AN EMPLOYEE’S RIGHT TO PRIVACY AT WORKPLACE

Sakshi Nathani, Student, Alliance University

An employee’s right to privacy in the workplace is an increasingly controversial legal topic,

especially in an age of increased reliance on computers. An employee’s private life often

intersects with the workplace through personal phone calls, personal emails. Technology has

enabled employers to monitor virtually all workplace communication made by employees using computers. The state of inequality in power in a contractual relationship like employee and employer makes it possible for employer to extract more information from an employee without his or her full hearted consent. The information may be pertaining to the personal life, specific choices, family issues, background etc. such steps may lead to violation of the privacy rights.

Meaning of Privacy

Privacy is-

a) The quality or state of being apart from company or observation

b) Freedom from unauthorized instruction

Provision under Indian Constitution

The constitution of India clearly safeguards the right to privacy as a part of life under Article 21. Despite the fact that privacy is a fundamental right, it is well established that it is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or the protection of other’s right and freedom.

Employee’s Privacy rights at workplace are;

 Internet Usage and Email- Employers have right to monitor the employee email as long they have valid business purpose and may limit the access of employees o particular websites infringing the policies of the firm.

 Phone Calls and Voicemail Messages- Employers use electronic surveillance practices, including monitoring employee’s phone conversations and voicemails messages subjected to legal limits. The Electronics Communications Privacy Act (ECPA) places certain

restrictions on employer’s right to monitor its employee telephone usage at work. Under the Act, an employer may not monitor employee’s personal phone calls, even those made from workplace. The act also provides protection for an employee’s voicemails messages at work.

Provisions under Information Technology (IT) Act, 2000

The main enactment that deals with protection of data is the IT Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal information) Rules, 2011 (the “IT Rules”). Under the IT Act and the IT Rules, what is primarily sought to be protected is ‘personal information’ and ‘sensitive personal data or information’, i.e. the information related to

(i) password;

(ii) financial information such as bank account or credit card or debit card or other payment

instrument details;

(iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical

records and history; and

(vi) biometric information. However, the information which is freely available in public domain

is not considered within the ambit of ‘sensitive personal data or information’.

The Government has provided a legal framework for data protection and privacy through the IT Act and the IT Rules in following manner:

The IT Act, after its amendments in 2008, is now equipped with multiple provisions

catering to data protection, mandatory privacy policies, and penalties to be imposed on breach of

such privacy policies. Below are the relevant provisions of the IT Act:

i) Section 43 (a), (b) and (i) - This section provides that any person, who without the permission of the owner or, any other person who may be in charge of a computer, computer system or computer network-

a) accesses or secures access to such computer, computer system or computer network;

b) downloads, copies, or extracts any data, computer data base or information from such

computer, computer system or computer network which includes information or data held

or stored in any removal storage medium;

c) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter

any computer source code used for a computer resource with an intention to cause damage

shall be liable to pay damages by way of compensation not exceeding the sum of INR

1,00,00,000 (Rupees One Crore) to the person so affected.

ii) Section 43A - This section is bedrock of data protection and provides that where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, which shall not exceed a sum of INR 5,00,00,000 (Rupees Five Crores).

iii) Section 66C – This section deals with identity theft and provides that whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment for a term which may extend up to three years and shall also be liable to pay a fine of up to INR 1,00,000 (Rupees One Lakh).

iv) Section 66E – This section provides that whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person shall be punished with imprisonment which may extend up to three years or with fine not exceeding INR 200,000/- (Indian Rupees Two Lakh) or with both.

v) Section 72 – This section provides that any person who has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned and thereafter, discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to INR 1,00,000 (Rupees One Lakh) , or with both.

vi) Section 72A - This section provides that, any person, including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend up to three years, or with a fine which may extend up to INR 5,00,000 (Rupees Five Lakh), or with both.

Exception:

Grounds on which Government can interfere with Data-

Under Section 69 of the IT Act, any person authorized by the Government or by special

authority, if satisfied that it is appropriated to monitor or intercept the information in relation to

following grounds;

a) The sovereignty or integrity of India,

b) Defense of India,

c) Security of the state,

d) Friendly relation with Foreign states or

e) Public order or

f) For preventing incitement to the commission of any cognizable offence relating to above

or

g) For investigation of any offence

 Sensitive Personal Data or Information (SPDI) [under Section 43A]

Employers collect SPDI of their employees for various reasons such as for selection process, record retention purpose, employee evaluations or other legitimate business purposes. In case if employer is negligent in implementing and maintaining the SPDI of employee, it may cause employer to be held liable to pay compensation to relevant employee.

Compliances in relation to SDPI

i) Nexus- SPDI only be collected where there is need to collect such information.

ii) Opt in and opt out- Specific written consent should be taken from employees prior to

collection of SPDI.

iii) Privacy policy- Employees shall have well documented privacy policy as required by IT

Act and it shall be available on employer’s website also.

iv) Access- The employees should be allowed to revise or correct the deficiencies in the

information.

v) Transfer- SPDI can only be transferred where specific consent gas been taken by

employees by adhering to the standards of the IT act.

vi) Reasonable security practices and procedure- The employers should maintain reasonable

procedures to protect SPDI.

 Employee Surveillance

While employee surveillance has not been dealt with under the IT Act, these issues have assumed great importance particularly in light of the rapidly growing information technology and outsourcing industry in India. Employers may face critical issues in terms of data leakage,

intellectual property violations, defamation and a host of other issues in cases of misuse of such means of communication by an employee. For instance, if an employee downloads pornographic material on an office laptop and circulates such material to other employees, such action may be construed to be a case of sexual harassment and the employer may become liable for creating a hostile environment. Therefore, to protect the privacy of employees on the telephonic calling, emails and etc, the Supreme Court of India has provided the protection under Article 21 of the India Constitution to maintain and safeguard the privacy of employees.

