Privacy concerns take two forms: data privacy and surveillance. The first is an issue that is being addressed, with laws in place protecting and restricting the collection of data. The issue of surveillance by the government, such as by the Central Monitoring Service in India and the National Security Agency in the USA, is an issue under debate. The laws on this, though controversial, are also in place.
Surveillance in the workplace, on the other hand, is an unregulated area. It is not addressed either by Indian cyber laws, which so far contain provisions specific to the government, or by Indian labour laws, which deal with subjects like industrial disputes, employee wages, non-discrimination and so on. There is no guidance on this subject from case law either, since this is yet to come up before Indian courts.
Consider a situation where the employer suspects that an employee is passing on clients to a rival company. Unknown to the employee, the employer launches an investigation against him. A private detective agency is hired for this purpose. The employee’s personal information: his name, date of birth, address and contact number is handed over. Using this, the agency acquires the telephone records of the employee from the carrier. The agency is also given access to the employee’s device at the company. Using this, the agency accesses his internet activity, and both private and company emails.
This brings two questions to mind. First, if the employee is guilty, is the employer’s action justified? If the employee is innocent, then is the action not justified? Every employer would want to safeguard his clients, and have a means of ensuring that his employees are not endangering his business. This means that the employer would need a legitimate method of monitoring his employee’s activity. At the same time, an employee would want to safeguard the personal information which he provides to the employer, as well as that which is inevitably accessible to his employer during his use of the employer’s computer systems.
In the American case of Lawlor v. North American Corporation of Illinois, on which this example is roughly based, both the employer and the employee were found guilty; the employer for invasion of the employee’s privacy, and the employee for violating her duty of faith towards the employer.
Under Indian cyber laws, the issue of data privacy has been addressed to a large extent. Companies collect a lot of information from their employees, personal details like date of birth, financial information like credit card details, health information and so on. Section 43A of the Information Technology Act, 2000 imposes the responsibility of protecting this information on the company collecting it. This section provides a legal remedy to an employee affected by a company that fails to protect his data. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 contain detailed guidelines restricting the information that can be collected and the reasons for collecting such information. The employee’s express consent is required before the collection of the information, and also before any disclosure of the information is made.
Government surveillance is covered under Indian laws in the form of Section 69 of the Information Technology Act, 2000 and various rules such as the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Workplace surveillance is completely unregulated. The cases abroad regarding surveillance at the workplace bring out the two main issues: accessing employee emails, messages, voicemail and the like, and accessing employee internet activity, such as browsing history. Generally, monitoring by an employer during work hours is considered to be valid. Company emails and all other information on the company’s device are, in fact, considered to be the company’s property. This gives the company the right to check these devices and monitor and restrict their illegal use.
The European Court of Human Rights recently held that there was no violation of human rights when a company fired its employee for his private use of e-mail during work hours. In order for such surveillance activities to be valid, however, the companies must inform their employees that their activities are being monitored. Monitoring without informing employees was held to be illegal in several cases abroad. In the absence of relevant laws in place, companies follow certain general practices, along the line of laws abroad, to ensure that their surveillance is legal. Companies have written privacy policies and social media policies in their offices. Filtration and blocking of websites is another common method used to restrict employee online activity.
The use of a company device at work quite reasonably permits surveillance and access of company devices and protects personal devices. The increasingly popular Bring-Your-Own-Device system – the use of your personal device at the workplace – in companies today presents a completely different set of challenges. For instance, an employee may not be willing to have an employer dictate what activities are to be performed on his personal phone or have company security and surveillance systems installed on his phone.
If an investigation is launched against the company, can an employee’s personal device be seized? Who is responsible in case of loss of data because of a virus entering the device? One solution may be to impose restrictions only when the employee is on the company premises. However, the issue will remain unresolved in instances where the employee takes work home, which is common practice. An increasing number of companies have BYOD policies in place to differentiate between these issues.
The government needs to issue specific laws on workplace surveillance along the lines of the laws on government surveillance. These are essential in order to bring uniformity to company practices and provide a remedy for employees in case of invasion of privacy.
By Asheeta Regidi
The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.
The next part of this Firstpost series will examine defamation and social media.