Ever since the World Health Organization declared novel coronavirus (COVID-19) a pandemic on 11 March 2020, various countries, including India, have been on high alert to contain the spread of COVID-19 cases. The Indian Central and State governments have issued multiple advisories, notifications and regulations on work from home, travel and healthcare, in addition to declaring a 21-day nationwide lockdown till 14 April 2020. In this update, we address some of the common issues that tech companies are facing against the backdrop of the COVID-19 lockdown.
Do Indian data protection laws provide any guidance on either permitting or restricting the collection of personal data to identify COVID-19 cases?
Yes. Section 43A of the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules) governs the collection and processing of personal information of any individual in India. Certain categories of information such as information relating to an individual’s physical, physiological and mental health condition, medical history, etc., are considered as sensitive personal information (SPI). This would include any medical/health data of an employee or his/her family members (including medical certificates), their symptoms and information about exposure to potential or confirmed COVID-19 cases. Other information such as one’s travel history is considered as personally identifiable information (PI).
While PI can be collected without explicit consent, the Data Protection Rules impose several obligations on companies for the collection and disclosure of SPI. They mandate obtaining the consent of the information provider before the collection of any SPI. Further, SPI is only to be collected under a lawful purpose and when its collection is necessary for that purpose. Therefore, employers collecting any sort of medical or exposure information from their employees must obtain prior consent. Such consent must also state the purpose for which the SPI is being collected, the intended recipients (if any), and the individual must have knowledge of the fact that his/her SPI is being collected. This would be applicable for the collection of medical information regarding the individual’s family members and/or requiring the employee to produce medical certificates. Typically, most privacy policies cover such collection and processing of SPI by the employees and if such SPI is collected as provided in the privacy policies, that will be sufficient.
How can I obtain consent from such an employee, consultant or visitor for collection of their medical information?
Consent is often procured by employers for general health monitoring and health check purposes through existing terms of employment read with HR policies or employee handbooks. The first step would be for companies to assess their existing employment contracts, HR policies (including data or privacy policies) or handbooks to see if the consent they have already obtained is sufficient for the purpose of obtaining the SPI. If it is, the company does not need to seek consent afresh.
If not, employers can consider taking explicit consent when they conduct health checks, screen temperatures or collect medical data. Employers may also rely on various government advisories requiring them to undertake preventive measures such as asking employees to undergo health checks at the workplace. This has been covered in further detail along with other issues in our employment update on COVID-19 available here and here. However, if an existing consent framework is not in place, employers can consider obtaining it as a part of their action plan steps.
Several establishments are also monitoring the temperature of their employees, visitors and guests by way of thermal screenings. If the temperature is not being collected or processed in any form (for instance, where thermal scanners at entrances simply alert security staff about persons with high temperature without in any way identifying them or associating the identified person with any other personal information in the company’s possession), this would not amount to collection of SPI and there would be no requirement to seek prior consent.