Corporate India's COVID-19 Action plan: How To Balance Data Protection With Emergency Response
On March 11, 2020, the World Health Organization (WHO) declared COVID-19 a pandemic, effectively urging countries to take all necessary measures to detect, test, isolate and treat people so that a handful of cases does not grow into clusters and community transmission that further stress the capacity of global public health institutions[1]. In the case of COVID-19, the pandemic declaration reflects the spread of the disease rather than its intensity. Both before and after the WHO directive, the Indian Government, through the Ministry of Health and Family Welfare, has notified multiple travel, immigration, employment and public health advisories to proactively contain and delay the onset of the outbreak in India.
Some of these measures include the suspension of all visas to India (except specific categories) until April 15, 2020; requiring persons who have visited Italy or South Korea to submit negative COVID-19 declarations from recognized laboratories of those countries as a condition for entry into India; mandatory medically supervised quarantine for a minimum period of 14 days for persons who have visited high-risk countries[2]; and home quarantine for all travelers entering India, to name a few. State and municipal authorities have separately issued travel and public health advisories directed at private citizens, organizations and public administration bodies.
The COVID-19 pandemic has resulted in unprecedented disruption to civic and business activities across the world, and it is fair to assume that the evolving situation will continue to demand more resources, mobilization, focus and expense in times to come.
As in other countries, the responsibility for responding to the COVID-19 crisis in India rests largely with immigration and public health professionals; however, managing a novel crisis of such magnitude surely demands an organized and consistent response from all capable stakeholders. It is therefore good to see corporate organizations extending proactive health, safety, accessibility, employment protection and continuity measures to protect their employees and partners from possible exposure. Their objective is two-fold: first, depending on the industry and the nature of the employees in question, to comply with their statutory obligations to provide a safe working environment to all employees; and second, to respond to, contain and delay a public health crisis with the means at their disposal, ensure business continuity in view of the expanding nature of the disease, and reduce the chances of community transmission in their offices in order to avoid a complete, long-term shutdown of business activities.
The initial step of any corporate COVID-19 action plan will be to collect and monitor information pertaining to employees and partners, including their travel history (both official and personal), symptoms of the employee and of family members, interaction with suspected or confirmed COVID-19 persons, as well as medical information. It is fair to assume that most organizations do not have pre-existing disaster management plans specific to the prevention of infectious diseases such as COVID-19, and this has resulted in companies collecting and asking for information that was anticipated neither in their policies nor in the consent frameworks established to date. This practice is of concern, as it is equally important for employers to understand the need to balance emergency response with protection of the privacy of their employees, workers, consultants and extended workforce. It is interesting to see how data protection principles are implemented in practice in times of emergency, when a consent-based or legitimate-purpose approach towards personal data naturally comes to look like an academic objective: good to have, but who can really implement it? And is this endeavor even proportionate, considering the risks involved in taking time to implement a program that is legally compliant? A practical approach is key, but how to implement one is often fraught with uncertainty.
This update outlines some of the data protection blind spots that are emerging from COVID-19 emergency plans and addresses common queries that corporate organizations may have in this regard.
Current legal position in India
The current data protection law (the IT Act) classifies an employee's physiological and/or health information and medical records as sensitive personal data or information (SPDI), which is considered sensitive and therefore deserving of stronger safeguards. Information such as the travel history of the employee and family members, or exposure to suspected persons, may be classifiable as personal information (PI), which is protected but with fewer restrictions.
IT Act – SPDI and PI
The law requires that any SPDI collected, processed or stored, whether for providing a service, under a lawful contract or otherwise, must be described under a privacy policy; informed consent must be obtained prior to collection of the SPDI; the purpose for which the SPDI will be used must be disclosed in advance; and the SPDI collected must be stored only for the period necessary to serve the specified purpose. Organizations are mandated to implement reasonable security practices and procedures, such as ISO 27001, that are commensurate with the nature of their business. Collection, processing and storage of PI can be carried out provided a privacy policy is in place.
All employers can therefore collect health information/records or the travel history of an employee by stating the intended purpose under a privacy policy. For collection of SPDI, additional consent requirements must be met, and the SPDI can be collected only in connection with providing a service (say, arranging an insurance provider for health coverage) or under the terms of a lawful contract. Organizations are not liable for the accuracy of information submitted by employees if they are required to transfer such information to Government agencies. Employees are legally entitled to refuse consent, though this right appears to be available only when an employer is collecting SPDI for providing a service.
