17 April, 2020
Words like ‘national security’ tend to make governments, courts, civil society and the intelligentsia (meant to lead, navigate and gravitate the masses towards an apt course) wrinkle/shrink (if not shirk away from) their business-as-usual, and permit actions without undertaking the necessary processes and debates.
When some permitted ‘solutions’ crafted during these circumstances entail the complexity of artificial intelligence (“AI”), technology, gadgets and/or applications, one cannot but think about the warning-cacophony inbuilt in the DNA of author Nick Bostrom’s book, ‘Superintelligence: Paths, Dangers, Strategies.’
The book begins with “the unfinished fable of sparrows”. The story is about a group of sparrows imagining an easy life where the sparrows would (find and) train an owlet to build and defend their (sparrows’) nests. While most sparrows agree with this plan, a “one-eyed sparrow with a fretful temperament”, Scronkfinkle, is unconvinced and considers it important to think about “the art of owl-domestication and owl-taming first”, before bringing the owlet/owl into their fold. The reply Scronkfinkle received was that finding an owlet will be difficult enough; therefore, taming an owl can be thought about later. Scronkfinkle protested against the flaw in the plan, but in vain, as the flock decided to implement the plan. Scronkfinkle and a couple of other sparrows stayed back to work on how to tame owls and realized the difficulty of the challenge. The end of this story remains unknown, and so Nick Bostrom dedicated his book to Scronkfinkle and those couple of other sparrows.
Well, gather-around ‘Scronkfinkle(s) and its followers’; for ‘We’ must unravel all difficult challenges and explore ways to tame/domesticate ‘Our Owl’ (AI and other technology-related products).
The outbreak of the novel coronavirus (“COVID-19”) has posed real challenges. A key issue that many employers are facing is how to prevent potential COVID-19 cases within the workforce, and what measures to implement to protect employees and the business. The question is relevant for multi-national companies and corporate houses with a large workforce due to mobility, ease of human contact and difficulty in tracking records of a large and diverse workforce. The risk of COVID-19 at workplaces does not lessen the responsibility of employers to maintain a safe work environment. In order to implement preventive measures, an employer may be required to obtain a certain set of data from its employees.
The question, however, arises that in absence of a robust data protection and privacy law framework in India, to what extent an employer can obtain, process, maintain and use data, specially, data which are Information Technology Act, 2000 (“IT Act”) and rules made thereunder (“IT Rules”). The IT Act and IT Rules provide for a basic framework of data protection and privacy which classifies information pertaining to health condition and medical records as sensitive personal data. Further, the corporate houses are required to provide a policy for privacy and disclosure of sensitive personal data under IT Act and IT Rules. Sensitive personal data can be collected by the corporate houses only for a lawful purpose or if such collection is considered to be necessary. However, the IT Act does not give clear guidelines as to how data of the employees should be obtained, accessed, processed or maintained.
Lack of clear rules and guidelines inter alia regarding the processing and access to such sensitive personal data or information puts even greater onus upon employers and corporate houses to conduct themselves in a manner that their actions do not fall afoul of the ‘right to privacy’ enshrined in the Constitution of India. Some international data protection authorities have started to provide guidance but there are divergent views on how employers should comply with data protection requirements, depending on the jurisdiction.
Although the Government of India is yet to release guidelines or an advisory for corporate houses concerning treatment of data collected to tackle the COVID-19 pandemic, the corporate houses can, in the interregnum (or in lack thereof), take a cue from the policies and practices adopted in other jurisdictions.
The scope of allegations surrounding data privacy infringement is not limited to the treatment of data collected by the employers or corporate houses; as it extends to the actions taken by the government (including government-controlled enterprises) to prevent, tackle and curb the pandemic. Contact tracing and surveillance (and technological-tools proposed as solutions) are among a few which may pose threat to an individual’s (fundamental) ‘right to privacy’. In absence of any robust data privacy law, the Government of India will have to shoulder and discharge the onus of balancing between right to privacy and public interest amidst this burgeoning pandemic.
