
The Boss Will See You Now - The Growth of Workplace Surveillance in India, is Data Protection Legislation the Answer?

Posted by Shweta Mohandas and Deepika Nandagudi Srinivasa at Dec 31, 2020 12:00 AM

 

The use of pervasive technologies to monitor employees was picking up pace in India; the pandemic accelerated it. The pandemic has changed the way we work, whether through permanent work-from-home mandates for those who can work remotely or heightened social distancing norms for office goers. A recent survey of 12,000 employees across the US, Germany, and India revealed that as of June 2020, some companies were forced to move up to 40 percent of their employees to remote working. Companies big and small now need to look at ways to restore trust in the product and ensure the safety of the employee, while also ensuring that productivity picks up pace post lockdown. The safety standards mandated by the government include adequate social distancing, regular temperature checks, mandatory use of masks, and collection of information for tracing. Some private offices, as well as most government offices, have also mandated the compulsory downloading of the Aarogya Setu mobile application and verification of the employee’s status on it. All these measures and more need to be carried out daily and with the least human intervention. This is where technologies such as facial recognition, increased use of CCTVs, and thermal screening come into play. In addition, for employees who are working remotely, a number of software tools and technologies are being used to track them during and maybe even after working hours.

 

Employee Monitoring Technology in India 

 

When companies collect data from the consumers, the company is mandated to reveal if they are sharing this data with third parties or government agencies. The consumer also has the right and the option to not choose a particular company or to withdraw their consent. In the case of employees, however, the data collected is more continuous, can be identified back to them, and can have an immediate and direct impact on their life; such as hiring, firing, or promotions. In light of this, the option to withdraw consent for employees leaves only two choices: either to consent to surveillance or lose their jobs.

 

The use of employee monitoring technologies such as facial recognition is not new in India. While there are a number of reports on how factories are being made safe, the people who bear the brunt of these measures are not consulted. In 2018, Tech Mahindra announced the rollout of facial recognition technology to record not just the attendance of their employees but also the “mood of the workforce”. In an interview regarding the implementation of such measures, Tech Mahindra’s spokesperson stated that the employee has the choice to consent to the use of such a system. However, in a similar interview, the Tech Mahindra group also stated that soon recording attendance through facial recognition would be mandatory.

 

Madurai Corporation has also introduced facial detection to record the attendance of the sanitation workers. For some, the surveillance is much worse and is not limited to the confines of the workplace: for example, a report revealed that Panchkula’s Municipal Corporation had made their employees wear wearable devices called “Human Efficiency Tracker” to monitor the location of, as well as see and hear, the sanitation worker. The report also stated that similar employee surveillance systems were being used in Mysore, Lucknow, Indore, Thane, Navi Mumbai, Nagpur, and Chandigarh. Closer home, building security app Mygate allows residents of an apartment complex to rate and review their domestic help, and can even prevent their access to the building once they are fired. However, the ratings are not two-way: the domestic help cannot rate the employer, nor do they have a chance to question the actions and decisions taken about them.

 

The monitoring, as we can see, is not limited to the confines of the physical workspace. A number of remote employee monitoring software products have been in use for a while. These include software to monitor the online activity of the employees, ranging from email and social media screeners, cameras that can record the amount of time spent on a webpage, and laptops that take timed photos of the employee, to technology that records the keystrokes on the keyboard. A simple online search will reveal the number of companies that provide employee monitoring services. For example, XNSPY allows the employer to monitor every activity of the employee on their official devices, from call records to emails, contacts, photos, video, location, and even WhatsApp messages. According to the website, this software, once installed, runs invisibly in the background, meaning that the employee might not even be aware of it being installed. Similarly, Bangalore-based EmpMonitor takes screenshots from the employee’s laptop at intervals determined by the employer, along with the provision to get the browsing history or the top apps used by the employee. EmpMonitor also states in its FAQ that the employer can capture all keystrokes by the employee, including passwords. Similar to XNSPY, EmpMonitor also claims that it runs in the background invisibly, and “They also couldn’t stop being monitored” (sic).

