The current Covid pandemic has forced organisations either to allow their employees to work from home or to follow strict safety and hygiene standards and procedures at the workplace. Employers are required to collect personal information, such as the medical records of employees, both as a statutory obligation and as a social responsibility towards other employees.
This blog helps organisations understand how the personal data or sensitive personal data of employees should be collected and handled in order to protect employee privacy and avoid legal repercussions that may surface later.
What information should the Employers collect?
Employers are under a legal and social obligation to collect certain personal information from their employees, such as private medical information obtained during thermal screening or temperature recording, medical/fitness certificates, and travel history and associated details.
Collecting information such as the body temperature of employees is mandated by the Ministry of Home Affairs as part of its Standard Operating Procedures. The real question is whether such information falls within the ambit of sensitive personal data or information (or personal data more generally), and whether organisations must therefore comply with privacy law when handling it.
Legal framework for protecting Personal Information of Employees
India has no exclusive legislation (such as the EU GDPR or Singapore's PDPA) dealing with the protection of the personal information of individuals, which includes employees.
In order to understand how the personal information or sensitive personal information of employees is protected, reference has to be made to several legislations. The right to privacy has been recognised by the Supreme Court as a fundamental right under Article 21 of the Constitution of India; in addition, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Privacy Rules) contain provisions on the protection of personal information and sensitive personal data or information that is stored electronically.
Sensitive personal data or information is defined in Rule 3 of the Privacy Rules. The definition includes a person's medical records and history and their physical, physiological and mental health condition, so such information must be handled with great caution and care. The Privacy Rules also prescribe how sensitive personal data or information must be collected, used, disclosed and secured.
Further, the Information Technology Act, 2000 also penalises organisations that fail to protect personal information, including that of employees: Section 43A makes a body corporate that is negligent in implementing reasonable security practices liable to pay compensation, and Section 72A punishes disclosure of personal information in breach of a lawful contract. Collection of employees' medical records is for a lawful purpose because it is carried out under a statutory order; an employee cannot refuse to provide information about his or her body temperature to the employer, as the same is mandated by the Government.
Upon collecting employees' personal information and sensitive personal data, employers must keep it confidential unless a public authority requires it to be disclosed. Although it is highly unlikely that collecting an employee's medical information during the pandemic, in the public interest, would be categorised as a breach of privacy, employers should still comply with all privacy laws while collecting and processing such data. The following are a few obligations of an employer for the protection of employees' personal information.
- Consent : Obtaining the consent of an employee while collecting and processing his/her personal data is of utmost importance. The employer should ensure that the requisite consent has been obtained from the employee whose data will be processed, and that the employee has been told what is being collected, for what purpose and who the intended recipients are. Most standard employment contracts contain terms that allow the employer to collect such information, and these serve as a record of consent. Consent may also be obtained through a letter, a fax or an email.
- Collection of data : While collecting personal data from an employee, an employer should collect only that personal or sensitive personal information which is mandated by public authorities or is necessary for the purpose of collection.
- Processing of data : Personal information of employees should be used only for the purpose for which it was collected, i.e. to monitor the health of employees and check for symptoms of COVID-19.
- Disclosure of data : Except where an employee's personal information is requested by a Government authority or such disclosure is otherwise required by law, employers should not disclose the personal information of employees without seeking their prior consent.
- Implementation of reasonable security practices and procedures : Employers should implement reasonable security practices and procedures to protect the personal data of their employees. The Privacy Rules recognise ISO/IEC 27001 as one such standard, and an organisation that has implemented a documented security programme of that kind is better placed to show that it was not negligent.
- Retention of data : The personal data of employees should be stored only for as long as it is required, or until the purpose for which it was collected is accomplished. Once that purpose is fulfilled, all such data must be securely destroyed.
- Designate a grievance officer : Employers should designate a grievance officer to deal with and redress any grievances that an employee may have regarding the processing of his/her medical data. The Privacy Rules require the officer's name and contact details to be published and grievances to be redressed within one month.
To know more about employers' duty to protect employees' privacy rights, contact Legawise.