By: Vrinda Nargas and Namrata Jeph

(This post is the second of a two part series on the topic – ‘A Watchful Eye at Work: Evolving Workplaces and Emerging Employee Privacy Concerns’)

PRIVACY CONCERNS OF “COVID-APPROPRIATE” WORKPLACE MEASURES

Protection of one’s identity occupies a central place in the privacy domain. Medical information is considered to be a kind of data that has a reasonable expectation of privacy.[1] Various workplaces have mandatory AIDS, drugs, and lie detector or voice tests for stress evaluation. Compulsory vaccination of employees at the workplace and making employees go through various medical testing in light of pandemic – temperature screening and asking employees to provide medical information regarding past illness have also been employees at certain workplace set-ups.

In the backdrop of the COVID-19 pandemic, multiple governments and private sector companies mandatorily enforced the usage of the ‘Aarogya Setu’ application during the early stages of the pandemic, which followed a centralized approach to data collection for contact tracing. However, the mandate did not help in garnering the trust of the employees and the public at large, which is undoubtedly an essential element in the success of such contact tracing and monitoring methods. The Home Ministry, which had made it mandatory for its employees to download the app, was quick to revise its policy and roll back the mandate, when the severe flaws associated with the app such as the collection of highly sensitive data, came to light. Another example of workplace surveillance can be seen in corporates’ and government organizations’ decision to introduce facial recognition technology for their employees for attendance purposes, as well as for measuring the mood of employees with the help of a “mood meter”. While employees were provided with the choice to revoke consent, the company is likely to roll out the technology across all its offices, which raises questions about workers’ autonomy and privacy. However, before adopting such measures, it is important that organizations evaluate and adequately communicate the necessity of such measures to the affected stakeholders, and also take into account any alternative measures which are less intrusive and can be used to achieve the same purpose.

NEED FOR A ROBUST REGULATORY FRAMEWORK

At present, there is no consolidated labor law regime to govern workplace surveillance in India. When it comes to personal data laws such as the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”) offer some guidance, albeit not specific not specifically regarding employee privacy. Section 43A of the IT Act and Rules 5 and 6 of the IT Rules emphasize that obtaining consent for personal data is a must, and Sections 70B and 72A prescribe penalties and punishment in case of unlawful disclosure of data. The COVID-19 pandemic has not only led to an increase in the amount of surveillance due to remote work settings but has also increased the need for a robust mechanism to adequately safeguard against the invasion of privacy of employees and their data.

Further, due to the COVID-19 pandemic and the evolving nature of work, the lines between what constitutes personal space and what constitutes work or workplace have become blurred, thereby increasing the exposure of personal and sensitive data and information within organizational systems. The definition of the term “workplace” is evolving, and problems that can arise due to remote work are the recording of overtime, the statutory payment requirements, and maintenance of records. Vague terminology in existing laws and the lack of a robust legislative framework that caters to the protection of employees’ privacy rights make them suspect of misuse by organizations.

In the context of the employer-employee relationship and data privacy, one must look to the Personal Data Protection Bill, 2019 (“the Bill”). Section 13 of the Bill allows employers to forego obtaining consent for processing sensitive personal information in two situations; one, when consent is not appropriate, or two, when the employee would have to make a disproportionate effort to obtain the consent from the employee. Additional qualifications have been provided in terms of the purposes for which employers can collect personal data without consent, which would include attendance, assessing performance, recruitment, termination, and provision of any service or benefit. This leaves a wide ambit for employers to conduct surveillance, without being subject to much scrutiny. The Joint Parliamentary Committee (“JPC”) in its recommendations in the Data Protection Bill, 2021, stated that the provision must be redrafted, as it confers a lot of unfettered power to the employers over their employees’ data. The JPC report emphasized that the employees must have a reasonable expectation of their data being collected and processed, and only in such circumstances would surveillance by the employer be acceptable. However, various studies reveal that workers’ data is captured and processed, often to their detriment, without giving them notice and without their consent.

Against this backdrop, it is important to take note of policy and regulatory formulations adopted to address workplace surveillance and workers’ privacy in other jurisdictions. One noteworthy example is the European Union’s General Data Protection Regulation (“the GDPR”).

While Article 9(1) of the GDPR prohibits the processing of personal data, employers can still lawfully collect and process the personal data of employees if the requirements laid down under Article 9(2) are met. Employers can justify processing personal data for carrying out obligations and exercising specific rights in employment (Art. 9(2)(b)) or in the public interest (Art. 9(2)(i)). In addition, the processing of such data must also conform to the principles set out in Article 5, including purpose limitation as well as lawfulness, fairness, and transparency. Further, a three-pronged test laid down in Article 6(1) must be satisfied when the employer claims to process data as it is in his ‘legitimate interest’ – that of purpose, necessity, and balancing. Further, it is important to note that the GDPR stresses the explicit consent of the employee in case of data processing.

If such a rights-based framework which gives due regard to aspects such as informed consent, necessity and proportionality, and balancing of legitimate interests of both employers and employees is adopted in India as well, it would help ensure that monitoring and surveillance tactics used by employers are utilized only when less pervasive methods are not available, only for their intended purpose, the digital and privacy rights of employees are given adequate protection, and most importantly, the affected employees are aware of and consent to being monitored.

CONCLUSION

In recent times, we have witnessed an evolution in the way we work. Organizations have shifted to remote work at an unprecedented pace, which has also expanded workplace surveillance. Employers are adopting novel technologies to monitor their employees’ behavior, evaluate their performance and ensure that their productivity levels remain high when they are ‘on the clock. However, frequently, such methods of surveillance are pervasive, and often override fundamental principles of informed consent and privacy of the employees. While these techniques are used to manage immediate productivity and efficiency, and can further signal a trust deficit and a lack of transparency. These measures can cause tensions in the employer-employee relationship, with reduced productivity as an outcome in the long run, and employees might devise techniques to game the system and evade surveillance.

Due to the pandemic, there has been a shift in the economy and the labor market. While in certain sectors and circumstances, workers can leverage their demands and have access to alternate job opportunities, it is not the case when it comes to jobs where employees are subject to surveillance. Workers may not have the power to withhold consent when it comes to being monitored. The problem is acute, especially for marginalized groups, low-income earners, and professions marked with low social mobility. The balance of power appears to be titled in favor of the employer, even when viewed from the perspective of remote work.

The level of protection afforded to employees’ data under the present legislative framework in India appears largely inadequate. While employers can have access to employees’ data for legitimate reasons, these must be properly justified and the collection and processing of data must not be at the cost of the privacy rights of the latter. If the power in the hands of employers and organizations is left unchecked, the power imbalance between employers and employees is only likely to grow.

[1] Tomczak DL and Behrend TS, ‘Electronic Surveillance and Privacy’ in Richard N Landers (ed), The Cambridge Handbook of Technology and Employee Behavior (Cambridge University Press 2019)

(Vrinda and Namrata are law undergraduates at National Law University Jodhpur. The author(s) may be contacted via mail at vrindanargas@gmail.com and/ or  namratajeph661@gmail.com)

Cite as: Vrinda Nargas and Namrata Jeph, ‘A Watchful Eye at Work: Evolving Workplaces and Emerging Employee Privacy Concerns (Part-2)’ (The RMLNLU Law Review Blog, 26 June 2022) <https://rmlnlulawreview.com/2022/06/26/employee-privacy-2/>             date of access