 

As the sudden requirement to work from home has resulted in employees working on their personal devices, a mandatory requirement to download monitoring software can create grave issues about privacy. Another important issue that was highlighted in the report on the Panchkula’s Municipal Corporation sanitation workers was the fear that they had about the supervisors listening to their private conversations when they had to take the device home at the end of the day for charging. A study of the women working in garment factories revealed that they were given no notice or explanation for the CCTV cameras that were being installed in their factories. These measures are also likely to stay even when the pandemic is over.

 

These are just a few examples of the growing interest in using new technologies to know more about the employee, not just what they do in the office but also outside of working hours. However, the few examples mentioned above expose how employees working in “blue-collar jobs” - domestic help, delivery personnel, factory workers, sanitation workers - all faced a greater level of, and more pervasive, surveillance, without so much as an intimation. Employers that are already using pervasive technologies to monitor employees often justify it with quotes about employee satisfaction. However, in a system that is based on power imbalance, in addition to the looming fear of loss of income and unemployment, there is very little that an employee can do to push back.

 

Covid and New Office Procedures here to stay?

 

The Coronavirus has now added extra dimensions to the existing features of employee monitoring, including ways to check the temperature of a person in a crowd as well as recognise people even through masks. Demand for systems with facial recognition, temperature screening, and mask enforcement has grown, especially in factories and large offices.

 

Mygate has also started providing temperature checks and mask compliance checks. In pursuance of this, employers are frequently notified about the employees’ body temperature as well as whether the worker has worn a mask or not. In June 2020, the Ministry of Health and Family Welfare released a new set of guidelines for resuming offices. The Standard Operating Procedure (SOP) made it mandatory for people working in public services who were also classified as essential workers to use the Aarogya Setu application. Several government offices across India such as Srinagar and Puducherry were also mandated to install and use the app. The use of the app was not limited to the public sector. Around April 2020, online food delivery service companies such as Grofers, Swiggy, and Zomato had mandated their delivery agents to use the app. The apps also displayed the temperature readings of the agents in addition to the people involved in preparing the food.

 

Although the mandatory nature of the app has been removed and most companies no longer require their employees to download the app, new instances of the enforcement of the app in the public sector emerge. For example, in January 2021, the Indian Railways resumed its e-catering services “RailRestro” while imposing the mandatory use of the Aarogya Setu app. The guidelines of the e-catering service in the Indian Railways also require mandatory thermal scanning of delivery agents and restaurant staff. It is anticipated that the use of the app might come back to prominence during the vaccination drive as well.

 

The Defence Research and Development Organisation (DRDO) is also looking at ways to record the attendance of employees by developing “artificial intelligence-based face recognition systems” which they plan to commercialise. Similarly, mobility apps such as Uber, in the process of resuming operations and as a part of their safety measures, are requiring drivers to submit selfies to Uber’s Real-Time ID Check system to verify that they are wearing masks; only then can the ride proceed.

 

The pushback against using these invasive apps is now slowly gaining speed. For example, the Indian Federation of App-Based Transport Workers (hereinafter “IFAT”), in a press statement, highlighted the issues with the use of the Aarogya Setu app. In their press note, the Federation highlighted the concerns with the use of the app, most importantly the possibility of misuse of the data and continued surveillance through the app. The statement also emphasises the absence of a personal data protection bill, and the fear that the data collected through the app could be retained and processed in the future.

 

The Privacy Harms of surveillance of employees 

 

The note by the IFAT on the use of Aarogya Setu best emphasises the uneasiness that comes with employee surveillance and the collection and processing of employee data. The note also shed light on the issues that could arise due to the use of monitoring apps (in this case, Aarogya Setu) on employees which included decisions about retaining or removing from employment based on the health data in the app, decisions based on the app to remove insurance cover and the possibility of the app being consulted to make decisions on payment and compensation. These concerns and more can be attributed to the plethora of employee monitoring apps and technologies. 

