India: Data Protection and Privacy in the times of Covid-19

published on 8 May 2020 | reading time approx. 11 minutes

The outbreak of Covid-19 and the subsequent lockdown has led to several new adjustments for continued business. Even when the lockdown is lifted and employees begin returning to offices/workplaces in a staggered manner, everyone will have to get adapted to the “new normal”, which would include as much as social distancing as possible, increased work from home days in a week, temperature checks and increased medical & travel information collection from employees and visitors.

One of the biggest struggles for all businesses is to handle responsibilities regarding data privacy and protection, where the guidelines are still being developed and new challenges are being faced every day. India’s current data protection laws are neither as mature as compared to the rest of the world, nor do we have strict enforced penal provisions under current laws (such as the European Union General Data Protection Regulations). Thus, it becomes the moral, ethical and technical responsibility of businesses to derive best practices in these changed times and be able to adapt the best ways to collect, protect and use the additional data collected during the pandemic continuation.

• Brief background into present data law and practice »

• Considerations for work-from-home »

• After lockdown – steps taken and queries faced »

• AarogyaSetu app – data privacy concerns »

• Are you set-up with your new policies? »

• Conclusion and Way forward »

 
Brief background into present data law and practice

The Information Technology Act 2000 (“IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Sensitive Personal Data Rules”) are the principal legislations governing the collection and processing of personal information and sensitive personal data or information on a sector neutral basis in India, currently.
 
Section 43A of the IT Act explicitly provides that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected. Sensitive Personal Data includes passwords, financial information like bank account, credit card or debit card, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information, etc.
 
The data privacy policy should be clearly published on the website of the body corporate and should contain details on the type of information that is being collected, the purpose for which it has been collected and the reasonable security practices that have been undertaken to maintain the confidentiality of such information. Some of the rules imposed on body corporates while maintaining such data includes obtaining sufficient consent from the person(s) and informing the person(s) of the reasons of the data collection and how & why it is being collected/ stored, the collecting and storing information is for lawful purpose only and used only for the purpose informed. The information can be reviewed & corrected by the person(s) and the body corporate must safely delete the information if the purpose has been fulfilled and it is not needed under any law for the time being in force. Security of information must be maintained and a grievance officer appointed to address any matters related to data privacy.  However, there is a stark absence of guidelines given on how the data should be accessed, processed, maintained or deleted.
 
It is also interesting to note that the regulations provide that a body corporate must seek prior permission of the information provider before disclosing such information to a third party unless the request for such information is made by government agencies mandated under law or any other third party by an order under law.
 
The current IT Act provides atleast a broad guideline as to the measures that should already be in place and if not, should be undertaken immediately. As the lines of data privacy and use during the Covid-19 pandemic becomes blurry due to the increased number of Government circulars and notifications for businesses to undertake, the basics of consent and security measures should already be in place to safeguard businesses in the long run.
 

Considerations for work-from-home

In order to be able to continue with businesses, Work from home (WFH) is the foreseeable future for those in the professional and service sector. In this regard, the practical approach has been to communicate constantly with your employees regarding data privacy and protection policies. It is important to trust your employees in these tough times and to remain as vigilant towards cyber-attacks as possible, however, to secure the organization, it is equally important for the company to remind employees of their confidentiality duties of the data available with them regarding their clients/customers as well as the liabilities that will befall both the organization and the employee for such voluntary and/or careless breaches.
 
Some of the work from home policies have included informing the employees to ensure the following:

• Use of safe network connection devices given by the company/network hotspot from your phone and not to use free/open Wi-fi networks.
• Use the hardware given by your company only. Keep it safe, locked, out of harm’s way from your pets or children.
• Use VPN that encrypts your connection with the company network, provides security from additional threats like malware. Do not disable the VPN until the time you shut down your computer.
• Transfer of data as per the company policies, through the dedicated exchange platform or zip files with password protection as far as possible.
• Files/emails should not be sent through private email accounts even if you have issues using your company’s email account for the time being.
• Keep passwords and logins safe and change them often. Internet scammers and hackers are possibly more of a threat now than ever before.
• Do not make too many copies of data on desktop or forget to save and store them on the server, even if the server is slow.
• Threat alerts, phishing attacks are real threats which can destroy data and cause harm to the entire company. Report it to your IT department and be careful to download and use any other applications other than those approved by your company’s IT department.
• Do not download and use Zoom or other video conferencing applications on your computer which has data privacy concerns. Contact your IT department for the company software applications designed for this purpose only.