TREATMENT OF DATA COLLECTED DURING COVID-19 OUTBREAK: INTERNATIONAL JURISDICTIONS
On March 13, 2020, the data protection authority of Belgium issued guidance for employers in relation to treatment of data collected with respect to COVID-19 (“Belgium Guidance”).
The Belgium Guidance suggested that the employers may not conduct generalized and systematic checks on employees (e.g., temperatures). Checks on employees concerning their health is suggested to be carried out by the occupational physician. Further, the tests cannot be arbitrarily conducted by the employers, and that there should be some justifiable reasoning and a positive presumption that an employee has been exposed or shows symptoms of COVID-19. The Belgium Guidance also suggests that the employers may not ask an employee to fill out a form about his/her health situation or recent travels as this is likely to create a social stigma or social panic. Further, the Belgium Guidance recommends that employees should be encouraged to voluntarily disclose symptoms, if any, or recent travel details to areas which are adversely hit by COVID-19 to the occupational physician. The employers should maintain secrecy about the data pertaining to a person infected by COVID-19 and such data should be shared with other employees, if required, only on no-name basis. Further, any data processed by the employer in response to COVID-19 should be within the four corners of Article 5 of General Data Protection Regulation (“GDPR”) which deals with lawful processing of personal data. This is in line with the guidance issued by other European Economic Area regulators including France, Germany, Hungary and Czech Republic.
United Kingdom’s independent authority is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It lays down guidelines concerning the treatment of data collected during COVID-19, for the organizations including corporate houses, in the form of a Q & A (“UK Guidance”). Amongst other things, the UK Guidance attempts to answer: (i) Can an employer or a company disclose the names of the infected persons to other employees or third parties? (ii) Can an employer conduct systematic checks on employees or visitors or collect other health-related data directly or indirectly? (iii) Can an employer share an employee’s health information with authorities for public health purposes? (iv) As most of the staff would be working from home, are there any measures which should be taken by the organization to ensure information is secured?
The UK Guidance, while responding to the aforesaid questions, recommends with respect to question (i) that data of infected person(s) can be shared with the employees but on a no-name basis. With respect to question (ii), the employer can reasonably ask the employees about their travel history or symptoms (if any) and if this approach doesn’t work, the employer can collect the information only in a limited manner with appropriate safeguards. Further, dealing with question (iii), according to the UK Guidance, the UK data protection law doesn’t restrict the employers from sharing the employee’s information with the public health authorities for the purpose of public health. The UK Guidance further clarifies with respect to question (iv) that, although there is no explicit prohibition on working from home, the organizations need to adopt the same kind of security measures that they would use in normal circumstances with respect to the organization’s data.
In the USA, though there is no robust data protection legislation[1] like GDPR in the European Union, under the Health Insurance Portability and Accountability Act Security Rule, the covered entities are expected to implement reasonable and appropriate administrative and technical controls to protect the confidentiality of protected health information. The US Department of Health and Human Services also released a bulletin outlining when disclosure of such information is allowed, and that though information can be released for public health purposes, to avoid a serious and imminent threat; even such disclosure should be limited to the minimum necessary to accomplish the public health purpose.
China has taken a proactive approach to showcase protection of personal information. Collection of personal information should be limited to key groups (confirmed cases, suspected cases, close contacts of confirmed cases), and it should not constitute de facto discrimination against individuals of targeted geographic locations. Institutions collecting such information shall be responsible for the maintenance and protection of such data. While employers in China may collect their employees’ personal data, such collection should be limited to that required for a legitimate and just purpose, and the informants must consent to and be notified of the purpose and scope of such collection. Such collection is also permissible in Hong Kong and Singapore.
Further, in China, collected information can only be shared with third parties in specific situations, such as a public health emergency or to assist the government in inquiries or investigations, among others. This information can be retained by the employer till the purpose of such collection remains, after which the data should be deleted or anonymized.
TREATMENT OF DATA COLLECTED DURING COVID-19 OUTBREAK: INDIAN ENTITIES
In India, many employers/companies are taking preventive steps on their own. In early March 2020, when there was an absence of any guidelines or advisory from the government, the employers/companies had already moved (or were planning to move) to a Work from Home facility and were conducting thermal screenings/checking travel histories of the employees.