 

When we look at employee surveillance and the different forms it can take, it can be understood that the issue is one of privacy as well as of data protection. When we look at the effects it has on privacy or the right to be let alone, a constant fear of being watched and recorded can have a detrimental impact on the person as well as a feeling that they are not trusted. As seen in the study of garment manufacturers - which is the case with most companies - the employees are not made aware that they are being monitored, something which the monitoring companies sometimes include in their advertisement. The decisions made based on these technologies are also not shared with the employees. As a result, they are often unaware of what the technology records and what decisions are made based on the time they come to work or the number of breaks they take. 

 

Apart from the privacy harms and the feeling of being watched, the data collected by employers poses a data protection issue. The collection of an employee’s data begins from the time of job application, when CVs are vetted. However, there is no clarity on where the data collected through the application process is stored, or whether and when it is deleted. The terms of employment and contracts such as non-disclosure agreements are necessary, but they can also restrict the right of employees over their data.

 

Existing Frameworks for Protection

 

Although employee surveillance cannot be entirely avoided, there is a need to ensure that employees are not subjected to increased surveillance in the guise of increased productivity. Additionally, just as the existing data protection provisions in India allow companies to use vague provisions and an unclear notice-and-choice framework to process consumer data, the absence of clear provisions for the processing of employee data puts employees at a greater disadvantage.

 

Indian labour laws do not contain provisions that deal with employee monitoring and surveillance. Hence, the provisions to be consulted on the issue of data protection and privacy are the Information Technology (Amendment) Act, 2008 (hereinafter, “IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter, “IT Rules”). Section 72A of the IT Act protects personal information from unlawful disclosure in breach of contract. In addition, Section 43A of the IT Act empowers the Central Government to stipulate the IT Rules, which seek to provide individuals certain rights with regard to their information. This section also provides for the protection of sensitive personal data or information (hereinafter, “SPDI”).

 

The IT Rules seek to distinguish between personal information and SPDI. According to Rule 2(1)(i), personal information is defined as that information which directly or indirectly relates to a person, “in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. In comparison, Rule 3 fleshes out the composition of SPDI; examples of sensitive information include passwords, medical history, biometric information, sexual orientation, bank account details, physiological or mental health condition, etc.

 

Rule 5 of the IT Rules states that while collecting SPDI, the data collector should seek consent in writing and must ensure that the collection is based on the principles of legality and necessity. Rule 5 also states that the individual whose data is being collected should be made aware of the reason behind the collection of information and who would have access to such information. If an agency is involved in collecting and retaining the information pertaining to individuals, details of such agencies also need to be disclosed. The data collector must also practise purpose limitation, as stipulated under Rule 5, and is hence precluded from retaining the information indefinitely.

 

It is imperative to note that Rule 8 read with Section 43A of the IT Act places civil liabilities on corporations in the event of mishandling SPDI. These liabilities involve compensating the individuals whose data has been mishandled. The aggrieved employee could approach an adjudicating officer appointed under the IT Act where the compensation claimed is up to INR 5 crore. However, if the compensation claimed exceeds INR 5 crore, the appropriate civil courts can be approached.

 

Although the IT Act and the SPDI Rules provide checks on the body corporate and means of recourse for non-compliance, there still exist several lacunae. Firstly, the provision of notice and consent does not require the companies to ensure that the terms are laid out in such a manner that the person consenting can fully understand them. Additionally, the absence of the need for renewed consent would mean that the consent would be used to justify further data collection and processing, at times with the use of new devices. For example, the consent given for CCTV surveillance could be construed as consent for setting up facial or gait recognition in the future.

 

Light at the end of the tunnel? - The Personal Data Protection Act

 

With regard to the current version of the draft Personal Data Protection Bill, 2019 (hereinafter, “Bill”), Section 13 provides the employer with leeway to process employee data other than sensitive personal data without consent on two grounds: when consent is not appropriate, or when obtaining consent would involve disproportionate effort on the part of the employer. Furthermore, personal data can only be collected without consent for four purposes, namely, recruitment or termination, attendance, provision of any service or benefit, and assessing performance. These purposes comprehensively cover almost all activities that workers may potentially undertake, or be subjected to, as part of their work-life. However, with respect to this provision, the current version of the Bill is better than the 2018 version, which did not exclude sensitive personal data from non-consensual processing.

