Image source: https://cutt.ly/MkJoWn4

This article is written by Sneha Singh, from Dr. Ram Manohar Lohia National Law University, Lucknow. The article focuses on the contact tracing applications which are being used by the companies and the repercussions related to it when the situation has been restored to normal after the pandemic.

Introduction

Contact tracing applications are being used across the world amidst COVID-19 to retrench the spread of the virus. If we discuss how it works, the general understanding is that people have to download the app, and the app contacts other devices in proximity typically via Bluetooth. Suppose person A tests positive for COVID-19 and puts that information into the app, the people who have been in close proximity with A’s phone within a certain time frame are notified via text message and are advised to self-isolate. The way discussed above it really seems to be a very good way of preventing other people from contracting the disease but like anything else, it has its own pros and cons. So it becomes essential to discuss the way it can be implemented, how would it be impacting the life of the employees, and what about its legitimacy?

The way in which it will be implemented

The most basic way of implementing a contact tracing application is by seeing who all were in close contact with an infected person. When all those persons are detected, tracked, and warned of infection. Then they are directed to either test, self-quarantine themselves, and/or to receive the required treatment.

The contact tracing app can be downloaded to a Bluetooth/ Wi-Fi enabled device and helps people to be aware of their potential exposure to a COVID-19 patient. According to a report by Reuters the use of contact tracing app Arogya Setu to be made mandatory for both private and public workers. The Company heads were responsible to ensure 100% coverage for all the employees. Although later on changes were made when the former Supreme Court Judge BN Srikrishna criticized the step of the government as utterly illegal and has no legal backing. The High Court of Kerala also in one of its judgments held that the people cannot be denied services only on the ground of not having installed the Arogya Setu app.

The employees may decide to use the app to augment their safety and also as a way to maintain a healthy work environment for the employees during the pandemic. But along with it, there are various risks attached to the application. 

Any risks to the privacy of the employees

The right to privacy is recognized in our country and protected under Article 21 of the Constitution. Privacy has been an issue that is discussed a lot and now in this era with the advent of new apps and technologies, there is a lot more danger of it being breached. The breach of privacy can be by individuals who try to sneak into the personal lives of people by using these advanced technologies and it can also be by governmental orders sometimes.  These apps/technologies which are made to benefit the people and to protect them from COVID-19 infected person are also putting privacy consideration of an individual on the line. After the lockdown, employers have to consider how to make the place safe for employers, clients, visitors, etc. 

The companies are considering whether a health passport is required for all the employees when they return to their work. Whether a health certificate by a physician or any other reliable data confirming that the person is not suffering from COVID-19 be provided. If the employers are forced to do so in a country like India where the Right to Privacy is a guaranteed right does not seem to be an appropriate step.

Ways in which employee privacy can be guaranteed

The apps/ technologies made for the safety of the people should be given effect to seeing that their interests are not harmed. There are certain ways by which the implementation of the guidelines regarding the app can be done and also the privacy of the employees is not compromised. They are as follows-

  1. The employees returning to the office may be anxious and have various doubts regarding the app like how it functions, the people have to carry their phone with them, get themselves tested if there is any risk factor, self-report positive cases, etc. Analyzing all these conditions it is apparent that the app may create doubt in the minds of the people regarding privacy considerations and the solution lies in winning over the trust of the employees. This can be done by telling them how it suits their interest and by doing so a safe work environment can be maintained. The data which is being asked for won’t be used against them in any manner. It provides the best practices to stay healthy, medical advisories, and all the guidelines related to COVID-19.
  2. Employees need to have trust that their whereabouts can’t be traced by their employers, coworkers, neighbours, and hackers. Some versions of these apps facilitate this by de-identifying a device’s location data and encrypting it on the device itself, not on the company server. There is a need for the privacy officers to understand these technologies and data flow as part of their PIA.
  3. The employers need to keep all the data related to their workplace confidential and not allow any government interference in it. In this way, they can win over the trust of the employees and can retain their trust in the app which would bring positive outcomes for everyone.
  4. The data which is collected by this app should be deleted at once after reaching a pre-defined and communicated state of acceptable risk of contagion which will maintain proportionality in privacy laws. Employers should not urge to retain this data for any other purpose than COVID-19.

The points given above try to maintain a balance between an individual’s privacy and the use of an app that is necessary for the safety of the employees. The employers have an important role to play as they are the ones whom the employees know and can place their trust in not the companies who had made the app. They can inform them how everything works and also architect it in a way that would respect their rights and freedom and also provide them with a platform where they can provide their feedback.

