This article was written by Bipasha Saikia, a student of National Law University, Assam.
Power dynamics form the core of the relationship between an employer and an employee. Although workplace monitoring originated with the noble intention of ensuring the productivity of employees, allegations that it breaches the employees’ sacred right to privacy have raised serious ethical questions about the concept. The “Taylorist System” explains the original intention behind this concept reasonably well. Frederick Winslow Taylor’s concept of performance monitoring includes identifying, fragmenting and regimenting workflows and deploying methods of performance monitoring to reach production targets. Knowledge of and control over the work are thus removed from the worker. The rule of the Taylorist system is that the unobserved worker is an inefficient one. Monitoring is meant to prevent workers from slowing or sabotaging the modes of production, both in factories and in offices.
With the advent of newer forms of technology, the boundaries of what constitutes a workplace have become increasingly porous, as the reach of these technologies is not strictly confined to the workplace but extends remotely as well. Herein lies the difference between “traditional surveillance” and “modern surveillance”: the former is restricted to the workplace alone, where the employee has full knowledge that they are under the scanner of the employer, while under the latter employees can be scrutinized anytime, anywhere. Also, with the growing IT sector, surveillance technologies have been introduced, such as internet surveillance, CCTV surveillance, telephone and e-mail ID surveillance, etc.
Human resources management practices such as recruitment, performance appraisal, employee discipline management, adherence to a code of conduct and exit interviews, and business operation processes such as data security and performance monitoring, are potential areas where employee vulnerability can be misused. Employers give varied reasons for supervising, or rather “scrutinizing”, the employee. Some of them are gauging the productivity, performance and honesty of the employee and ensuring the protection of data through means like desktop tracking, phone-tapping, etc. Unintentional sharing of intellectual property rights, leaking of confidential information, or unintentional contractual liabilities incurred via email or other electronic communication are always a cause of worry for employers. Other factors include observing the employee to ensure that crimes such as credit card fraud or the downloading and uploading of obscene/prohibited material are not committed. Such conduct on the part of the employer is, however, understandable in view of the need to maintain a good corporate image and of legal liabilities, owing to fierce competition as a fallout of globalization. Companies are bound by local laws and regulations governing sexual harassment and work environment, which compel them to monitor employee activity. In the Chevron case, the company had to pay $2.2 million to four plaintiffs who claimed to have been sexually harassed through e-mail jokes from other employees in the company. But looking from the other angle, increased surveillance leaves the employee no room for self-control and self-monitoring. This creates a rift in the contractual relationship, wherein all trust between the two parties is lost and a culture of mistrust is created in which employees see no incentive for being productive, resourceful and efficient. Because of these conflicting interests, privacy has become one of the most contentious issues in an employer-employee relationship.
In the U.S., Bennett and Locke in 1998 defined privacy as “the general right of the individual to be let alone.” More specifically, employee privacy has been defined as the “Freedom of employees from unauthorized intrusion by employers.”
Legal Scenario in India, US and UK
There is no direct legislation that deals with this issue in the US, UK or India. However, the US appears to have a statute that indirectly governs this relationship, as well as a plethora of court judgments. In the U.S., invasion of employee privacy is considered to be a major infringement of individual rights.
India, being the fastest developing country in the world, is witnessing rapid growth of its IT sector. The Government of India has established several agencies for different surveillance purposes. Some of them are: National Intelligence Grid, Crime and Criminal Tracking Network System, Central Monitoring System, Indian Computer Emergency Response Team (CERT-In), National Counter Terrorism Center, along with the Unique Identification Authority of India (UID Scheme). Although their establishment can be justified on the grounds of necessity, the pertinent question at this juncture is: how do these agencies, which handle extremely sensitive information, ensure that there is no misuse of this information by any third party or by any internal governmental body for political purposes?
