Employers inevitably process large amounts of personal and sensitive information about employees. While most data are collected for standard business purposes, such as payroll and the provision of insurance, the pandemic has seen a rise in the use by employers of sophisticated technology. Whether for recruitment, operational efficiency or tracking, such technology raises concerns over privacy. Enforcement of employment-related data protection and privacy regulation has been low level. This, coupled with unchecked data collection and behaviour monitoring, has resulted in a power imbalance between employers and employees.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (rules), issued under the Information Technology Act, 2000, govern data protection and related issues. Companies must ensure that consent has been sought for the collection, disclosure, and transfer of sensitive personal data and information (SPDI). This is a subset of personal data that includes passwords, financial information, health and medical information, biometrics and sexual orientation. The rules do not specify how consent may be given, stating only that consent must be in writing, which includes electronic communication.
Some companies collect data relying on implied consent. Such companies assume that by furnishing their personal details, employees consent to the processing of their data. This is not what the rules require, and companies have begun to comply by having employees agree to processing through specific clauses in employment contracts, by accepting the terms of employment handbooks or by employee-specific privacy notices. Unlike in many jurisdictions, the rules do not expressly require consent to be freely given and permit organisations to deny services to individuals who do not consent or withdraw existing consent. Many companies commonly deny employment or withhold benefits from such employees.
Companies now use advanced tools to monitor employees’ browsing habits during work hours and breaches of internet usage rules, measure productivity based on keystrokes and login times and analyse communication between companies. These tools, however, must be scrutinised to identify any collection of SPDI, ensure security measures protect data so collected and check mechanisms through which employees consent to the use of such tools.
CCTV surveillance in workplaces is widespread and often seen as essential to security and law enforcement. Some states require establishments receiving many visitors to install CCTV cameras for public safety and to display notices that the area is under surveillance. Regarding employment, courts have held that CCTV cameras cannot be installed in areas where individuals have a reasonable expectation of privacy. Cameras should not monitor areas in front of restrooms. Many companies follow best practice and display prominent notices confirming the use of cameras.
Employers increasingly rely on artificial intelligence (AI)-enabled software to streamline recruitment. The risk of breaching equality and diversity laws is ever-present as algorithmic bias is inevitably part of the process. Companies employing technology-based service providers often seek reassurance over bias-free recruitment software. While such assurances may be provided, the nature and number of data sets processed by deep learning algorithms make it difficult to remove all bias.
A proposed data protection law will affect how organisations handle employee surveillance. Under the Digital Personal Data Protection Bill, 2022 (bill), employers will have more than one ground on which to collect employee personal data. In addition to consent, which is subject to stricter thresholds than under the rules, employers may process personal data for “employment-related purposes” as well as when employees voluntarily supply data.
The bill enforces transparency, requiring employers to disclose any processing in privacy notices that must be available in 23 languages. Employers must set up sophisticated data subject rights’ management and tools to address employees’ requests and grievances. Depending on the sensitivity of the information processed, businesses may have to undertake data audits and data protection impact assessments. These may include tracking technology and AI employment tools.
If enacted, this bill will more effectively plug present gaps in employer data collection practices.
Mathew Chacko is managing partner, and Aadya Misra is a senior associate at Spice Route Legal. Ada Shaharbanu, an associate, also contributed to the article.