Restrictions in the Workplace
As stated previously, the Central Government has notified the DPDP Act on August 11, 2023. Once effective, it will replace Section 43A of the Information Technology Act, 2000 and the IT Rules enacted under the said provision, and serve as the comprehensive legislation governing data protection. While the DPDP Act exempts the requirement of obtaining consent for processing personal data for employment purposes, it still remains to be seen how expansively the Indian courts will interpret the term ‘legitimate uses’ and determine the purview of purposes of employment and those safeguarding the employer from loss or liability, as stated above, with regard to the said legislation.
Can the employer monitor, access, review the employee’s electronic communications?
In terms of the IT Rules, employers can access, review and monitor an employee’s official electronic data (i.e. work-related data) subject to obtaining his/her consent, as clearly stipulated in the concerned employment contract / appointment letter and internal policy / employee’s handbook. Employers would also have to formulate a privacy policy and upload the same on their website. This privacy policy would detail all their obligations regarding collecting, storing, and processing of employees’ personal information. Additional obligations are prescribed under the IT Rules in case the employer collects / has access to ‘sensitive personal information’ of employees such as credit card information, biometric information, passwords and medical records. Moreover, there are a couple of landmark judgments in India on the fundamental right to privacy.
While there are no specific laws that govern employees’ use of social media, any disparagement of employers and/or any divulging of confidential information would attract consequences under existing civil and criminal laws that govern defamation, breach of contract, divulging trade secrets and infringing intellectual property. Further, keeping in mind the rapidly evolving regulatory framework in relation to technology laws and data protection, employers have also started framing policies that would affect their employees’ participation on social media during work hours. Several companies, especially technology and outsourcing companies, have installed firewalls that prevent employees from accessing social media sites at the workplace, whereas several other companies have framed social media usage policies that educate employees on the implications of misuse of social media (especially given that employers could be held vicariously liable for any actions of employees in this regard).
In addition, employers can include strong provisions in the employment contracts / appointment letters for protection of confidential information, trade secrets, intellectual property, and other proprietary information. Indian Courts, typically, take claims of confidentiality breaches and disclosure of sensitive information very seriously; it is an established principle under Indian jurisprudence that an employer has full and exclusive ownership of the information that the employee comes in contact with during the course of employment, including any and all information contained in the employee’s official email accounts. Also, employers can, subject to obtaining employee consent, monitor employees’ activities on social media during work hours for the reasons outlined above.