INDIA: DATA PRIVACY IN THE TIMES OF PANDEMIC
Updated: Jul 29, 2020
[Authored by Pragati Dadas, a final year B.A. LL.B. (Hons.) student at ILS Law College, Pune.]
On 11 March 2020, WHO declared Novel Coronavirus Disease (COVID-19) outbreak as a pandemic and reiterated the call for countries to take immediate actions and scale up response to treat, detect and reduce transmission to save people's lives. Along with public health authorities, non-profit-organization and corporates, the Central Government and various State Government in India are gathering, tracking and using such information of the individuals to slow down the spread of corona virus. As a result of COVID-19 pandemic, corporates are required to implement deviant measures to safeguard their employees and workforce. Also, they need to provide an assurance to their employees that their data is safe as per the rules and regulations of Data Protection laws in India.
Brief Overview of Data Protection in India
In India, for the protection of Data Privacy there are specific provisions has been introduced such as, Information Technology Act, 2000 (The IT ACT) and The Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information)- SPDI. The SPDI RULES (Rule 3 of IT Rules, 2011) with IT ACT can consider as “Data Protection Laws”.
Key Features of SPDI Rules
The SPDI Rules defined under Rule 3 of IT Rules,2011. And the following data is termed as SPDI:
· Physical, Psychological and Mental Health Condition
· Medical Records and History
· Sexual orientation
· Biometric Information
· Financial Information, such as bank account or credit card or debit card or other payment instrument details
· Any detail relating to the above as provided to Body Corporate for providing service
· Any information received under Body Corporate for processing, stored or processed under lawful contract or otherwise
Penalties for the breach of Data Privacy (SPDI)
Section 43-A of the IT Act provides that a body corporate dealing with or handling or possessing any sensitive personal information or data in a computer resource controlled, owned and operated by it would be liable to pay the damages as compensation to affected persons if they are negligent in implementing and maintain reasonable security procedures and practices to protect sensitive personal data or information.
Section 72-A of the IT Act provides for a fine up to INR 5,00,000 or imprisonment for a period of three years or both when there is disclosure of personal information in breach of a lawful contract or without consent.
Specific sectors who have contributed in Data Privacy regulations
IT Act and SPDI Rules have given a vision for the Data Privacy Regulation. Apart from these there are certain sectoral guidelines and regulations which also address various aspects of Data Privacy and Data Protection in India.
1. Cyber security and Cyber Resilience Framework of Stock Exchanges, Clearing Depositories and Corporations, issued by SEBI on 6th of July 2016.
2. The Reserve Bank of India mandates all system providers to store the payments data in India.
3. Insurance Regulatory and Development Authority of India has issued guidelines on Cyber Security of Insurers which are binding on all Insurance Companies in April 2017.
4. Ministry of Health and Family Welfare notified draft of Digital Information Security in Healthcare Act inviting public comments, introduced in March 2018.
Privacy Concerns for employers in Pandemic
As WHO declares the COVID-19 Novel Corona Virus outbreak in March employers started taking a wide range of actions to deal with this extraordinary situation. Even now, employers are taking extra care to protect the privacy of data of their employees and also client contacts as well as business contacts in order to alleviate the risk and set the seal on smooth continuity of business in such a tough as well as challenging time.
· Temperature recording and physical screening: The SPDI rules designates among others, “physical, psychological and mental health condition” as Sensitive Personal Data. Any information pertaining to the physical condition of an employee such as body temperature will be considered as a Sensitive Personal Data and all the SPDI rules need to follow for that.
· Collecting travel history and all the related information from visitors, clients, business contacts: Information related to the travel history collected from clients, visitors and business can be considered as personal information but not the sensitive data. Under Information Technology Act, 2000 any personal information other than sensitive data which is collected while providing the services under lawful contract, is not allowed to be disclose without the consent of that other person or unless it is agreed in current contract.
· Self-Declaration from the employees about their medical condition: According to the SPDI Rules “Medical Records and History” is comes under the Sensitive Personal Data. Hence, any such details collected by the employers through the Self Declaration forms or by any different means is required to keep confidential according to the SPDI Rules.
While the current situation poses a risk of doing business, it is important to maintain concurrence with Data Protection Laws. It will keep the Business relations unaffected even during such bad break.
Privacy Concerns for Location Tracking Applications
The WHO has considered testing, isolation and contact-tracing methods to fight against the virus. So, the countries are taking help of technology driven features such as thermal screening, mass surveillance, location tracking etc. to control the spread of this deadly virus. India also launched smartphone applications with different functionalities aiming to fight against Corona Virus. Just after the launch of applications the debate have started based on privacy concerns in relation to the misuse of the data collected by the applications.
1. Aarogya Setu application: This application is launched by the Government of India on 2nd of April, 2020. The main task of this application is, it tracks the location of an infected person and notifies the other users, who are using the same application. The Data Protection Laws only provides a basic framework on data protection. In landmark case of KS Puttaswamy and Anr. V. Union of India and Ors., the Supreme Court of India has observed that if the state preserves the anonymity of an individual it could legitimately assert a valid state interest in preservation of public health to design appropriate policy interventions on the basis of the data available to it. It is mandatory for a user of the Aarogya Setu application to keep GPS and Bluetooth tracking always “ON” and this only thing has been criticized since the launch of this application as it could violate its users’ privacy and it could act as surveillance tool by the government.
2. Sprinklr application: The State Government of Kerala started using this application which run by the U.S. firm,Sprinklr “World’s most loved enterprise software company ever”. This application also been criticized on the ground that sensitive personal information is being accessed by an entity which is not based in India. This came forward with a serious issue of Breach of Privacy involving a U.S. based firm. In recent petition challenging the contract between the Sprinklr and State Government of Kerala, The High Court of Kerala has issued an interim order in April 2020, asking the Government to remove identifying particulars or details which are collected for that application with respect to COVID-19 and then share remaining data to Sprinklr. Also inform to all the users of Sprinklr that such data can be shared with Sprinklr or any third party and obtain the consent of such users. Further High Court of Kerala restricted the Sprinklr from committing any act that may result in the breach of confidentiality of data collected under the contract with the State of Government of Kerala and exploiting such data directly or indirectly for commercial use or advertisement or representation to any third party that they have access to data relating to COVID-19 cases. The court also ordered Sprinklr to return all the to the State Government of Kerala after the contract is over and delete the remaining data which in its ownership. As per the news on 23rd of May, 2020 it came forward that it is stated in the Government’s affidavit, Sprinklr has only limited technical access and there is no access to data.
The question of Data Privacy has been raised in pandemic. The current situation of the COVID-19 pandemic is very uncertain and out of the ordinary. Government of India will need to strike the right balance between protection of public interest and maintaining the fundamental right to privacy. While mass monitoring and data processing systems appears to be indispensable weapons in a government’s arsenal against the ongoing pandemic, citizens should exercise cautions to ensure that these systems do not become the new normal. The Health and corporate sector and other stakeholders are taking steps to stop the spread of the virus and information such as data tracking and mass surveillance could prove to be effective in suppressing the spread of COVID-19.
 Section 43-A of The Information Technology Act, 2000.
 Id., Section 72-A.
 Rule 3 of The Information Technology Rules, 2011 (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information).
 The Personal Data Protection Bill, 2019.
 KS Puttaswamy and Anr. V. Union of India and Ors. WRIT PETITION (CIVIL) NO 494 OF 2012.