In this regard, the employers must adhere to basic principles of data protection and privacy law, in order to ensure that their actions do not constitute an infringement of the fundamental ‘right to privacy’ enshrined under Article 21 of the Constitution of India. We have herein below captured, for this purpose, the basic guidelines that an employer/company must adhere to while collecting and treating data during the COVID-19 outbreak. On the basis of the IT Act, the IT Rules, the landmark Puttaswamy Case[2] on right to privacy and practices adopted in other jurisdictions, below are a few take-aways:
While extending the benefit of ‘work from home’ to employees during quarantine, do ensure that the integrity of client’s data is not compromised.
Employers should, as far as practicable, limit data collection to confirmed or suspected cases, or those who have come in contact with such cases. This information as well, should be collected with a clear and legitimate purpose with the consent of the employee. Collection of irrelevant information should be strictly avoided.
With the crisis becoming severe with every passing day, the employer may be allowed to take temperature of employees or other visitors and accordingly grant access to enter in the office premises. However, such data should not be retained once the purpose for which it was collected, is over.
The information so collected should only be used for the purposes of tackling the pandemic outbreak.
Organisations should be extremely careful not to put this data to a different use. The onus of protecting this information falls squarely on the employers. They should in no way allow access, either deliberately or negligently, to third parties of such information/data. Such sensitive data should not be published under any ordinary circumstances. Acting negligently would also be in contravention of section 43A of the IT Act.
Any information procured should not be disclosed without consent. However, given the nature of the current scenario, in certain situations such disclosure may be justified. For example, if the government needs access to such information in order to form policies or take corrective measures; or such information needs to be disclosed to protect public interest; or if there is a legitimate fear that non-disclosure may lead to worsening of the situation. These situations where disclosure without consent may be allowed should be demarcated in no uncertain terms, and employers must ensure that they are not acting outside of such terms.
Information regarding health condition or travel history of the employee might be sought by the employer while the employee is working from home. However, answer to question pertaining to symptoms of COVID-19 may be restricted to just a ‘Yes’ or ‘No’. Further, question in relation to travel history may be restricted to travel to areas which are adversely hit by COVID-19 (and/or notified by the government as restricted travel jurisdictions under regular travel advisories). However, given the deteriorating conditions, identification of risky areas may be arguable.
Once the situation has been brought under control and the virus has been controlled/eradicated, the organisations as well as the government must ensure that the data collected for the specific purpose of dealing with the outbreak must be destroyed. Any sensitive data collected for a specific purpose must be destroyed when that purpose has been met. Processing this data after the fact, for a purpose it was not originally meant for, will be in strict violation of the privacy of such individuals whose data is being used.
Refrain from sharing the data so collected, with the third parties or the general public.
Refrain from collecting information of any other individual, who does not form a part of the organization.
Refrain from retaining the sensitive personal data for longer than is required for the purpose of fighting COVID-19 pandemic.
Refrain from publishing the sensitive personal data or information collected during COVID-19 pandemic to public or other third parties.
Vast datasets provide a competitive advantage and providing access to such datasets to a dominant enterprise can disrupt the competitive forces. Accordingly, in cases of dominant enterprises, the collection of information and further retention of such information, even if they do not act in contravention of privacy laws, may violate provisions of competition law. Therefore, the data collected during COVID-19 outbreak shall not be used for any other purpose than fighting against COVID-19.
Be generally mindful of the data protection and privacy principles while formulating a policy concerning collection and processing the data, as the same is operating in full force, in absence of any guidance from the Government.
The scope of the take-aways mentioned above is restricted to data protection and privacy laws. Nothing stated herein above has any bearing on rights and liabilities of the employers or employees under employment laws. Further, it is clarified that health data can be collected by health authorities, isolation camps set up by the government or any other government approved authority qualified to take the measures appropriate to the situation. The assessment and collection of information relating to symptoms of coronavirus and information on the recent movement of certain people is the responsibility of these public authorities. These authorities, in absence of any specific guidelines, can also keep in mind the basic principles of data protection and privacy laws to avoid even the slightest infringement of individuals’ right to privacy. Further, in these unprecedented times, it is always advisable that the employers may obtain legal advice from their legal team or data protection and privacy law experts in order to remain in compliance of all applicable laws.
