COVID-19 in India (Part 3): Data Privacy during Coronavirus crisis in India

What does the law say? 

Even though India has not yet enacted specific legislation on data protection, it did amend IT Act to include provisions, which give a right to compensation for improper disclosure of personal information. The Government subsequently issued the “Rules” which impose additional requirements on commercial and business entities to collect and disclose SensitivePersonal Data or information which have some similarities with the GDPR and the Data Protection Directive.  It is important to note that Sensitive Personal Data can only be collected by a body corporate by complying with the provisions of the Sensitive Personal Data Rules including obtaining consent.

As far as Covid-19 is concerned, corporate bodies may face some privacy concerns from their employees. We know that to establish whether someone has contracted the virus, their temperature needs to recorded. A psychical examination will also be part of the screening process. Sensitive Personal Data or information of a person means such personal information which consists of information relating to, but not restricted to, "physical, physiological and mental health condition". Therefore, any personal data pertaining to the physical condition including body temperature is Sensitive Personal Data. In this case, companies will have to comply with the Sensitive Personal Data Rules. 

However, if such sensitive information is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force, it shall not be regarded as Sensitive Personal Data or information for the purposes of these rules. 

Likewise, "medical records and history" is also considered Sensitive Personal Data. Any such information as collected by employers through self-declaration  has to be collected in compliance with the Sensitive Personal Data Rules.

Disclosure and collection 

In case the corporate body has to disclose Sensitive Personal Data or information to any third party such as government authorities, it will require  prior permission from the provider of such information, who has provided such information under a lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation.

For collecting sensitive information from employees, the body corporate or any person on its behalf has to obtain consent in writing through letter or fax or email mentioning the purpose of usage. Sensitive Personal Data or information shall cannot be retained for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

All these issues can be covered in a HR Policy/Privacy Policy. Although a pandemic like situation may not have been integrated into a company’s Privacy Policy, it may mention the way and under which circumstance the Sensitive Data is collected, transferred, or eliminated. Moreover, this policy must be easily accessible to employees through for instance the company’s website.

---

Even though the current situation is extremely paralysing for businesses, it is important that businesses remain compliant with the data protection laws in India. This will not only save the business from damaging its reputation in the long run but also make sure it stays unaffected even after the pandemic has ended.

Do you have any questions about this article or do you want to get your existing privacy policies checked by a professional, please get in touch with Miss Legal India.