COVID-19 data protection practices in other countries
The EU General Data Protection Regulation (EUGDPR) is more nuanced and allows organizations to collect and process information on the grounds of legitimate interest, or to comply with their employer or legal obligations, as applicable in each country. Despite this enablement, data protection authorities across Europe have asked employers to exercise caution in implementing their COVID-19 action plans and have urged them to consider proportionality even in the face of a pandemic. Some examples are:
- The Italian Privacy Authority on March 02, 2020 asked employers not to collect employee health information or ask employees about contact with persons suspected of showing symptoms in a systematic and generalized manner, and stated that such inquiries and checks should instead be conducted by civic and public health administration authorities[3].
- In France[4], the Data Protection Authority has reminded employers of their legal obligations under the EUGDPR and French public health codes and clarified that COVID-19 action plans cannot require disclosure of medical and health information that goes beyond the management of suspected exposure and infringes on the privacy rights of employees and visitors. It has specifically stated that checking body temperature and systematically processing that data on a daily basis, or asking employees/visitors to submit health declarations, is not legally permissible. It has instead encouraged employers to educate employees, ask employees to undergo tests with public health authorities, and set up remote working facilities.
The UK data protection authority, the Information Commissioner's Office (ICO), has taken a more pragmatic approach and assured employers that it is cognizant that in pressing times the usual governance and compliance frameworks may be relegated to a lesser priority, and that employers will not be penalized if they prioritize other areas to contain the outbreak amongst their employees, visitors and partners[5]. The ICO has however confirmed that this flexibility should not be construed by organizations as licence to forgo the principle of proportionality, and that only information which is not excessive in the given circumstances should be collected and processed by employers.
Are more updates expected? How does the global position differ from the Indian framework?
Given the unique and evolving nature of the pandemic, even jurisdictions with advanced privacy regimes are struggling to balance public interest with maintaining the privacy of individuals, particularly where private employers, who are not equipped to respond to a public health emergency, are doing the collecting. As COVID-19 spreads further, we can expect more detailed and continuous guidance from global regulators for employer organizations, varying by jurisdiction.
While India is dealing with the same data protection challenges, the interpretational challenges may be more prominent in our jurisdiction, since we do not yet have a definitive data protection law that can to some extent anticipate or address such emergency situations, and we also do not have a dedicated data protection regulator that can resolve prevailing confusion or restrict unacceptable practices. Unlike the EUGDPR, Indian law does not envisage collection of information on legitimate grounds such as prevention of a public health emergency or compliance with applicable laws, and does not permit employers to obtain specific information that is fundamentally necessary in the interests of an employer-employee relationship. For SPDI, Indian law is restricted to a consent-based approach.
Corporate India COVID-19 response
Companies are asking employees, visitors and contractors to share their travel history (professional/personal) to high-risk countries, share the travel history of family members to high-risk countries, share symptoms of themselves or family members, undergo mandatory health checkups, and submit medical declarations. Employers are also correlating the travel history of employees and their family members with the symptoms of persons who have not visited high-risk countries, to identify possible community transmission. Persons with suspected or confirmed COVID-19 are asked to identify the persons they have been in contact with, to assist employers in administering quarantine and hygiene measures. Employees are also asked to submit medical records for processing of leave, medical coverage and remote working assistance. Employers have further put in place extensive hygiene measures, encouraged employees with or without symptoms to work from home, and discouraged travel plans and large gatherings.
Areas of concern – data protection perspective
The above measures are helpful in containing community transmission and allowing businesses to address business continuity concerns, but employers are also unknowingly exposing themselves to legal risk by requesting mass and continuous information disclosures. For instance, many employers do not have privacy policies or consent frameworks that envisage collection of information on the grounds of preventing a public health emergency or community transmission. Many nascent companies have not invested in the security infrastructure and procedures needed for processing and storing the medical records of their employees.
Collection of travel history, exposure to suspected or exposed persons
The travel history of employees, or whether they have had exposure to a suspected or confirmed COVID-19 person, is classifiable as PI and can be obtained without consent. While it is important for such collection to be envisaged under the employer's privacy policy, at a practical level, official travel data will in any case be visible to employers. If described under the privacy policy, or after amending the policy accordingly, the travel plans of employees and their family members (where proportionate to responding to the current crisis) and any COVID-19 exposure details can be requested.
Collection of medical records or medical condition
Health data, namely medical information, records and condition, as well as information on exposure to suspected or confirmed COVID-19 persons where accompanied by symptoms, is classifiable as SPDI and can be collected, processed or stored only with the prior consent of the employee or visitor. Some companies may have obtained such consent through employment contracts or the code of conduct applicable to employees, but this is a good time to assess whether the additional information being collected and processed as part of the COVID-19 response is legally obtainable under existing consent frameworks. If such consent is not in place, corporates should include obtaining it among their action plan steps. Failure to do so can expose them to liability to compensate persons affected by any negligence or improper handling of their SPDI.