DATA PRIVACY AND GOVERNMENT’S TECHNOLOGY DRIVEN COVID-19 TACKLING MECHANISM
Containment and Lockdown!! – the only strategy most governments (across the globe) have agreed to be an effective ‘solution’ against this pandemic. In an attempt to contain the COVID-19 pandemic, governments and other responsible authorities of various international jurisdictions including the USA[3], Europe[4], China[5], South Korea[6], Singapore[7] and Iran[8], have deployed technology driven measures to cope with COVID-19 pandemic. These technology-driven measures require rapid identification and quarantine of the infected individuals, determination of whom they have had close contact with, in the previous days and weeks, and decontamination of locations the infected individual has visited (in few countries followed by aggressive testing).
This is achieved by inter alia tracking the locations, analyzing the data, thermal screening, contact tracing and mass surveillance. This raises potential questions as to how this innovative use of data directly or indirectly collected by the Government, may affect the privacy of an individual.
On the other hand, India (presently) does not have a data protection framework which can hold the government accountable for data privacy infringements; however, every action of the government will have to stand the scrutiny of the ‘right to privacy’, which is a fundamental right. Therefore, the question arises whether a technology driven measure which inter alia involves tracking the locations, analyzing the data, thermal screening, contact tracing and mass surveillance can be implemented in a country like India.
It is worth noting that the Disaster Management Act, 2005 and Epidemic Diseases Act, 1897 (currently invoked in India) empower the central government and other responsible authorities[9] to take any measure, whatsoever, for prevention, or mitigation, or preparedness and capacity building for dealing with the threatening disaster/epidemic, as it may consider necessary. The aforesaid legislations further provide immunity to the central government, state governments and other responsible authorities from legal processes undertaken in their official capacity.[10]
The Technology Development Board (“TDB”), a statutory body under the Department of Science & Technology has already invited proposal applications from Indian companies and enterprises to address protection and home-based respiratory intervention for COVID-19 patients. The TDB has also proposed to provide financial assistance by means of soft loans to the companies (up to 50% of project cost @ 5% simple interest per annum) or equity participation (up to a maximum of 25% of the project cost). The TDB has inter alia invited technologically innovative solutions in low-cost masks which can capture virus from the air and absorb respiratory droplets, cost-effective thermal scanning, bioinformatics and surveillance as well as AI and IoT based solutions for contact-less entry.
Meanwhile, the ‘Founders v. COVID-19’ movement in India has gained momentum wherein founders of more than 200 startups have joined together to develop and launch an application[11] which is likely to act as a quarantine application and will live-track the patients who are in home quarantine and those who have tested positive and on basis of the same, perform contact tracing.[12]
The application (named Aarogya Setu) (“App”) developed by the Ministry of Electronics and Information Technology (MeitY) was launched on April 2, 2020 and has already recorded 5 million
The App does not allow the registrant’s name and mobile number to be disclosed to the public at large at any time.
To implement what might be the outcome of the functions sought to be performed with this App (to fight COVID-19), several state governments have already introduced state-specific regulations under the Epidemic Diseases Act, 1897; for instance, the Delhi Government has introduced the Delhi Epidemic Diseases, COVID-19 Regulations, 2020, which allows lawful surveillance of the infected or likely to be infected person. Thus, for the reasons that COVID-19 has incubation periods and asymptomatic manifestation, more new technologies are proposed to be deployed, which is indeed a necessity in these unprecedented times. Alas, the dilemma of greater efficiency, however, will come at the cost of reduced privacy. It is however expected that the government will inter alia regulate the access to such data which are collected by the apps, maintain the anonymization of data, decentralize the data, refrain from processing the data for purposes other than fighting the COVID-19 pandemic and destroy the data as and when the world survives this pandemic.