After lockdown – steps taken and queries faced

The real queries for the management and HR of the company are being faced as the lockdown lift is approaching. There have been several measures made mandatory by the Government in order for employees to be able to return to their offices, once the lockdown in the Indian states are lifted. Apart from the social distancing, additional sanitization requirements, reduced staff capacity, shift requirements for lunch, etc the other requirements include temperature testing and recording of medical and travel information of employees and their family members. Therefore, several questions now arise, such as:

• How long does this information require to be retained and recorded? The outbreak may reduce in a month or so but experts have predicted it will be years before normalcy has been reached. In such a case, how much information collected is sufficient and for how long should it be retained?
• Is it necessary to obtain consent from each person again for this additional information, given that the Government is making this into a mandatory requirement? This includes, information of children of employees and their medical conditions. Are there any additional protective security measures to be made in such cases or Sensitive Personal Data of minors?
• In case an employee has been found to have elevated temperature and symptoms of a cold and the employee is sent for a check up to the hospital, the medical tests of such employee has to be handed over to whom and at what stage? How long does this information need to be retained? How obligated is an employee to take such medical tests and provide it to the HR?
• If an employee tests positive for Covid-19, is the obligation of the employer only to evacuate the premises or release the name of the employee to all other employees so that they are aware of the contact they may have had with that particular employee? Considering the stigma and victimization events of those suffering from Covid -19 or suspected of contracting it, this matter is highly sensitive and internal protocols must be set so that false alarms are not raised – what are the internal protocol guidelines in this matter?
• When and how does the employer use/ maintain/delete this additionally collected information like travel history, especially of clients/customers arriving from abroad? What kind of onus for reporting on foreigners is on the organizations and to whom?
•  Government is encouraging the use of Aarogyasetu mobile application as a mechanism for detecting Covid-19 suspected persons in the vicinity. Whether employers are required to make use of this app mandatory by their employees as a preventive measure in their premises or is it an infringement of personal privacy rights for employees?

These are only a few of the questions faced by companies and employers in the wake of the pandemic. The Government has not provided any details or guidelines regarding these privacy and data concerns. In the absence of the same, it is recommended that organizations brief their employees, staff, persons visiting the premises, clearly, of the information being collected, its use and security measures of retention. Furthermore, if additional consents can be taken from employees for the new requirements, now is the time to do so.
 

AarogyaSetu app – data privacy concerns

With the pandemic progressing and Governments demanding for more and more Sensitive Personal Data, it has to be wondered whether data privacy infringement is being extended not only to corporate offices and employers but also to actions taken by the Government and Government controlled enterprises to prevent and curb the pandemic. Contact tracing, surveillance, technological tools proposed as solutions come dangerously close to breaching “the right to privacy”. There are no guidelines in India for online data protection and no policies set out for how the Government stores and protects the data collected from such apps. In the absence of the same, the Government has to balance the onus of Sensitive Personal Data protection of persons amongst the need of the hour during this pandemic.
 
Like other countries which have developed such technological tools (eg. TraceTogether), the AarogySetu app in India is designed to keep track of other AarogyaSetu users that a person came in contact with, and alert him or her if any of the contacts tests positive for Covid-19. It achieves this using the phone’s Bluetooth and GPS capabilities. The application will keep a record of all other AarogyaSetu users that it detected nearby using Bluetooth, and also a GPS log of all the places that the device had been at 15-minute intervals. These records are stored on the phone till the time any user tests positive or declares symptoms of Covid-19 in a self-assessment survey in the app. In such cases, the records are uploaded to the Government servers. A unique digital identity is generated for every user. When two users of this App are nearby for the Bluetooth of the phones to catch it, this unique digital identity is exchanged along with the time and location of the meeting. When an app user tests positive, all unique digital identities in his or her records get an alert on the risk they face and instructions on self-isolation and next steps. Like other such apps, the success of this app depends on how many users download and use the app.
 