 Concerns and difficulties

a) Who can collect the personal data?

Rules 5 of the IT Rules prescribes that no body corporate or any person on its behalf shall collect sensitive personal data or information unless (a) the information is collected for a lawful purpose connected with a function or activity of the body corporate; and (b) the collection of such information is considered necessary for that purpose.

Further, while collecting the information, the person sharing the information is required to be

made aware of (i) the fact that the information is being collected; (ii) the purpose for which the information is being collected; (iii) the intended recipients of the information; (iv) the name and address of — (a) the agency that is collecting the information; and (b) the agency that will retain the information.

b) For what duration can the personal data be stored?

Anybody corporate or persons holding sensitive personal data or information on its behalf cannot retain it for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any law for the time being in force and such information can be used only for the purpose for which it is collected.

Further the body corporate or any person on its behalf collecting the information, prior to the collecting of information, is required provide an option to the provider of the information to not to provide the data or information sought to be collected. The provider of information, at any time while availing the services or otherwise, has the option to withdraw its consent given earlier.

c) To what extend can the personal data be shared with third parties?

The body corporate receiving the information can disclose sensitive personal data or information to any third party, provided prior permission from the provider of such information has been received, or such disclosure has been agreed to in the contract between the recipient and the provider of information, or where the disclosure is necessary for compliance of a legal obligation.

However, no such consent from the information provider is required where the information is shared with Government agencies mandated under the law to obtain information including sensitive personal data or information for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences.

d) What are the obligations of the employers in relation to the personal data collected of its

employees?

The employers routinely collect ‘sensitive personal information’ of its employees such as health records, financial information etc. If the employer stores such personal information on a computer resource, such employer, if a body corporate, is required to have in place a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected.

Privacy in Tort law

The Right to Privacy is further encompassed in the field of Torts which include the principles of nuisance, trespass, harassment, defamation, malicious falsehood and breach of confidence. The tort of Defamation involves the right of every person to have his reputation preserved inviolate.

It protects an individual’s estimation in the view of the society and its defenses are ‘truth’ and

‘privilege’, which protect the competing right of freedom of speech. Also the employers have personal liability to ensure the physical safety of their employees. They are duty bound to take reasonable care, ensure safe workplace, safe system of work and well managed equipments and assets.

Privacy in Contract law

Under Indian laws, the governing legislation for contractual terms and agreements is the Indian Contract Act. There exist certain other means by which parties may agree to regulate the collating and use of personal information gathered, viz. by means of a “privacy clause” or through a “confidentiality clause”. Accordingly, parties to a contract may agree to the use or disclosure of an individual’s personal information, with the due permission and consent of the individual, in an agreed manner and/or for agreed purposes, but, any unauthorized disclosure of information, against the express terms of the agreement would amount to a breach of contract inviting an action for damages as a consequence of any default in observance of the terms of the contract. Also According to section 23 of the Act 1872, objects and consideration shall e lawful and must not be forbidden by law.

Privacy obligations under Specific relationships

There are instances of specific inter-personal relationships wherein one party might be obligated to maintain a certain measure of confidentiality. A doctor-patient, husband-wife, customer- insurance company or an attorney-client relationship; are instances where there exists a strong ethical obligation on the part of one party to protect the privacy of information relating to an individual which may expose him to social humiliation and/or ridicule. The above principle also receives legal recognition in Ss. 123-126 of the Indian Evidence Act, 1871.

Provision under Intellectual Property Laws

The Indian Copyright Act prescribes mandatory punishment for piracy of copyrighted matter

commensurate with the gravity of the offense. Section 63B of the Indian Copyright Act provides that any person who knowingly makes use on a computer of an infringing copy of computer program shall be punishable for a minimum period of six months and a maximum of three years in prison.

Provision under Credit Information Companies Regulation Act, 2005 (“CICRA”)

As per the CICRA, the credit information pertaining to individuals in India have to be collected as per privacy norms enunciated in the CICRA regulation. Entities collecting the data and maintaining the same have been made liable for any possible leak or alteration of this data. CICRA has created a strict framework for information pertaining to credit and finances of the individuals and companies in India.

The Personal Data Protection Bill, 2019

A Bill to provide for the right to privacy to the citizens of India and regulate the collection,

regulation, maintenance, use and dissemination of their personal information and provide for penalization for violation of such rights and for matters connected therewith or incidental/hereto.

The Bill governs the processing of personal data by (a) government, (b) companies incorporated in India and (c) foreign companies dealing with personal data of individuals in India.

The Bill classifies certain personal data as sensitive personal data. That includes financial data, biometric data, caste, religion or political beliefs, or any other category recognized by the government.

The Bill amends the IT Act, 2000 to delete the provision related to compensation payable by

companies for failure to protect personal data.

Anti- Discrimination Laws

The Constitution of India provides for equality of opportunity for all citizens relating to employment or appointment to any office under the State. Further, there shall be no discrimination on the basis of caste, race sex, descent, place of birth, religion or residence.

Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (‘SHW ACT’) - The Act provides for detailed complaint and inquiry mechanism in case of sexual harassment complaints at workplace. Under the Act, the employers are required to constitute an Internal Complaints Committee (ICC) that will inquire into sexual harassment complaints.

Immune Deficiency Syndrome (Prevention and Control) Act, 2017 (‘HIV ACT’)- provides the strict internal policies with reference to discrimination issues relating to person with HIV, or belonging to social backward class etc.

The Equal Remuneration Act, 1976- Prohibits discrimination between workers on grounds of

gender. The Act applies to both public and private sector employees. The Act extends to situation where relationship of employer and employees exist.