The legal scenario in India with respect to workplace surveillance and breach of privacy is ambiguous owing to the absence of specific legislation. In the absence of specific legislation, the Supreme Court of India, in the cases of Kharak Singh v State of UP and People’s Union of Civil Liberties v the Union of India, recognized the ‘right to privacy’ as a subset of the larger ‘right to life and personal liberty’ under Article 21 of the Constitution of India. However, even though privacy is a fundamental right, it is not an absolute right and is thus subject to reasonable restrictions like prevention of crime, disorder, or protection of health or the protection of others’ rights and freedoms. Also, the Supreme Court of India has gone ahead to state that if there is a conflict regarding fundamental rights between two parties, the right that advances public morality will prevail. This goes on to establish that, when it comes to the Indian Judiciary, no preference would be given to either the employer or the employee and that “public morality” shall be the decisive factor. But the right to privacy under the Constitution can be exercised only against government action. Non-state initiated violations of privacy come under the ambit of the law of torts. Although there is no specific legislation dealing exclusively with the subject of “employee privacy”, certain legislations like the Information Technology Act, 2000 (hereinafter the IT Act) have attempted to address the issue of data protection and privacy. Sensitive Personal Data or Information (SPDI) is accorded protection under Section 43A of the IT Act. In breach of a contract (here, between an employer and an employee), Section 72A of the IT Act protects personal information from unlawful disclosure by the employer of the employee.
As per the newly laid-out Rules by the Central Government pertaining to this Act, an entity handling sensitive personal information like passwords, sexual orientation, biometric records and medical records has to adhere to certain compliance requirements enshrined in these Rules. Employers collect the SPDI of their employees for varied reasons like record retention, employee evaluation and other legitimate purposes.
India has recently witnessed the passage of the Privacy (Protection) Bill, 2013 that focuses on the protection of personal and sensitive data of persons. This Bill has an overriding effect on all existing provisions directly or remotely related to privacy as Section 3 of the Bill provides that:
“no person shall collect, store, process, disclose or otherwise handle any personal data of another person except in accordance with the provisions of this Act and any rules made thereunder.”
Under the Bill, the definition of sensitive data has been enhanced and is thus different from the definition provided under The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that came into effect from April 13, 2011. The Bill places enormous emphasis on the concepts of “confidentiality” and “secrecy” in the following words: “Any person who carries out any surveillance or interception of any communication, or who obtains any information, including personal data, as a result of surveillance or interception of communication, shall be subject to a duty of confidentiality and secrecy in respect of it.” Thus, employers are expected to exercise due care and caution while handling personal and sensitive data. The key factor here is “proportionality”. It should be clear that the simple fact that a monitoring activity or surveillance is considered convenient to serve the employer’s interest would not by itself justify any intrusion into a worker’s privacy. But at the same time, it is difficult to demarcate when surveillance is justified and when it intrudes into the privacy of the employee. Segregating what level of information can be sought or demanded for organizational business purposes from what should be excluded is intriguing and difficult. In a U.S. case, where the plaintiff’s husband sent nude pictures of their daughter over the Internet from the official email system, the plaintiff sued the defendant because of its lack of action, and the court said that an employee’s privacy interest does not trump the employer’s right to monitor an employee’s computer to see if the employee had breached a duty. In another case, where the agency had specific suspicions about the use of “non-standard” software, the agency was within its rights to conduct an investigatory search even though the employee had a reasonable expectation of privacy when using his office computer.
Furthermore, what constitutes “organizational privacy” and “employee privacy” has not been a part of any discussion and is therefore mired in ambiguity. Restricting the use of organizational resources and reducing the liability of the business due to misuse are valid reasons for surveillance, but the question here is how an individual can possibly be expected to lead his life unless he spends some time off work on personal activities.
India needs to come up with strong policies and regulations in order to protect the IT industry as well as the privacy of every citizen. Every organization must come up with a clear-cut definition of what “privacy” means to it based on its organizational culture, business needs, etc., define it in all possible contexts and ensure a limited interpretation of the same. Before a new employee is inducted, the same must be made clear to him/her.
On the legal front, India needs to have an exclusive law on the subject of employee surveillance as the IT Act, 2000 does not provide for the same.
Alex Rosenblat, Tamara Kneese, and Danah Boyd, Workplace Surveillance, Data and Society Research Institute, 2014.