Srikrishna panel report to change the way user data are collected, stored

Srikrishna committee on data privacy gives companies exemption from seeking consent for work-related information due to "unique nature of the relationship" between the employer and employee

Employer-Employee exchange: When consent matters

The next time you send personal information from an official e-mail, your employer may have to seek your permission to access it. In fact, the employer may no longer have access to your official e-mail, except in certain specified cases.

The country’s first proposed privacy law, the Personal Data Protection Bill, 2018, attempts to change the way employers treat the data shared with them by employees.

The committee of experts on data privacy, led by former Supreme Court judge B N Srikrishna, gives companies exemption from seeking consent for work-related information due to “unique nature of the relationship" between the employer and employee.

According to the draft law, employers are also exempted from seeking consent from employees while processing their personal data in certain cases, during recruitment, verification of attendance, performance evaluation and provision of service.

“Ordinarily, information exchanged through official e-mail is not relevant to any of these listed purposes in the draft Bill. However, if the employer wishes to access such information, in exceptional circumstances, the employer should be able to demonstrate that such access is necessary for one of these listed purposes. Even in such cases, the employer is bound to give a detailed notice to the employee prior to such access,” Vidhi Centre for Legal Policy said in an e-mail response.

The proposed law attempts to reduce concerns about the misuse of personal data shared on official e-mails as it penalises any unauthorised transfer, sale or obtaining of personal and sensitive personal data. Also, there is an obligation on employers to ensure that all personal data exchanged over official e-mails are secure, according to the draft law.

Employers will still have to seek explicit consent of the employees before processing sensitive personal data, which includes passwords, financial data, health data, government-issued identity cards, sexual orientation, biometric data, caste and religion, among others.

Though the proposed law gives exemption to employers from seeking consent for performance evaluation or during payment of salary, the use of financial data, which is classified as a sensitive personal data, will need the consent of the employee.

“The proposed law has given exemption from taking consent for collection of personal data in some specified cases, for example, termination, providing employee benefits, verifying attendance and performance assessment,” says Gowree Gokhale, partner, Nishith Desai Associates. Gokhale, however, feels this exemption should have been made applicable even in relation to some categories of the sensitive personal data.

If the employer receives a complaint of sexual harassment within the organisation, it may have to process the personal data of the accused employee, which may include e-mail records. Though the draft law says the employer can collect such data in cases where consent is “not appropriate”, it does not explicitly mention such cases.

Under the present law — the Information Technology Act, 2000 — employers are required to comply with the data protection rules in case of sensitive and personal information of the employees, which includes passwords, biometric information, medical reports, but not in case of other personal information.

Background checks done by a potential employer will not be an issue and not require consent under the proposed law as it will be done for the purpose of recruitment, which has been given an exemption.

An employer must delete any personal data thus collected as soon as the purpose for which it was collected is satisfied. 

“In the employer-employee relationship, there could be situations where processing personal data with consent may not be really feasible. To illustrate, personal data includes characteristics, traits, attributes. For employee evaluation, one may do a 360-degree feedback. In such a case, taking specific consent would defeat the purpose,” Gokhale adds.