 

The Bill labels employees as “data principals” and provides them with a plethora of rights. These include the right to confirmation and access, portability of data, and withdrawal of consent. However, the present and earlier versions of the Bill fail to define “employee”, “employer”, or “employment” with respect to the provisions of the Bill. This, in turn, creates ambiguity as to whom these provisions address. There is no uniform labour law in India, and every legislation, be it the Industrial Employment (Standing Orders) Act or the Employee’s Compensation Act, provides different conditions to be qualified as an employee, and sometimes only addresses workers or “workmen”. Hence, the lack of a clear indication as to whom this provision applies creates an added layer of ambiguity, the effects of which would be borne by the employee.

 

However, the designation of employers as “data fiduciaries” means that they must ensure that the collection and processing of data are in line with the principles of collection limitation and purpose limitation, and that the data is accurate, stored securely, and retained only for the time period needed. Furthermore, the employer is required to provide notice to employees about their rights to confirmation, access, correction, and portability with respect to their data. The consent exception only extends to the collection of personal data and does not extend to the collection of sensitive personal data by employers. It is important to note that most of the data collected by employers, especially through new technologies, is sensitive personal data - including financial data and, most importantly, health data and biometrics. According to the Bill, sensitive personal data requires additional safeguards such as explicit consent.

 

The Bill also adds another category of data fiduciaries - significant data fiduciaries - based on factors such as the volume of data processed, the sensitivity of that data, risk of harms, and the use of technologies. The Bill also requires that if these data fiduciaries undertake processing involving new technologies, or use sensitive data such as genetic or biometric data, such processing should only be done after a data protection impact assessment. However, until the PDP Bill becomes law, none of these provisions and safeguards can be used against the current and rapid adoption of surveillance technologies in the workplace.

 

Conclusion

 

While we do not know what the provisions relating to employee data would be in the final version of the PDP Bill, policies are already under way to make it easier to share employee data. The Ministry of Skill Development and Entrepreneurship, in its report on Adopting e-Credentialing in the Skilling Ecosystem, states how the digital skill credential could be used to allow employers to verify the credentials of the applicants. The policy itself states that the anonymised data from these credentials could be used in data and analytics and to know the most sought after skills. Interestingly, a study conducted by Rocher et al. revealed that even datasets that have gone through the de-identification process or anonymised datasets could, in fact, be re-identified with 99.98% accuracy. Although the PDP Bill in its current version provides some rights to the employees over their data, it is yet to be made into an Act.

 In the current situation, one can only hope that the steps taken for more and more data collection and surveillance of employees during the pandemic are not continued after the pandemic ends. While the fear of mission creep and function creep by the government through contact tracing apps looms, the same is dire in the case of workplaces where employees are already vulnerable due to the erosion of labour laws, pay cuts, and the looming threat of unemployment. 

The push towards new ways of data collection should ideally happen when there is a means for the individual to question or seek clarification and hopefully have a choice and autonomy. Hence, it is imperative that these pervasive technologies are implemented with a “rights-friendly” approach, as observed in other countries. Employers and workplaces should look at ways to ensure the safety of the employee and ensure trust in them, instead of using technology as a placebo. For example, instead of responding to concerns about employees turning up to work sick or with a fever with measures such as temperature checks and health monitoring, wouldn’t it be easier to just let the person rest and recover at home? Or, if employees are not complying with the mask policy, employers could provide them with washable masks and educate them about the concerns for their health, instead of resorting to facial recognition for the same.

 

____________________________________________________________

Edited by Arindrajit Basu 

With inputs from Shweta Reddy, Sumandro Chattapadhyay, and Shruti Trikanad