Search Your Queries Related To Trilegal


COVID-19 – Key Issues Faced in the Technology Sector

10 Apr 2020

Cloud thumb image
The spread of COVID-19 and the consequent nationwide lockdown in India is having a far-reaching effect for companies across various sectors. In this update, we address some of the common issues that ‘tech’ companies amongst others are facing while managing business continuity and employees.

Ever since the World Health Organization declared novel coronavirus (COVID-19) as a pandemic on 11 March 2020, various countries, including India are on high alert to contain the spread of COVID-19 cases. The Indian Central and State governments have issued multiple advisories, notifications and regulations on work from home, travel and healthcare, in addition to declaring a 21-day nationwide lockdown till 14 April 2020. In this update, we address some of the common issues that tech companies are facing in the backdrop of COVID-19 lockdown.

Frequently Asked Questions

  • Privacy and Data ProtectionAs COVID-19 continues to rapidly spread across countries, companies are looking at making important decisions to ensure the health of their employees and safety of the workplace. Data plays a crucial role in these decisions; however, it is also important to balance it with an individual’s right to privacy while finding solutions amidst this pandemic. For example, we have seen companies requesting their employees, consultants, visitors, etc. to provide information about their health including medical reports, travel history, exposure to potential COVID-19 cases. In this backdrop, we address some of the common queries below.

    Do Indian data protection laws provide any guidance on either permitting or restricting the collection of personal data to identify COVID-19 cases?

    Yes. Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules) governs the collection and processing of personal information of any individual in India. Certain categories of information such as information relating to an individual’s physical, physiological and mental health condition, medical history, etc., are considered as sensitive personal information (SPI). This would include any medical/health data of an employee or his/her family members (including medical certificates), their symptoms and information about exposure to potential or confirmed COVID-19 cases. Other information such as one’s travel history is considered as personally identifiable information (PI).

    While PI can be collected without explicit consent, the Data Protection Rules impose several obligations on companies for the collection and disclosure of SPI. They mandate obtaining the consent of the information provider before the collection of any SPI. Further, SPI is only to be collected under a lawful purpose and when its collection is necessary for that purpose. Therefore, employers collecting any sort of medical or exposure information from their employees must obtain prior consent. Such consent must also state the purpose for which the SPI is being collected, the intended recipients (if any), and the individual must have knowledge of the fact that his/her SPI is being collected. This would be applicable for the collection of medical information regarding the individual’s family members and/or requiring the employee to produce medical certificates. Typically, most privacy policies cover such collection and processing of SPI by the employees and if such SPI is collected as provided in the privacy policies, that will be sufficient.

    How can I obtain consent from such an employee, consultant or visitor for collection of their medical information?

    Consent is often procured by employers for general health monitoring and health check purposes through existing terms of employment read with HR policies or employee handbooks. The first step would be for companies to assess their existing employment contracts, HR policies (including data or privacy policies) or handbooks to see if the consent they have already obtained is sufficient for the purpose of obtaining the SPI. If it is, the company does not need to seek consent afresh.

    If not, employers can consider taking explicit consent when they conduct health checks, screen temperatures or collect medical data. Employers may also rely on various government advisories requiring them to undertake preventive measures such as asking employees to undergo health checks at the workplace. This has been covered in further detail along with other issues in our employment update on COVID-19 available here and here. However, if an existing consent framework is not in place, employers can consider obtaining it as a part of their action plan steps.

    Several establishments are also monitoring the temperature of their employees, visitors, guests by way of thermal screenings. If the temperature is not being collected or processed in any form – for instance, thermal scanners at entrances that simply alert security staff about persons with high temperature without in any way identifying them or associating the identified person with any other personal information in the company’s possession, this would not amount to collection of SPI and there would be no requirement to seek prior consent.

Download PDF to read more

Subscribe to our Knowledge Repository

If you would like to receive content directly in your inbox from our knowledge repository, please complete this subscription form. This service is reserved for clients and eligible contacts.


    Under the rules of the Bar Council of India, Trilegal is prohibited from soliciting work or advertising in any form or manner. By accessing this website,, you acknowledge that:

    • You are seeking information about Trilegal of your own accord and there has been no form of solicitation, advertisement or inducement by Trilegal or its members.
    • This website should not be construed as providing legal advice for any purpose.
    • All information, content, and materials available on this website are for general informational purposes only.
    • Any information obtained or material downloaded from this website is completely at the user’s volition, and any transmission, receipt or use of this website is not intended to, and will not, create any lawyer-client relationship.
    • Information on this website may not constitute the most up-to-date legal or other information. Trilegal is not liable for the consequences of any action taken by any person based on any material or information available on this website, or for any inaccuracy in or exclusion of any information or interpretation thereof.
    • Readers of this website or recipients of content or information available on this website should not act based on any or all such content or information, and should always seek advice of competent legal counsel licensed to practice in the appropriate jurisdiction.
    • Third party links contained on this website re-directing users to such third-party websites should neither be construed as legal reference / legal advice, nor considered as referrals to, endorsements of, or affiliations with, any such third party website operators.
    • The communication platform provided on this website should not be used for exchange of any confidential, business or politically sensitive information.
    • The contents of this website are the intellectual property of Trilegal.

    We prioritize your privacy. Before proceeding, we encourage you to read our privacy policy, which outlines the below, and terms of use to understand how we handle your data:

    • The types of information we collect and why we collect them.
    • How we use your information to provide a personalized experience.
    • The measures we take to ensure the security of your data.
    • Your rights and choices in managing your personal information.
    • How we may share information with trusted partners for specific purpose.

    For more information, please read our terms of use and our privacy policy.

    Up arrow