are in accordance with security obligations. In the event of a breach, the employer must notify each affected employee as well as the Data Protection Board. The method of notification has yet to be established.
  6. Grievance Redressal: Companies must have data grievance redressal systems in place and reply to employees within the specified time frame, which has yet to be communicated.
  7. Appointing a Data Protection Officer and an Independent Data Auditor: The government may designate specific Data Fiduciaries (entities that collect and process personal data) as "Significant Data Fiduciaries," taking into account considerations such as the volume and sensitivity of personal data processed, dangers to user rights, national security, and public order. These Significant Data Fiduciaries must appoint a Data Protection Officer (based in India), who will answer directly to the Board of Directors, and an Independent Data Auditor.

Any non-compliance with or breach of the provisions of the DPDP Act may attract severe penalties, including but not limited to fines ranging from ₹10,000/- (Indian Rupees Ten Thousand Only) up to ₹2,50,00,00,000/- (Indian Rupees Two Hundred and Fifty Crores Only).

Conclusion

Previously, in India, employee data protection laws were not rigorously upheld. This was largely due to lenient company policies that permitted unfettered collection and processing of employee data, coupled with the existing state of Indian law. Additionally, there was a widespread lack of awareness regarding the implications of such blatant infringement of employee privacy rights. Eventually, this practice became commonplace, turning into an industry standard for companies, firms, and organizations alike to collect and process employee data without significant scrutiny. With the implementation of the DPDP Act, there are now safeguards in place to regulate these activities. This legislation also holds companies accountable for mishandling, unauthorized use, and exploitation of employees' personal data, as well as for non-compliance with the DPDP Act. This signifies a positive stride towards transparent management of employee data rights. There is now an imperative to educate employees about their privacy rights and how they can be safeguarded.

For more information and details concerning data protection laws, compliance mechanisms, and privacy rights, contact us at info@waterandshark.com