Some companies are also asking for health data/declarations from their partners, visitors, consultants etc., and the consent requirements apply equally to those relationships.
Other compliances
Maintenance of adequate security procedures such as ISO 27001 is mandatory for processing and storage of SPDI, and all organizations should assess whether their security standards are equipped to handle SPDI, particularly the health data of many employees and visitors, in a systematic manner for a prolonged period of time. The IT Rules also require organizations to store SPDI only until the intended purpose has been achieved, after which the stored information should be destroyed or scrubbed from their systems as per the prescribed procedures. Even though principles of data minimization are contemplated explicitly under the Personal Data Protection Bill, 2019 and not under the IT Act, it is still advisable for organizations to collect and process only data that is proportionate to the threat envisaged to their business, and to curtail the urge to initiate proactive measures that are more appropriately performed by civil or public health authorities. Data minimization standards will already apply to global organizations and should be implemented equally in India. Excessive data collection will ultimately be susceptible to cybersecurity threats, which in the context of health data can have serious consequences for data subjects.
General Q&As for employers
Some general Q&As relevant to corporate India are given below. Many of the situations described are fact-specific, rapidly evolving and will differ in each State. Employers are advised to seek specific counsel before implementing their COVID-19 action plans.
Have employment and public health authorities issued specific guidance to employers? Any specific data protection guidance?
The Ministry of Health and Family Welfare has directed employers to arrange work from home for employees required to undergo home quarantine for a minimum of 14 days after returning from high-risk countries[6]. Many Indian States, such as Delhi, Punjab, Haryana, Karnataka, Orissa, Gujarat and Maharashtra, have notified COVID-19 as an epidemic under the Epidemic Diseases Act, 1897, empowering State and district-level authorities to undertake expansive measures to contain the outbreak. So far, in the context of employers, these notifications only prohibit organizations from sharing any misinformation regarding COVID-19, which in our view means sharing inaccurate information on the nature and spread of the disease, its symptoms etc., as that is best addressed by the public health bodies qualified to dispense such information. Advisories for employers are emerging daily across States and municipalities and will need to be checked on a case-by-case basis. Karnataka, being the IT hub of India, has been particularly active in issuing advisories, and has recommended that employers avoid large gatherings, cancel meetings and conferences, and allow remote working for all employees. There are news reports of Karnataka contemplating mandatory work from home for all offices.
In Karnataka, all workers covered under the ESI Act who are confirmed COVID-19 cases can now avail mandatory paid leave of 28 days from their respective employers by submitting a medical certificate issued by an ESI hospital. All employees not covered by ESI can avail equivalent leave from their employers under the applicable provisions of the Karnataka Shops and Establishments Act. In this case, employers will automatically be in receipt of the medical records of confirmed COVID-19 employees and can rely on such information to implement quarantine measures and to educate other employees to undergo testing at Government facilities.
So far, employers have been advised to grant paid leave and implement remote working facilities and, except in Karnataka, have not been specifically asked to obtain and store the medical records of employees.
Do I need to respond to this crisis?
Legally, the extent of your response is at your discretion. Understandably, corporates across the world are responding actively to this crisis in the interest of business continuity, and not necessarily to tick a legal compliance box. In India, some employment legislation, such as the Factories Act and the ESI Act, requires mandatory reporting of occupational diseases by employers, but COVID-19 has not been notified under those laws. Public health notices issued by Government authorities such as the Bureau of Immigration and the Ministry of Health and Family Welfare are also directed at citizens, not specifically at organizations. No specific data collection obligations have been imposed on employers, though employers can justify such collection in view of other employment laws.
What more can I do to ensure the success of my company's quarantine measures?
Persons with a travel history to COVID-19-affected countries and exposure to a suspected or confirmed COVID-19 person are mandatorily required to undergo medical screening at the nearest hospital, and employers can disseminate this communication for wider reach. The Government has also encouraged employers to cancel conferences and any non-essential travel (professional or personal).
Can employees refuse to share their travel history? Or whether they have interacted with any suspected or confirmed COVID-19 person?
No. The official travel history of an employee is employer information, so no specific request is required in this regard. Companies can validly ask employees to divulge personal travel plans, or exposure to suspected or confirmed COVID-19 persons (including family members), in the interest of providing a safe working environment for all employees and third parties visiting the workplace, and also to better inform other employees of exposure and/or quarantine measures. Exposure to a suspected or confirmed COVID-19 person, if not accompanied by symptoms, is not yet a medical condition, hence no specific consent is required to collect such information. Employers can also access CCTV imaging to verify the trail of exposure of suspected employees in order to enforce their quarantine measures. Employers should at all times follow data minimization practices and destroy information that is irrelevant or no longer serves the purpose of the COVID-19 action plan.
