31 July 2020
The increased use of technology in personal and professional life due to the ongoing COVID-19 pandemic has also led to an increased need to ensure data protection and privacy. While India has no express legislation governing data protection or privacy, the relevant laws in this respect are:
In addition, in 2017 the Supreme Court issued a landmark judgment, heralding the right to privacy (including data protection and privacy) as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.
The Information Technology Rules broadly regulate:
The Information Technology Rules provide for the protection of SPDI and deal with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation to SPDI. As a system of checks and balances, the Information Technology Act imposes penalties for the disclosure of information in breach of a lawful contract or without the information provider's consent and provides for the protection of personal information.
Further, the Information Technology Rules require corporate entities which collect, process and store personal data (including SPDI) to comply with certain procedures. In August 2011 the Ministry of Communications and Information Technology released a press note which clarified a number of provisions of the Information Technology Rules. Among other things, the press note clarified that the Information Technology Rules relate to SPDI and are applicable to any person located in India or a body corporate.
Prior to addressing the obligations of body corporates during the ongoing COVID-19 pandemic (which apply to body corporates even in non-COVID-19 times), it is important to understand what constitutes SPDI.
The outbreak of the COVID-19 pandemic and the subsequent lockdown have led to several adjustments for businesses. As the lockdown is gradually lifted and employees begin returning to workplaces in a staggered manner, people have started to adjust to the new normal, which includes:
Aarogya Setu app
In April 2020 the Ministry of Electronics and Information Technology released the Aarogya Setu app in order to tackle the increase in COVID-19 cases. The app enables:
The app stores registered subscribers' medical records and location data and requires constant access to their mobile phone's Bluetooth, which is invasive from a data security and privacy viewpoint. The app has become more or less mandatory in India.
Kerala Sprinklr case
In April 2020 the Kerala government entered into a contract with US-based data analysis company Sprinklr to process and analyse the data of patients and those susceptible to COVID-19 in Kerala. This sparked a furore among the people of Kerala and the media. The key questions that arose related to:
This matter was taken to the Kerala High Court, where the petitioners alleged that:
The Kerala High Court communicated its apprehensions regarding the proper protection of data and observed that the COVID-19 pandemic should not turn into a data epidemic at a later stage. The Kerala High Court directed the Kerala government to, among other things, provide only anonymised data to Sprinklr and apprise and obtain specific consent from citizens to the effect that their collected data will likely be accessed by Sprinklr or any other third party.
Subsequently, after facing sharp criticism from privacy rights activists and the opposition government, the Kerala government backed out of the deal with Sprinklr.
Collection and storage of medical history in offices
Many offices (government and private) are now storing and recording their employees' medical and travel-related information. While it is fine to do so, it is also important to ensure that such data is collected after due cognisance of the Information Technology Rules and after following all data protection procedures and measures.
State governments' door-to-door collection of medical samples and records
Certain state governments (eg, the Delhi government) have started an initiative that requires medical professionals to go door to door in order to identify COVID-19 patients. This also requires the collection of medical data, which must be used and disposed of in a proper manner and in consonance with the Information Technology Rules.
Given this increased level of disclosure of medical and travel records to employers and the government due to the COVID-19 pandemic, there is a heightened need to reopen the debate on data protection and procedures to secure such data.
Obligations of body corporates and government agencies controlling SPDI
To ensure that data is processed properly, body corporates and government agencies which collect SPDI (including medical information, especially during and due to the COVID-19 outbreak) should undertake the following obligations:
There is an unparalleled push to upgrade India's data privacy and protection standards, especially in light of the COVID-19 pandemic and its consequences. Further, the judiciary's proactive interest in data privacy issues and its opinion that data providers' information should be secure and that tougher standards should be prescribed for entities which do not comply with the data protection laws have encouraged companies to align themselves with the data privacy and protection laws.
The foundation of securing collected data is, to a large extent, determined by controlling access thereto and the manner in which it has been dealt with.
For further information on this topic please contact Vasudha Luniya at Clasis Law by telephone (+91 11 4213 0000) or email (firstname.lastname@example.org). The Clasis Law website can be accessed at www.clasislaw.com.