Introduction

The increased use of technology in personal and professional life due to the ongoing COVID-19 pandemic has also led to an increased need to ensure data protection and privacy. While India has no express legislation governing data protection or privacy, the relevant laws in this respect are:

  • the Information Technology Act 2000; and
  • the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Information Technology Rules).

In addition, in 2017 the Supreme Court issued a landmark judgment, heralding the right to privacy (including data protection and privacy) as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.

Data protection under Information Technology Rules

The Information Technology Rules broadly regulate:

  • the collection, receipt, possession, use, storage, dealing in and handling of sensitive personal data or information (SPDI);
  • the transfer or disclosure of SPDI;
  • the security procedures for protecting SPDI;
  • the transfer of SPDI outside India; and
  • the disclosure of SPDI to the government.

The Information Technology Rules provide for the protection of SPDI and deal with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to SPDI. As a system of checks and balances, the Information Technology Act imposes penalties for the disclosure of information in breach of a lawful contract or without the information provider's consent and provides for the protection of personal information.

Further, the Information Technology Rules require corporate entities which collect, process and store personal data (including SPDI) to comply with certain procedures. In August 2011 the Ministry of Communications and Information Technology released a press note which clarified a number of provisions of the Information Technology Rules. Among other things, the press note clarified that the Information Technology Rules relate to SPDI and are applicable to any person located in India or a body corporate.

Prior to addressing the obligations of body corporates during the ongoing COVID-19 pandemic (which apply to body corporates even in non-COVID-19 times), it is important to understand what constitutes SPDI.

Constituents of SPDI

SPDI includes:

  • medical records and history;
  • passwords;
  • financial information, such as bank account or credit card details;
  • information regarding physical, physiological and mental health conditions;
  • information regarding sexual orientation; and
  • biometric information.

Data protection issues that have arisen due to COVID-19 pandemic

The outbreak of the COVID-19 pandemic and the subsequent lockdown has led to several adjustments for businesses. As the lockdown is gradually lifted and employees begin returning to workplaces in a staggered manner, people have started to adjust to the new normal, which includes:

  • as much social distancing as possible;
  • increased remote work;
  • temperature checks; and
  • increased disclosure of medical and travel-related information.

Aarogya Setu app

In April 2020 the Ministry of Electronics and Information Technology released the Aarogya Setu app in order to tackle the increase in COVID-19 cases. The app enables:

  • the government to conduct contact tracing and syndromic mapping of registered subscribers; and
  • subscribers to carry out self-assessments of their medical situation and upload the same to the app to alert people in their vicinity of the number of COVID-19 cases.

The app stores registered subscribers' medical records and location data and requires constant access to their mobile phone's bluetooth, which is invasive from a data security and privacy viewpoint. The app has become more or less mandatory in India.

Kerala Sprinklr case

In April 2020 the Kerala government entered into a contract with US-based data analysis company Sprinklr to process and analyse the data of patients and those susceptible to COVID-19 in Kerala. This sparked a furore among the people of Kerala and the media. The key questions that arose related to:

  • whether satisfactory measures are being taken to ensure the confidentiality of the data collected; and
  • the manner in which the data would be dealt with after processing and analysis.

This matter was taken to the Kerala High Court, where the petitioners alleged that:

  • the contract had little or no safeguards against the commercial and unauthorised exploitation of data entrusted to Sprinklr; and
  • in case of any breach by Sprinklr, the Kerala government has no legal recourse before the Indian courts since the contract grants exclusive jurisdiction to the New York courts.

The Kerala High Court communicated its apprehensions regarding the proper protection of data and observed that the COVID-19 pandemic should not turn into a data epidemic at a later stage. The Kerala High Court directed the Kerala government to, among other things, provide only anonymised data to Sprinklr and apprise and obtain specific consent from citizens to the effect that their collected data will likely be accessed by Sprinklr or any other third party.

Subsequently, after facing sharp criticism from privacy rights activists and the opposition government, the Kerala government backed out of the deal with Sprinklr.

Collection and storage of medical history in offices

Many offices (government and private) are now storing and recording their employees' medical and travel-related information. While it is fine to do so, it is also important to ensure that such data is collected after due cognisance of the Information Technology Rules and after following all data protection procedures and measures.

State governments' door-to-door collection of medical samples and records

Certain state governments (eg, the Delhi government) have started an initiative that requires medical professionals to go door to door in order to identify COVID-19 patients. This also requires the collection of medical data which must be used and disposed of in a proper manner and in consonance with the Information Technology Rules.

Given this increased level of disclosure of medical and travel records to employers and the government due to the COVID-19 pandemic, there is a heightened need to reopen the debate on data protection and procedures to secure such data.

Obligations of body corporates and government agencies controlling SPDI

To ensure that data is processed properly, body corporates and government agencies which collect SPDI (including medical information, especially during and due to the COVID-19 outbreak) should undertake the following obligations:

  • have a privacy policy and publish such policy on their website. The privacy policy must describe:
    • the type of information collected;
    • the purpose and use of the information;
    • to whom or how the information can be disclosed; and
    • the reasonable security practices and procedures followed to safeguard the information;
  • appoint a grievance officer, whose name and contact details must be published on the entity's website along with the privacy policy. The grievance officer must act on any grievance within one month from receiving notice of such grievance;
  • refrain from collecting SPDI unless they obtain the information provider's prior consent. An entity which collects and processes SPDI should also ensure that the information provider is aware of:
    • the fact that the information is being collected;
    • the proposed use of the information; and
    • the name and address of the agency collecting or receiving the information;
  • use personal information only for the purpose for which it was collected. An entity cannot retain SPDI for longer than is required for the purposes for which the information can lawfully be used or as otherwise required under any other law. The SPDI provider has the right to review the information provided and ask for inaccurate or deficient information to be corrected. The information provider also has the right to withdraw their consent to the collection and use of the SPDI at any time;
  • disclose SPDI to a third party only if:
    • it has been agreed in a contract with the information provider;
    • it is necessary for compliance with a legal obligation; or
    • prior permission is given by the information provider;
  • transfer SPDI to a third party, whether in India or overseas, only if the receiving party ensures the same level of protection as provided under the Information Technology Rules. In addition, SPDI can be transferred only if:
    • it is necessary for the performance of a lawful contract with the information provider; or
    • the information provider has consented to the transfer; and
  • carry out the safety and security practices as provided in the Information Technology Rules when dealing with SPDI (which includes medical records). An entity must follow reasonable security practices and have a comprehensive documented information security programme and policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected and the nature of business (eg, International Standard IS/ISO/IEC 27001, Information Technology - Security Techniques - Information Security Management System - Requirements). In the event of an information security breach, such entity must demonstrate (as and when called on to do so by the agency mandated under the law) that they have implemented security control measures as per the documented information security programme and information security policies.

Comment

There is an unparalleled push to upgrade India's data privacy and protection standards, especially in light of the COVID-19 pandemic and its consequences. Further, the judiciary's proactive interest in data privacy issues and its opinion that data providers' information should be secure and that tougher standards should be prescribed for entities which do not comply with the data protection laws have encouraged companies to align themselves with the data privacy and protection laws.

The foundation of securing collected data is, to a large extent, determined by controlling access thereto and the manner in which it has been dealt with.