The World Health Organization classified COVID-19 as a pandemic in early March, 2020. Consequently, countries across the globe have taken unprecedented steps to curtail the spread of COVID-19. These steps have caused a lot of disruptions to the way businesses operate, including mandating a work-from-home policy on a scale never before seen.
Considering the implications of COVID-19, employers across the globe are rushing to collect information about their employees including (a) their personal travel plans, and (b) their medical information.
In today’s world where there is a lot of talk about data privacy and protection, the question arises as to whether employers can collect their employees’ personal information. The answer to this is yes and no. While there is no bar on employers collecting the personal information of their employees, there are certain procedures that employers will need to follow. In this article, we will break down the procedures that employers will need to keep in mind whilst collecting personal information of their employees.
What regulations govern employers collecting their employees’ personal information?
In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPI Rules”) govern the processing of personal information. Please note that the Personal Data Protection Bill, 2019, more commonly referred to as the PDP Bill, is still a draft and is yet to get legislative approval. This article does not speak about the same as it is not law as of today.
The SPI Rules govern 2 (Two) categories of personal data – (i) personal information and (ii) sensitive personal information.
In the current context, information such as the name of the employee and the details of his/her travel plans will be treated as personal information whereas the employee’s medical data will be treated as sensitive personal information.
How can employers collect personal and sensitive personal information?
Employers can collect personal information of their employees if: (a) the same is expressly permitted by law; or (b) if there are any exceptions expressly provided by law.
Employers can collect personal information (such as the travel history of their employees) by providing their employees with a privacy policy. However, employers will need the express written consent of their employees prior to collecting sensitive personal information (such as the medical history of the employee). Typically, this requirement is covered in the privacy policy of the employer and the consent obtained by the employer at the time of onboarding the employee.
Employers will also need to inform the employee of (a) the reason why such personal or sensitive personal information is being collected, and (b) the duration for which sensitive personal information will be stored.
Can employers share the medical details of an employee with other employees?
No. This is something that employers cannot do. In addition to the SPI Rules, the medical profession is governed by the Medical Council of India’s Code of Ethics which mandates patient information confidentiality. However, as mentioned before, the consent obtained from the employee at the time of onboarding would typically include consent being granted to the company doctor to share medical information with the employee in medical situations like the one we are facing now.
Therefore, if an employee has tested positive for COVID-19, the employer will be required to take measures to stop the spread of COVID-19 to other employees but this will not allow the employer to either share the name or medical information of the employee.
What can employers do if employees refuse to share their sensitive personal information?
Technically, employees can refuse to share their medical details with employers under the SPI Rules.
In such a case, it will not be possible for employers to force employees to give up their medical information. In this scenario, if an employee is displaying flu-like symptoms and is unwilling to co-operate, it is recommended that the employer inform the local health authorities about the same, who may have additional powers to enforce compliance.
What happens if employers have failed to obtain the consent of their employees?
Although the situation is serious, employers will be held in violation of the SPI Rules if they collect their employees’ personal information in a manner contradictory to the SPI Rules. Hence, we would recommend that employers (a) review their privacy policy to ensure they have sufficient consent and if not, immediately send notice to employees seeking consent, and (b) obtain the explicit consent of the employees prior to collecting any sensitive personal information if the same has not been done till now.
Are there any additional requirements employers will need to keep in mind whilst collecting employee information?
The SPI Rules stipulate certain additional requirements that employers will need to have in place prior to collecting any employee information. Firstly, the employers will need to implement reasonable security practices and procedures such as ISO 27001. Secondly, employers will need to appoint a grievance officer who will be responsible to ensure compliance with the SPI Rules.
Please note that the information above is valid as of the date of publication. Considering the speed at which this is evolving, it will not be surprising if the Government notifies new measures to be followed by employers.
Disclaimer: This post has been prepared for informational purposes only. The information and/or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.