Harsha Asnani & Roopadaksha Basu
The spread of Novel Coronavirus has led to several concerns in various spheres of social functioning. Disruptions in supply chains, financial markets are a few examples. The Indian government is proactively taking preventive steps to ensure the well-being of its citizens and speedy recovery from this natural disaster. One of the key strategies adopted to tackle the pandemic is identification and monitoring of persons who can come in contact with an infected person or what is commonly called as contact-tracing.
Manner of Collection and dissemination of data
In the process of reporting suspected cases, government agencies and to a certain extent the private parties such as employers have collected large amount of personal data including travel history, points of contact of suspected individuals etc. Several mobile based applications have been developed by the Government using GPS systems to track suspected cases such as Corona Watch by Karnataka government, COVID-19 Quarantine Monitor Tamil Nadu and Test Yourself Goa, Corona Kavach, COVA Punjab to track the suspected cases. These apps are aimed at providing citizens with preventive care information, self-assessment tools with preventive care data and other government advisories. These apps also access the user's mobile number, location data (via GPS) and match the traveling history with that of the Coronavirus positive patients, documented by the data collected by Indian Council of Medical Research (ICMR). For example, Corona Kavach, with the use of Bluetooth, will be able to warn the user not to venture out to a particular location, wherein a COVID-19 patient had stayed or travelled there. It will send notifications to users who have been in close contact with the suspected/infected individuals. The technical specifications of these apps promise to keep the collected data encrypted and limited to the device. The same shall be shared with the health ministry only if the concerned person is tested positive for the disease. However, it isn’t entirely clear how the government will track those people and match up their location data in the app. It can be reasonably presumed that the health ministry may use this information to send a notification to anyone who’s been in close contact with anyone tested positive for COVID-19 to get a test done. The code seems to also suggest a map-like feature to trace your location history and people you’ve been in contact with.
It has also been reported that certain State Government made names and addresses, mobile number, start date of quarantine as well as the police station under which jurisdiction the residents comes of COVID-19 suspects public through newspapers and social media, claiming that it will ensure effective containment of coronavirus transmission. While there has been a wide scale collection of data, there is no guidance/circular regulating the collection and dissemination of such information. Currently, the Government is using the wide powers granted to it under the Epidemic Diseases Act and National Disaster Management Act. In the absence of a well-defined mechanism, there is always an apprehension that the data can be misused.
Privacy Concerns v. Ensuring Greater Good of the Society
While collection and dissemination of such information is motivated towards protection of the greater good, one cannot ignore the pitfalls of the same. An argument can be made that the measures adopted by the Government may potentially be violate a person’s right to privacy and confidentiality. Dissemination of such medical information may also act as a catalyst towards breeding stigma and discrimination against the suspected individuals.
Personal privacy and dignity have now been considered as foundational elements of right to life. The Indian legal jurisprudence has placed greater emphasis upon right to privacy enshrined under the Indian Constitution. The State is under an indispensable obligation to not only ensure protection of such inalienable rights of all persons but also create an environment where all persons can exercise such rights. The collection and dissemination of such sensitive personal data without ensuring that the consent of the concerned person has been obtained or in absence of checks and balances for processing of information is neither warranted under Indian Laws nor encouraged under International Declarations and Conventions.
On the other hand, in the present emergency circumstances where a pandemic has become a threat to public health and has led to manifold increase in the mortality rate, the government is also under an obligation to ensure public health and safety. Countries such as India, with a huge population and limited healthcare infrastructure would not be in a position to face an overwhelming situation which may burden and eventually break the existing healthcare facilities. Tracking suspected cases and disseminating information would help the government in creating awareness amongst the public and keep its facilities abreast to avoid overburdening of its healthcare facilities.
The solution to this tussle between the right to privacy of individuals and right to public health and safety can be found in the Supreme Court’s decision in the matter of Mr. X v. Hospital Z wherein it has been opined that the Right to privacy is not treated as absolute and is subject to such action as may be lawfully taken for the prevention disorder or protection of health or morals or protection of rights and freedoms of others. The principles established in this decision can be extended disclosure of information to the persons at risk to Covid-19 being a communicable and life threatening disease. This view was further elaborated by the Supreme Court in the matter of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India (2018) 1 SCC 809.
The question which remains to be deliberated upon is the manner in which such a balance can be achieved. Undoubtedly the government has the right to process such information to ensure the safety and well-being of the society at large. However, what should be ensured is that such sensitive information so collected be used and stored in a well devised mechanism so as to avoid unauthorized used. Steps must be taken both by the government and private organisations to minimise and mitigate risk of data misuse.
Laws governing Private Organisations/Body Corporates
As far as the private organisations, specially employers are concerned, the legislations governing the collection and processing of personal information and sensitive personal data or information are The Information Technology Act 2000 (IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
The Rules interalia define “physical, physiological and mental health condition”, “medical records and history” as sensitive personal data. Therefore any temperature recording and physical screening of the employees can fall under the category. Hence, in order to collect such information it is necessary that the body corporates obtain necessary consent of the persons whose data is being collected and at the same time comply with the guidelines contained under the aforementioned rules.
Therefore, it becomes essential that the body corporates have well defined mechanism to ensure that necessary consent and approval is taken from the individuals, there are proper policies and protocols for collection, storage and protection of such sensitive personal data.
A comparative perspective with other nations
Several other countries such as China placed in similar situation has in response released certain guidance to the deal with the same. The National Health Commission of China issued a notice on February 3, 2020 outlining the personal data protection requirements in the context of the prevention and control of Covid-19. In furtherance to the same, the PRC Cyberspace Administration of China (CAC) (the key Chinese regulator on cybersecurity and data privacy) issued the “Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control” (CAC Circular) to provide detailed guidance on protecting personal data in the current circumstances.
According to the aforementioned circular and notice, the importance of protection of personal data and privacy has been reaffirmed. It has been stipulated that unless otherwise authorized under those laws and regulations, no individual or entity may collect or use personal data, without the consent of the data subjects. Further, while collecting such data, the concerned organisations are mandated to follow principles of necessity and minimum collection i.e. the data sought to be collected must be limited to those who are confirmed or suspected of carrying Covid-19 and those who have had close contact with confirmed or suspected virus carriers. Companies that collect and control personal data are under an obligation to have strict technical measures to prevent data breaches. Any non-compliance with Chinese laws and regulations in collection and use of personal data may lead to administrative sanctions, civil liability and may also extend to criminal penalties in case of severe violations.
EU countries while collecting personal data as part of their COVID-19 response are required to comply with the GDPR in addition to the domestic laws. For instance, Italy’s data protection authority, the Garante, adopted a decree addressing the intersection between the GDPR and COVID-19, the need for processing special categories of personal data, and how some data protection rights could be suspended to combat the virus. The Garante has issued further guidance prohibiting “do-it yourself” data collection. DPAs in France and Ireland have likewise taken positions on the handling of personal data in the context of responding to COVID-19.
Under the GDPR, the member countries can process personal data of their subjects in circumstances where it is essential for compliance with a legal obligations in order to protect the interests of its subjects or other natural persons or in public interest.
While the actions taken by the both government and private organisations are welcome in such emergent times, it is also necessary that there is a mechanism in place which ensures maintenance of data privacy. Since the right to privacy has now been expressly categorised as a fundamental and inalienable right under the Constitution of India, it is imperative that the same must be preserved.