Can employers ask employees to share their medical condition or records, including whether they have COVID-19, especially when they are displaying symptoms at the workplace?
This is tricky, as technically the Government authorities have directly asked citizens to undergo medical screening at hospitals if they have a travel history to COVID-19-affected countries combined with exposure to suspected or confirmed COVID-19 persons. If any citizen is found to be infected, his/her information is transmitted by the relevant hospital to the district-level health authorities. Private bodies have not been asked to collect such information.
Employers can support requests for collection of SPDI, such as medical condition or records, on the following grounds:
- Employers need to receive a medical certificate certifying COVID-19 status in order to grant paid leave to the employee. Karnataka has made this mandatory, and other States will follow suit;
- Employers can argue that they need to know such information in the interest of providing a safe working environment for all employees, and to protect themselves from tortious claims of negligence by other infected employees;
- Employers may have obtained prior consent for collection and processing of such SPDI in employment contracts or the code of conduct.
If we have legitimate grounds for collection of SPDI, do we really need consent?
Yes, since Indian law does not expressly permit collection of SPDI on the grounds of legitimate interest or legal compliance alone. If no prior consent has been obtained, employers should include obtaining it as part of their COVID-19 action plans. Refusal from employees can be expected and should be handled firmly but with sensitivity. Employees may be concerned about possible discrimination, leave without pay or forced quarantine upon disclosure of such information, and employers should extend support in this regard.
Having said the above, like global data protection regulators, Indian authorities are likely to be accommodating of governance gaps in some areas, provided employers can demonstrate a pressing need to act on their emergency plans without first obtaining the relevant consents. The gaps should be addressed immediately once the risk is mitigated.
Can employees refuse to give consent for collection of their SPDI, like health records?
Technically, employees cannot refuse consent, as the IT Act is unclear on whether employees can withhold such information in public health emergencies or only when SPDI is sought in connection with the provision of goods or services by the employer.
I don't have a consent framework in place, I also don't have time to set one up, and I would like to contain the infection urgently. Doesn't the law envisage an exceptional situation?
Unfortunately not. While you can continue with your emergency response in order to provide a safe working environment to your employees, from a data protection perspective you will still not be compliant. We do, however, expect Indian regulators to be accommodating of such gaps, and this situation will gain more clarity in some time.
Once I have obtained the medical reports, what are my obligations?
You are bound to retain and share it only as permitted under law. Government agencies are permitted to request SPDI to verify identity, by written request.
Can I disclose the name of the employee to inform other possibly affected employees?
No. There are better methods of implementing quarantine measures. The personal and sensitive information of an employee should be protected, and the names of affected or suspected employees should be scrubbed while the information is processed internally as part of the action plan. It is also important to note that employers are obligated to take measures to protect employees from any form of discrimination attributable to their medical condition or diagnosis.
Should employers report to Government agencies once they have information of any employee's confirmed COVID-19 status?
There is no such obligation under law as on date. The Government has mandated that citizens of India undergo screening and quarantine according to their travel history, symptoms and exposure to suspected COVID-19 persons. Employers should widely disseminate this directive amongst their staff and network.
Can I ask employees/visitors to submit to temperature readings or medical tests prior to entering the building?
It depends on what you are trying to ascertain. If it is simply to check for fever before allowing entry, anyone can do that. However, any invasive or COVID-19-specific checks should only be conducted by a medical professional, who may submit the information to the employer or the State medical authorities for necessary action. Medical professionals are themselves obligated to receive and handle patient information in a prescribed manner.
(The author is a Partner with AZB & Partners and advises clients on corporate and commercial matters.)
(This update is intended to provide an overview of the applicable legal framework; however, since the subject matter pertains to an evolving issue, it is strongly recommended to seek specific legal advice relevant to your business scenario before implementing any definitive measures.)
[1] WHO Director General's opening remarks at the media briefing on COVID-19 on March 11, 2020
[2] The Ministry of Health and Family Welfare has continued to update this list. As of March 11, 2020, the high-risk countries are China, Italy, Republic of Korea, France, Spain and Germany. Anyone who has visited these countries after February 15, 2020 will be subject to mandatory quarantine for a minimum period of 14 days. (https://www.mohfw.gov.in/ConsolidatedTraveladvisoryUpdated11032020.pdf)
[3] Press Release by Italy Data Protection Authority, March 02, 2020, (https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117#1)
[4] Press Release by CNIL, March 06, 2020, (https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles)
[5] UK ICO Guidance, March 12, 2020, (https://ico.org.uk/for-organisations/data-protection-and-coronavirus/)
[6] Home Isolation Advisory by Ministry of Health and Family Welfare, March 10, 2020, (https://www.mohfw.gov.in/AdditionalTravelAdvisory1homeisolation.pdf)