trends legal magazine

Employment Law No 7

India | Poovayya & Co.

INDIA | The current framework focuses on the protection of ‘sensitive personal data or information’, with more comprehensive legislation to be formulated

Despite an increasingly digital-focused economy brought about by the onset of the COVID-19 pandemic, the legislation governing the data protection and privacy issues inherent in many areas of employment law today is still being developed. Though the Government of India is promoting the use of digital workspaces, and policy and legislation are still being formulated, the current position on data protection and privacy is still largely regulated by the Information Technology Act, 2000 (the “IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”) made thereunder. Given the lack of comprehensive legislation, the position today is heavily subjective and reliant on individual employer policies.

In this background it is pertinent to note that the Supreme Court of India, in the case of K.S. Puttaswamy v. Union of India ((2017) 10 SCC 1), has recognized the ‘right to privacy’ as part of the right to life contained in the Constitution of India. This recognition would extend to personal information being shared by the prospective employees with employers. However, since the fundamental rights enshrined in the Indian Constitution are only enforceable against the ‘State’ or instrumentalities of the ‘State’, such rights might not be enforceable against employers in the private sector, who do not fall under the definition of the ‘State’.

Do I need consent to process employee data?

The SPDI Rules regulate the collecting, receiving, possessing, storing, dealing with or handling of the following information/data (collectively, “SPDI”): (i) passwords (i.e. any secret word or phrase or code or passphrase or secret key, or encryption or decryption keys that one uses to gain admittance or access to information); (ii) financial information (such as bank account or payment details); (iii) physical, physiological and mental health conditions; (iv) sexual orientation; (v) medical records and history; and (vi) biometric information.

In the event the data/information obtained from the employees (“Employee Data”) constitutes SPDI by falling under any of the categories of information listed above, consent is required from employees to collect, disclose, and transfer such Employee Data. As a matter of prudence, it would be advisable for employers to obtain a general consent for collection of Employee Data in any event.

What are the privacy and data protection issues inherent in alcohol/drug testing?

The data collected by way of alcohol/drug testing of an employee would constitute a medical record of the candidate and as such would be covered within the ambit of SPDI. Therefore, while collecting, receiving, possessing, storing, dealing with, or handling information pertaining to the alcohol/drug testing of the employee in electronic form, compliance with the SPDI Rules, including obtaining consent of the employee, would be required.

How can I legitimately monitor employees’ email, internet usage and social media?

There is no specific legal restriction with respect to monitoring employees’ email, internet usage and social media. In the event such monitoring involves collecting, receiving, possessing, storing, dealing with, or handling SPDI, the employer is required to comply with the requirements of the SPDI Rules, including obtaining consent of the candidate.

What are the limits of using artificial intelligence in employment?

The use of artificial intelligence (“AI”) is still in a nascent stage in India, and the Government of India has been promoting its development and application through various public policy think tanks and governmental committees. However, there is presently no comprehensive policy framework in place to address issues of data security and privacy in the use of AI by employers. The general restrictions and safeguards listed above would apply.

What are the data protection issues in whistleblowing?

While there are specific provisions with respect to a whistleblowing mechanism codified under the Companies Act, 2013 (the “Act”), the provisions specifically deal with the setting up of a ‘vigil mechanism’ for directors and employees to report genuine concerns with respect to a company. However, the provisions are applicable only to listed companies incorporated in India. Further, the Act does not specifically deal with data protection and privacy of the ‘whistleblowers’ and as such the regime remains policy-driven and heavily reliant on employer discretion, with no standard requirement for protection of the identity of whistleblowers.

Further, there is presently no specific legislation governing ‘whistleblowing’ for individuals, private/unlisted companies, firms, or sole proprietorships. Therefore, any issues arising out of data protection and privacy are to be dealt with in accordance with SPDI Rules and the IT Act as described above.

Written by:

Siddhartha George, Partner


Bhumika Maheshwari, Senior Associate


Shwetha K. Kumar, Senior Associate


Article from – TRENDS Employment Law No 7
