INTRODUCTION
With the digitisation of society and more and more reliance on modern methods, the realm of Right to Privacy has increased exponentially. Even though Right to Privacy has been talked about in Indian context since the landmark judgment of Kharak Singh v. State of Uttar Pradesh, [AIR 1963 SC 1295], the modern interpretation of the right gained relevance only with the historical judgment of Justice K.S. Puttaswamy v. Union of India, [(2017) 10 SCC 1] (the Puttaswamy case).
The Puttaswamy case declared the Right to Privacy as a fundamental right under Article 21 of the Constitution of India and stated it to be the very essence of an individual’s being. Since the judgment, India has witnessed several developments pertaining to data privacy, personal and sensitive data protection, and other such neighbouring concepts.
The corporate entities are bestowed with the responsibility of ensuring that robust data privacy measures are implemented and that the data processing and transfer mechanism of such corporate entities are secure. One of the biggest assets of any corporate entity is its employees. The companies should ensure that the data collected from the employees are safeguarded and secured at all costs. Similarly, even the employees should be aware about their privacy rights.
EMPLOYEES’ PRIVACY RIGHTS AND ISSUES
The Right to Privacy for employees has increasingly gained relevance with the digitisation of workspace. Majority of the corporate entities are technology-driven and have employee and user records stored virtually or in cloud storage systems.
Digitisation of workspace has made the data of employees more vulnerable to exposure or breach. The various ways in which the privacy rights of an employee might be affected are enumerated hereunder:
1. Surveillance: Physical and Virtual
Installation of CCTV cameras and other such recording devices is fairly common in workspaces. However, such installation or surveillance shall be opted for only after taking due consent from the employees.
Additionally, another aspect of surveillance is with regard to the virtual or digital surveillance in the form of tracking the screen time or browser histories of employees in the company devices or sometimes even personal ones.
For example, the email IDs used by the employees are usually provided by the employer and the same is subject to scrutinization by the administrator, i.e. the employer.
Employees should be vigilant about such surveillance measures and seek remedies in the event any untoward incident of physical and virtual surveillance takes place without the prior consent of the employees.
2. Background Checks
Before employment, there are certain organisations that call for strict background checks and this may go back to an enquiry into the smallest of aspects that an employee might prefer keeping private.
This aspect entails the idea of Right to be Forgotten and Right to Erasure in the sense that any employee has the right to seek deletion of his personal data from the records of the company.
3. Storage and Transfer of Data Records
During the course of employment, the employer collects varied kinds of data for different purposes such as financial data, personal and medical details, etc. Usually, the employee data records are retained even after termination of the employment, for the purpose of company records.
As discussed earlier, the employees should have the right to erase or retract their data once any employee is not associated with the respective company. Additionally, the companies should always obtain explicit consent from the employees before collecting, processing or transferring any employee data for any purpose whatsoever.
DATA PRIVACY LAWS ENCAPSULATING EMPLOYER-EMPLOYEE RELATIONSHIP
As far as employees’ rights are concerned, there are numerous legislations governing terms of employment, non-discrimination, maternity laws, wages and salary payable, etc. However, there is no specific legislation that governs the privacy rights of employees which in itself is a reflection of the current scenario of protection of personal data in India.
In the backdrop of the lack of data protection law in India, the privacy rights of employees can be derived from various statutes that directly or indirectly provide such protection. Some of the legislations which discuss the same are as hereunder –
Information Technology Act, 2000
Section 43A of the Information Technology Act, 2000 (IT Act) states that any corporate body possessing or dealing with any sensitive personal data (SPD), which fails to protect the same, shall be liable to pay damages by way of compensation to the person affected.
In furtherance of the above, the Government also introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules). These rules specifically deal with the obtaining of consent while processing SPD and also impose a responsibility on the corporate entity to inform the affected persons in the event of any data breach activity. The IT Rules define personal information which consists of information relating to:
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information;
- any detail relating to the above clauses as provided to body corporate for providing service; and
- any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
The IT Rules, however, exclude any private data that is freely available in the public realm by way of Right to Information Act, 2005. One of the most interesting and also debatable aspects of the IT Rules is that it regards “consent” as a very important aspect of privacy.
Section 72A of the IT Act provides for penalisation in case of disclosure of sensitive and personal information by an intermediary without the consent of the concerned individual in the process of providing of contractual services.
The abovementioned provisions provide remedy to any person; employee in the present case, whose personal data has been subject to undue exposure or processing.
Constitution of India
Right to Life and Personal Liberty as a Fundamental Right under Article 21 has been interpreted to include multifarious aspects. Post the Puttaswamy case, Right to Privacy has been included as an extension to Right to Life and Personal Liberty and the same shall be governing the aspect of Right to Privacy of employees at workplace.
Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 (PDP Bill) is an attempt at an all-comprehensive data protection law in India that covers within its ambit both personal as well as non-personal data including anonymised personal data. Once enacted, the PDP Bill will encompass all the data privacy issues in India.
Data Protection Bill, 2021
The Joint Parliamentary Committee on 16th December, 2021, released the Report of the Joint Committee on the Personal Data Protection Bill, 2019, which discusses the recommendations on the PDP Bill, seeks to safeguard the data privacy of citizens and aims to build a relationship of trust between the users and the entities which process the user data.
AMLEGALS REMARKS
The essential question that arises is that of the protection of personal interests amidst the open professional space. Data privacy is an important aspect which is to be considered in a workspace wherein multitude of data is being processed and stored for varied reasons.
Employees submit their personal and sensitive personal data to the employer in the confidence that the employer would protect such data. Hence, a huge responsibility lies on the employer to safeguard and rightfully process employee data.
Essentially, when it comes to employees’ Right to Privacy, an important aspect is that of drawing the right balance between the said right and the employer’s duty and responsibility to keep a rightful check on the actions of employees in the interest of the organisation. A line has to be drawn and either cannot be unconditional.
For any queries or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or aditi.tiwari@amlegals.com.
Leave a Reply