The app collects a set of personal information such as name, sex, age, phone number, current location and travel history that is uploaded to government servers. The app policy goes into some detail on where and how long the data will be retained, but it leaves the language around who will have access to it rather vague. As per the policy, “persons carrying out medical and administrative interventions necessary in relation to Covid-19” will have access to the data, which suggests interdepartmental exchanges of people’s personal information, which can have negative ramifications in case of misuse or hacks. In other countries, health authorities are leading the efforts to respond to Covid -19. For example, in Singapore only its health ministry can use these server systems or have access to any limited data/interaction which is shared with them. In India, multiple committees have been set up in the context of Aarogyasetu or other technology responses to the pandemic. Further, use of both GPS and Bluetooth seems to be rather in abundance in comparison to other apps.
 
Technical loopholes such as having a stagnant unique identity number which could be easily hacked is also a matter of question. The Internet Freedom Foundation (IFF) has said that India lacks a proper data protection law and, in addition, the application would be useless for the low-income non-smartphone users.
 
Such technological tools, their use and privacy concerns is an important feature here since employees and visitors of your organization would be using this app. The Union Health Ministry recently announced that the use of Aarogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the head of the respective organisations to ensure 100 per cent coverage of this app amongst the employees. What is the onus of the employee who may find someone in the vicinity of the organization as positive to inform the management? How much of trust and reliance should be placed on the app which shows that someone has tested positive and the employer must declare protocols for evacuation and quarantine? What measures have to be done in order to guarantee 100 per cent employee support since employees have to download the app willingly on their personal phones?
 
Thus, the use of this app being mandatory doubtless raises concerns for individuals as well as companies who are required to enforce it. Without effective guidelines for enforcement of this requirement, what kind of penalty and onus is being placed on companies for the same?
 

Are you set-up with your new policies?

While organizations are already struggling to match up to the new requirements of adjusting their businesses during the pandemic and lockdown, it is necessary to take the below into consideration and implement policies not done hereto or to remind employees, sub-contractors, vendors, again of the confidentiality and data protection policies set in place. Some of the measures that organizations need to implement as soon as possible include:

• Update your HR policies to include the new functionalities for data collection and protection of your employees such as taking temperature records every day of office, taking records of them and family members’ travel and medical history, access to home office, etc.
• Take employee consent for Sensitive Personal Data processing, maintaining and retention in the wake of the pandemic.
• Prepare internal policies with your HR, IT and management and use judicious and reasonable sense while collecting, maintaining and storing such Sensitive Personal Data. The internal policies should outline not asking for more than required information and not storing for more than required period, that is, effectively deleting such Sensitive Personal Data post the pandemic. Measures of how to delete this data should also be outlined.
• The internal protocols must be developed regarding when to require someone to go for a medical check-up, what to do with the results, how to handle a Covid -19 positive case, when to report to outside authorities/ government, how to inform and evacuate other employees, how to treat the data of medical and travel history or clients/ customers/ visitors, especially from other countries.
• IT and data security, privacy and confidentiality policies should be updated considering the new norm of work from home and employees updated about the same.
• Use of the Aarogya Setu app is said to be made mandatory for public and private sector companies. Effective emails, protocols, guidelines and policies have to be developed to enforce the same within the company.

Conclusion and Way forward

The new Indian Personal Data Protection Bill, 2019 has not yet been enacted into law, which would effectively bring India into the same ring as other countries in the data privacy and protection regime. In the absence of implementation of strong data protection laws in India, our guard should not be let down. Rather, it is imperative to note that sooner or later, the data privacy and protection rules will surface and disputes and claims by individuals, employees, family members of employees, visitors, clients, customers, etc will arise, especially during this crucial pandemic period when data misuse can be rampant and highly dangerous on a personal and organizational capacity.
 
Thus, it becomes crucial for organizations to cover the requirements which have already been existing and adapt to the new requirements during the Covid-19 outbreak for data privacy and protection. Informed consent becomes the most important step all organizations can implement. Moral, ethical, judicious and reasonable policies must be implemented to safeguard the employees and the organization in the best possible manner.