“Data privacy” is integral to any democratic country. It has always been sensitive as it is associated with a citizen’s fundamental right to privacy. With COVID-19, thousands of people are being screened and are tested at the airports and hospitals for the novel coronavirus and the information inter alia pertaining to medical condition and travel itineraries are being collected by the authorities including the private employers.
Undoubtedly, data is likely to play an important role in containing and reducing the spread of the virus; but while collection of certain data may be necessary for discharging ‘state’ functions, collection of every kind of data cannot be justified on account of public interest.
Further, even though collection of data for the stated purpose finds acceptance, retaining such data beyond the purpose-stated time-period would be unacceptable. Furthermore, while processing of such data for future analysis and discrimination (by employers/government) would be characterized as an offence, the examination of patient-related patterns, analysis and studies of such data undertaken by research groups, hospitals, pharmaceutical, medical device and health care companies (including how they have procured such data in the first place etc.) are questions without readily available, straitjacketed responses.
Therefore, in a tussle between right to privacy and public interest, a balancing line is required to be drawn and practices balancing the two may be adopted by the corporate houses and governments while dealing with the data of Indian citizens and other individuals within Indian territory.
For further information, please contact:
Anu Monga, Partner, Induslaw
1 A few states in the USA have notified privacy laws. For example, the California Consumer Privacy Act (CCPA) was brought into effect on January 1, 2020.
2 Writ Petition (Civil) No 494 Of 2012
3 Aaron Holmes, The CDC will set up a coronavirus 'surveillance and data collection system' as part of the Senate's $2 trillion stimulus bill, (26.03.2020, 09:27 am), Business Insider India, accessed on: https://www.businessinsider.in/tech/news/the-cdc-will-set-up-a-coronavirus-surveillance-and-data-collection-system-as-part-of-the-senates-2-trillion-stimulus-bill/articleshow/74821763.cms
4 Elvira Pollina, Douglas Busvine, European mobile operators share data for coronavirus fight, (18.03.2020, 07:25 pm), Reuters, accessed on: https://www.reuters.com/article/us-health-coronavirus-europe-telecoms/european-mobile-operators-share-data-for-coronavirus-fight-idUSKBN2152C2
5 Aditya Chaturvedi, How China is using technology to fight coronavirus, (16.03.2020), Geospatial World, accessed on: https://www.geospatialworld.net/blogs/how-china-is-using-technology-to-fight-coronavirus/
6 Kim Lyons, Governments around the world are increasingly using location data to manage the coronavirus, (23.03.2020, 02:21 pm), The Verge, accessed on: https://www.theverge.com/2020/3/23/21190700/eu-mobile-carriers-customer-data-coronavirus-south-korea-taiwan-priv
7 Dean Koh, Singapore government launches new app for contact tracing to combat spread of COVID-19, (20.03.2020), Mobile Health News,
8 David Gilbert, Iran Launched an App That Claimed to Diagnose Coronavirus. Instead, It Collected Location Data on Millions of People, (14.03.2020, 07:30 pm), Vice News, accessed on: https://www.vice.com/en_us/article/epgkmz/iran-launched-an-app-that-claimed-to-diagnose-coronavirus-instead-it-collected-location-data-on-millions-of-people
9 National Authority, National Executive Committee, State Authority and other authorities which might be created under the, and in terms of the Disaster Management Act, 2005 and Epidemic Diseases Act, 1897 can be construed as responsible authorities
10 Section 74 of the Disaster Management Act, 2005
11 The population of India stands at 137 crore and smartphones are said to have reached 50 crore Indians. When less than one-third of the Indian population still does not have access to smartphones which have the capability to download applications, the effectiveness of the solution proposed to be brought into action to mitigate and fight against COVID-19 is itself worth testing. However, this is not within our current scope.
12 Garima Bora, Tracking app to thermal camera, Indian startup ecosystem is coming together to fight coronavirus, (07.04.2020, 11:317 am), ET Online, accessed on: https://economictimes.indiatimes.com/small-biz/startups/features/tracking-app-to-thermal-camera-indian-startup-ecosystem-is-coming-together-to-fight-covid-19/articleshow/74786464.cms?from=mdr