By Vikrant Rana & Vibhuti Vasisth
COVID-19 and data privacy protection in India
On March 11, 2020, the World Health Organization ("WHO") declared COVID-19 a pandemic and urged countries to take all necessary steps to detect, test, isolate and treat people, so that a handful of cases does not turn into wide-spread community transmission that would further stress the capacity of public health institutions worldwide. In pursuance of the same, the Indian Government, through the Ministry of Health and Family Welfare, has issued and notified multiple travel, immigration, employment and public health-related advisories to proactively prevent, contain and delay the onset of the outbreak in the country.
Some of these measures include: suspension of visas until April 15, 2020; requiring persons who have visited Italy or South Korea to submit a negative COVID-19 declaration from an authorised and recognised laboratory of that country before they can enter India; mandatory quarantine under medical supervision for a minimum of 14 days for persons who have visited high-risk countries; home quarantine for all travellers entering India; etc.
The COVID-19 pandemic has caused an unprecedented disruption of social and business activities across the globe, and it is fair to assume that the evolving situation will continue to demand more resources, enlistment, focus and expenditure in the times to come.
As in other countries, the responsibility for responding to the crisis in India rests largely on immigration and public health professionals; however, managing a novel crisis of such magnitude demands an organised and consistent response from every capable stakeholder. It is therefore essential that corporate organizations extend proactive health, safety, accessibility, employment-protection and continuity measures to protect their employees and partners from possible exposure to the infection. Their objective is two-fold: one, depending on the industry and the nature of the employees in question, to comply with all statutory obligations relating to the provision of a safe working environment to all employees; and two, to respond to, contain, prevent and delay a public health crisis with the means at their disposal, so as to ensure business continuity as the disease spreads and to reduce the chances of community transmission in their offices, which would help avoid a complete shutdown of business activities on a long-term basis.
The initial step of any corporate COVID-19 action plan should be to collect and monitor information pertaining to employees and partners, including their travel histories (both official and personal), symptoms (their own and those of family members), disclosure of interaction with suspected or confirmed COVID-19 persons, etc. It is also fair to assume that most organizations have no pre-existing disaster management plan specific to the prevention of infectious diseases, with the result that companies are now collecting and asking for information that is not anticipated or covered by any policy or consent framework established to date.
This practice is a cause for concern, because employers must balance their emergency response against the protection of the privacy of their employees, workers, consultants and extended workforce members.
This article outlines some of the data protection blind-spots that are emerging from COVID-19 emergency plans and addresses common queries that some corporate organizations may have in this regard.
- What is the current legal position in India?
The current data protection law (the Information Technology Act, 2000 and the IT Rules, 2011 made under it, together the "IT Act") categorises an employee's physical, physiological or mental health condition and medical records as 'sensitive personal data or information' ("SPDI"), which attracts stronger safeguards. Information such as the travel history of a person or of his/her family members, exposure to suspected persons, etc., may be classifiable as 'personal information' ("PI"), which is also protected but subject to fewer restrictions.
- What is SPDI and PI under the IT Act?
- What are COVID-19 data protection practices subsisting in other countries?
The EU General Data Protection Regulation ("EUGDPR") is more nuanced and allows organizations to collect and process information on the ground of legitimate interests, or in order to comply with their obligations as employers or under law, as applicable in each member country. Despite this enablement, data protection authorities across Europe have asked employers to exercise caution while implementing their COVID-19 action plans and have urged them to observe proportionality even in the face of a pandemic. Some examples are given hereunder:
- The Italian Privacy Authority, on March 02, 2020, asked employers not to collect employee health information or ask about contact with suspected symptomatic persons in a systematic and generalised manner, and stated that such inquiries and checks should instead be conducted by the civil and public health administration authorities;
- In France, the Data Protection Authority (CNIL) reminded employers of their legal obligations under the EUGDPR and the French public health code, and clarified that COVID-19 action plans cannot require the disclosure of medical and health information beyond what is needed to manage suspected exposure, or infringe the privacy rights of employees and visitors. It specifically stated that systematic body temperature checks with daily processing of that data, and asking employees and visitors to submit health declarations, are not legally permissible. It instead encouraged employers to educate their employees, advise them to be tested by the public health authorities, and set up remote working facilities;
- The UK's Information Commissioner's Office ("ICO") has taken a more pragmatic approach: it has assured employers that it understands that in pressing times the usual governance and compliance processes may be given lower priority, and that employers will not be penalised for prioritising other areas in order to contain the outbreak amongst their employees, visitors and partners. The ICO has, however, confirmed that this flexibility should not be taken by organizations as licence to abandon proportionality, and only such information as is not excessive in the circumstances should be collected and processed by employers.
- How does the global position differ from the Indian framework?
Given the evolving nature of the pandemic, even jurisdictions with mature privacy regimes are struggling to balance the public interest against the privacy of individuals, and private employers in particular are not equipped to respond to a public health emergency. As COVID-19 spreads further, we can expect more detailed and continuous guidance for employer organizations from regulators, varying by jurisdiction.
India faces the same data protection challenges, but the interpretational challenges may be more prominent here because we do not yet have a comprehensive data protection law that anticipates or addresses such emergency situations, nor a dedicated data protection regulator that could resolve the prevailing confusion or restrict unacceptable practices. Unlike the EUGDPR, Indian law does not recognise grounds for collection such as the prevention of a public health emergency or compliance with applicable laws, nor does it provide a ground for obtaining information that is fundamentally necessary to manage the employer-employee relationship. For SPDI, Indian law is restricted to a consent-based approach, as mentioned in the preceding paragraphs.
- What is the present response in the Corporate-India context?
In India, companies are screening employees, visitors and contractors and requiring them to share their travel history (professional and/or personal) to high-risk countries, the travel history of family members to high-risk countries, and symptoms of their own or of family members, to undergo mandatory health check-ups, and to submit medical declarations from medical institutions. Employers are correlating the travel history of employees and their family members with the symptoms of persons who have not visited high-risk countries, so as to detect possible community transmission. Persons with suspected or confirmed COVID-19 are being asked to identify the persons they have been in contact with, to assist employers in administering quarantine and hygiene measures. Employees are also being asked to submit medical records for the processing of leave, medical coverage and remote-working assistance. Employers have also put extensive hygiene measures in place, are encouraging employees with or without symptoms to work from home, and are discouraging travel plans and large gatherings.
- What are the other areas of concern from a data-protection perspective?
- Is it okay to collect travel history, and data related to exposure to suspected or infected persons?
- Is it okay to collect medical records or existing medical condition?
Health data, namely medical information, records and conditions, together with information on exposure to suspected or confirmed COVID-19 persons when accompanied by symptoms, would be classifiable as SPDI and may be collected, processed or stored only with the prior consent of the employee and/or visitor. Some companies may already have obtained such consent through employment contracts, the code of conduct applicable to employees, etc., but this is still a good time to assess whether the additional information being collected and processed as part of the COVID-19 response is actually covered by those existing consent frameworks. Where such consent is not in place, corporates should include obtaining it in their action plan, since failure to do so could expose them to claims for compensation from persons affected by negligent or improper handling of their SPDI.
Some companies are also asking for health data / declarations from their partners, visitors, consultants etc., and consent requirements would equally apply to such relationships.
- What other compliance requirements apply?
Maintaining reasonable security practices and procedures (the IT Rules cite ISO/IEC 27001 as an acceptable standard) is mandatory for processing and storing SPDI, and all organizations should assess whether their security controls are equipped to handle SPDI, particularly the health data of many employees and visitors, in a systematic manner for a prolonged period. The IT Rules also require organizations to retain SPDI only until the purpose for which it was collected has been achieved, after which the information should be destroyed or purged from their systems as per the specified procedures. Even though the principle of data minimisation is explicitly contemplated only under the Personal Data Protection Bill, 2019, and not under the IT Act, it is still advisable for organizations to collect and process only data proportionate to the threat to their business, and to curb the urge to initiate proactive measures that are more appropriately performed by civil or public health authorities. Data minimisation standards already apply to global organizations and should equally be implemented in India. Every record collected beyond need is additional exposure to cybersecurity threats, and a breach of health data has more serious consequences for the affected persons than a breach of ordinary PI.
General Q&As for employers
Some general Q&As relevant to corporates are given hereunder. Many of the situations described below are fact-specific, rapidly evolving and differ from one State to another. Employers are requested to seek specific counsel before implementing their COVID-19 action plans.
- Have employment and public health authorities issued any specific guidelines for the employers? Does it include any specific data protection guidance?
The Ministry of Health and Family Welfare has directed employers to arrange work from home for employees who are required to undergo home quarantine for a minimum of 14 days after returning from high-risk countries. Various Indian States, such as Delhi, Punjab, Haryana, Karnataka, Orissa, Gujarat and Maharashtra, have also notified COVID-19 as an epidemic under the Epidemic Diseases Act, 1897, thereby empowering State and District level authorities to undertake expansive measures to prevent and contain the outbreak. So far, in the context of employers, these notifications only prohibit organizations from sharing misinformation regarding COVID-19, which in our opinion means sharing inaccurate information on the nature and spread of the disease, its symptoms, etc., matters best addressed by the public health bodies qualified to dispense such information. Advisories for employers are emerging daily across States and municipalities and need to be referred to on a case-by-case basis. Karnataka has been particularly active in issuing advisories, and has recommended that employers avoid large gatherings, cancel meetings and conferences, and allow remote working for all employees. There are news reports of Karnataka contemplating mandatory work from home for all offices.
Further, in Karnataka, all workers covered under the Employees' State Insurance Act ("ESI Act") who are confirmed COVID-19 cases can now avail of mandatory paid leave of 28 days from their employers by submitting a medical certificate issued by an ESI hospital. Employees not covered by ESI can avail of equivalent leave from their employers under the applicable provisions of the Karnataka Shops and Commercial Establishments Act. In this case, employers would automatically be in receipt of the medical records of confirmed COVID-19 employees and can rely on that information to implement quarantine measures and to advise other employees to undergo testing at recognised and authorised Government facilities.
That said, employers have been advised to grant paid leave and implement remote working facilities but, except in Karnataka, have not been specifically asked to obtain and store employees' medical records.
- I am an employer, do I need to respond to this crisis?
Legally, the stringency of your response is at your discretion. Understandably, corporates across the globe are responding actively to this crisis in the interest of business continuity, and not necessarily to tick a legal compliance box. In India, certain employment legislations such as the Factories Act, the ESI Act, etc., require mandatory reporting of occupational diseases by employers; however, COVID-19 has not been notified under those laws. Public health notices issued by Government authorities such as the Bureau of Immigration and the Ministry of Health and Family Welfare are directed at citizens of the country, not specifically at organizations. No specific data collection obligation has been imposed on employers as of now, though employers can justify collection by reference to other employment laws.
- What more can I do to make my company's quarantine measures effective?
Persons with a travel history to COVID-19 affected countries and exposure to suspected or confirmed COVID-19 persons are mandatorily required to undergo medical screening at the nearest hospital, and employers can disseminate this communication further for wider reach. The Government has also encouraged employers to cancel conferences and any other non-essential travel plans (professional or personal).
- Could an employee refuse to share their travel history? Or whether they have interacted with any suspected or confirmed COVID-19 person?
No. The official travel history of an employee is employer information and is already available to the employer, so no specific request is required in this regard. Further, companies can validly ask their employees to disclose personal travel plans, or exposure to suspected or confirmed COVID-19 persons (including family members), in the interest of providing a safe and hygienic working environment for all employees and third parties visiting the workplace, and to better inform other employees of exposure and/or quarantine measures. Exposure to a suspected or confirmed COVID-19 person, if not accompanied by symptoms, is not yet a medical condition, and hence no specific consent is required to collect such information. Employers can also review CCTV footage to trace the contacts of suspected employees, so as to enforce their quarantine measures. Employers should at all times practise data minimisation and destroy any information that is irrelevant or no longer serves the purpose of the COVID-19 action plan.
- Could employers ask employees to share their medical conditions/records, including whether they have COVID-19 especially when they are symptomatic at the workplace?
Technically, Government authorities have directly asked citizens to undergo medical screening at hospitals if they have a travel history to any of the COVID-19 affected countries combined with exposure to suspected or confirmed COVID-19 patients. If a citizen is found to be infected, his/her information is transmitted by the hospital concerned to the district-level health authorities. Private bodies have not been asked to collect and store such information.
However, employers can support requests for the collection of SPDI such as medical conditions, records, etc., on the following grounds:
- Employers require a medical certificate certifying COVID-19 status in order to grant paid leave to the employee. Karnataka has made this mandatory, and other States may follow;
- Employers could argue that they need such information in order to protect the interests of, and provide a safe working environment for, all employees, and to protect themselves from tortious claims of negligence by other (potentially) infected employees;
- Employers may already have obtained prior consent for the collection, processing and storage of such SPDI in employment contracts or the code of conduct.
- Where we have legitimate grounds for the collection of SPDI, do we still need consent?
Yes. Since Indian law does not expressly permit the collection of SPDI on grounds of legitimate interest or legal compliance alone, you still require consent. Where no prior consent has been obtained, employers should include obtaining it in their COVID-19 action plans. Refusals from employees may be expected and should be handled firmly but with due sensitivity. Employees may be concerned about possible discrimination, leave without pay, forced quarantine upon disclosure, etc., and employers should extend their support in this regard.
That said, like global data protection regulators, Indian authorities are likely to accommodate governance gaps in some areas, provided employers can demonstrate a pressing need to act on their emergency plans without first obtaining the relevant consents. It is advisable that such gaps are addressed as soon as the immediate risk is mitigated.
- Could an employee refuse to give consent for the collection of their SPDI, such as health records?
In principle, employees cannot refuse consent, as the IT Act is unclear on whether employees can withhold such information during a health emergency or only when sensitive data is sought in connection with the provision of goods or services by the employer.
- I don't have a consent framework in place, I also don't have time to build one, and I would like to contain the infection urgently. Does the law envisage an exceptional situation?
Unfortunately, no. While you can continue with your emergency response in order to provide a safe working environment for your employees, from a data protection perspective you will still not be compliant and will need to remedy that. We do expect Indian regulators to be accommodating of such gaps, however, and this situation should become clearer in the times to come.
- Once the medical reports are obtained from the employees, what are my obligations?
You are bound to retain and share them only as permitted under the relevant law. Government agencies may obtain SPDI by a written request, for purposes such as verification of identity or the prevention, detection or investigation of offences, and such disclosures do not require the employee's consent.
- Would it be okay to disclose the name of the employee to inform other possibly affected employees?
No. There are other, and better, ways of implementing quarantine measures. The personal and sensitive information of an employee should always be protected, and the names of affected or suspected employees should be scrubbed from the information while it is processed internally as part of the action plan; what colleagues need to know is the dates, locations and quarantine steps, not who the person is. It is also important to mention that employers are obliged to take measures to protect their employees from any form of discrimination that may follow from their medical condition or diagnosis.
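As an added illustration of the practical side of the points made above (retaining SPDI only until its purpose is achieved, destroying what no longer serves the action plan, and scrubbing names before exposure information is circulated internally), the following Python sketch keeps an exposure register in which employees appear only as keyed-hash pseudonyms, internal notices carry dates and a headcount but no identity, and every record is purged once the quarantine window it supports has ended. This is example code written for this article, not any employer's system or a prescribed legal template; the employee IDs, the HMAC key held by HR, and the 14-day window counted from the last day in the office are constructed assumptions.

```python
# Added illustration, not code from the original article: a minimal
# exposure register that keeps employee exposure records pseudonymised,
# circulates name-free notices internally, and purges each record once
# the quarantine period it supports has ended.
# Assumptions (not from the article): a single HMAC key held by HR,
# a 14-day quarantine window counted from the last day in the office,
# and constructed employee IDs such as "E1001".
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

QUARANTINE_DAYS = 14  # minimum home-quarantine period in the MoHFW advisory


@dataclass
class ExposureRecord:
    pseudonym: str          # HMAC-derived token, never the employee's name or ID
    reported_on: date
    last_office_day: date
    status: str             # "suspected" or "confirmed"
    contacts: List[str] = field(default_factory=list)  # pseudonyms of contacts

    @property
    def purpose_ends(self) -> date:
        # The record exists to administer quarantine; that purpose is
        # achieved once the quarantine window has run out.
        return self.last_office_day + timedelta(days=QUARANTINE_DAYS)


class ExposureRegister:
    def __init__(self, hr_key: bytes) -> None:
        self._key = hr_key
        self._records: Dict[str, ExposureRecord] = {}

    def pseudonym(self, employee_id: str) -> str:
        # Keyed hash: the register never stores IDs, and only HR (who
        # hold the key) can test whether a given employee is involved.
        digest = hmac.new(self._key, employee_id.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def record(self, employee_id: str, reported_on: date, last_office_day: date,
               status: str, contact_ids: List[str]) -> str:
        if status not in ("suspected", "confirmed"):
            raise ValueError("status must be 'suspected' or 'confirmed'")
        token = self.pseudonym(employee_id)
        self._records[token] = ExposureRecord(
            pseudonym=token,
            reported_on=reported_on,
            last_office_day=last_office_day,
            status=status,
            contacts=[self.pseudonym(c) for c in contact_ids],
        )
        return token

    def is_contact(self, employee_id: str, case_token: str) -> bool:
        # HR can answer "was employee X a contact of this case?" without
        # the register ever holding a list of names.
        return self.pseudonym(employee_id) in self._records[case_token].contacts

    def internal_notice(self, case_token: str) -> str:
        # What the facilities/quarantine team receives: dates, status and
        # a headcount only. No name, ID or medical detail is included.
        rec = self._records[case_token]
        return (f"A {rec.status} COVID-19 case was last in the office on "
                f"{rec.last_office_day.isoformat()}; {len(rec.contacts)} "
                f"colleague(s) have been asked to self-isolate until "
                f"{rec.purpose_ends.isoformat()}.")

    def purge_expired(self, today: date) -> List[str]:
        # Purpose-bound retention: drop every record whose quarantine
        # window has ended. Returns the tokens removed, for the audit log.
        expired = [t for t, r in self._records.items() if today > r.purpose_ends]
        for token in expired:
            del self._records[token]
        return expired

    def active_count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    reg = ExposureRegister(hr_key=b"constructed-hr-key-rotate-me")
    case = reg.record("E1001", date(2020, 3, 12), date(2020, 3, 10),
                      "suspected", ["E1002", "E1003"])
    print(reg.internal_notice(case))
    print("E1002 is a contact:", reg.is_contact("E1002", case))
    print("purged on 25 Mar:", reg.purge_expired(date(2020, 3, 25)))
```

The design choice worth noting is that the register itself is useless to anyone who obtains a copy without the HR key: the tokens cannot be reversed, yet HR can still confirm whether a named employee was a contact by recomputing that employee's token. Running the purge daily from a scheduled job, and logging the returned tokens, gives the employer evidence that the retention limit in the IT Rules was actually enforced.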
- Should employers report to Government agencies once they have information about an employee’s confirmed COVID-19 status?
As of today, there is no such obligation under law. However, the Government has directed citizens of India to undergo screening and quarantine according to their travel history, symptoms and exposure to suspected COVID-19 persons. Employers should widely disseminate this directive amongst their staff and their social and professional networks.
- Could I ask employees and visitors to submit to a temperature reading and/or medical tests prior to entering the building?
It depends on what you are trying to ascertain. If it is simply to check for fever before allowing a person to enter, anyone can do that. However, any invasive or COVID-19 specific check should be conducted only by an authorised medical professional, who may pass the relevant information to the employer or the State medical authorities for further action. Medical professionals are themselves obliged to receive and handle a patient's information in the prescribed manner.
This update is intended to provide an overview of the applicable legal framework; however, since the subject matter is evolving, the authors strongly recommend seeking specific legal advice relevant to your business scenario before implementing any of the measures mentioned above.
WHO Director General's opening remarks at the media briefing on COVID-19, March 11, 2020
The Ministry of Health and Family Welfare has continued to update this list. As of March 11, 2020, the high-risk countries are China, Italy, Republic of Korea, France, Spain and Germany. Anyone who has visited these countries after February 15, 2020 will be subject to mandatory quarantine for a minimum period of 14 days. (https://www.mohfw.gov.in/ConsolidatedTraveladvisoryUpdated11032020.pdf)
Press release by the Italian Data Protection Authority, March 02, 2020 (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117#1)
Press release by CNIL, March 06, 2020 (https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles)
UK ICO guidance, March 12, 2020 (https://ico.org.uk/for-organisations/data-protection-and-coronavirus/)
Home Isolation Advisory by the Ministry of Health and Family Welfare, March 10, 2020 (https://www.mohfw.gov.in/AdditionalTravelAdvisory1homeisolation.pdf)