Safeguards to be designed in the technology

Technologies to be designed in such a way to incorporate within its values, ethical norms and legal principles. The design decision can act as a powerful tool in times of crisis so getting the relevant technical design of the contact tracing application is necessary.

Whether these apps will be collecting geolocation data via Wi-Fi or Bluetooth signals, whether the collected data would be stored on users’ devices or would be exported to centralized databases which are run by governments or health authorities, whether the users would be able to control as to who uses their data or whether the data would be used for research, and whether the data are automatically deleted after the pandemic is over. These are all the decisions that relate to legal concerns and require consent, purpose limitation and data protection need to incorporated as a part of technical design.

It calls for a careful deliberation not just by the technology developers but also privacy and human rights advocates, ethicists, and affected groups, to consider the trade-offs of different technical approaches. The decisions are not just related to the app as a technical object but also it deals with the design of the institutional, legal, and organizational measures that need to be created around these applications.

Compulsory or Voluntary

A crucial question regarding whether the contact tracing apps should be used by companies or not is whether it will be made compulsory for all the employees or will it be a voluntary choice by individuals. The lack of compliance with the lockdown measures has invited harsh punishment for the perpetrators. But the question is whether the refusal to use these contact tracing apps invites the same harsh punishments? Like in China individuals can be allowed access to some places public/ private only if they use a contact tracing application. Putting this condition makes it mandatory for people to use it if they want to be a part of society. But these conditions also create discrimination towards the people who don’t have smartphones and can’t use these applications. So if these applications are forced on people it may create a group of people whose interests are harmed.

The advantages and disadvantages of the step

Advantages

  1. The contact tracing application is very advantageous and especially when it is brought into effect to curtail the spread of an infectious disease like COVID-19. It helps in seeing if someone is infected and if the person is, it traces the people with whom that person has been in proximity.
  2. The contact tracing is beneficial as humans can make a mistake and especially in the case of COVID-19 which can be asymptomatic for around two weeks. There the contact tracing application is very useful and more accurate.

Disadvantages

  1. It can not be referred to as a disadvantage but can be considered a question that whether the health of an individual that forms a very important aspect of the society can only be left to by trusting the algorithms.
  2. For using a contact tracking application a smartphone is required but it is not necessary that all have one. So in this manner, it would lead to discrimination between people working in one company.

The legality of the contact tracing apps

There are laws in the country that guarantee the right to privacy of the people in the country. Among them are:

  • The Supreme Court in the judgment of KS Puttaswamy v. Union of India held that the right to privacy is a fundamental right under Article 21(Right to life and personal liberty) of India’s Constitution.
  • In the above judgment, the Supreme Court laid down a provision for the drafting of the wide-ranging Personal Data Protection Bill, 2019 introduced by the Ministry of Electronics and Information Technology. The bill was to be applied to the processing of personal data by the state and private sector but the processing of any anonymous data is not within the scope of the Bill. The Central Government has the power to direct the organizations to disclose any anonymized personal data or non-personal data under Section 91.                                   
  • The proposed bill provides for various definitions of sensitive personal data, identifies financial data, data about caste, tribe, religion, and personal belief or affiliation as sensitive personal data. It also provides stringent requirements with respect to the processing of sensitive personal data and information including the requirement of stringent consent, imposing additional conditions for cross-border transfers and requirement of a copy to be stored.                                                                                                             
  • No central law for the government agencies and departments in India provides for data retention provisions but the various agencies have adopted their own data retention provisions.
  • Rule 5(4) of the Privacy Rules mentions that a body corporate or any person on its behalf who is holding any sensitive personal data or information shall not have the authority to store any data for any period longer than is required for the purpose of which that data may be used lawfully or is required to be kept under any other law for the time being in force. The provisions for keeping a record of data and document preservation provision are also mentioned in various laws that vary from five to eight years of preservation or permanent preservation.      

                           

Conclusion

The contact tracing application seems to be a very good option to curtail the spread of COVID-19 but while implementing it, it becomes necessary to look meticulously at its pros and cons. This application may in many ways harm the privacy of the individuals so it is suggested that the consent of people is taken before implementing any of these measures. It also puts a check on the extent to which the privacy of an individual can be curtailed to secure public health. Each individual has a duty towards society but that should not be to an extent to harm his individual rights and especially when he is not ready to share his/her personal data. So the measure would really be helpful if it is implemented in a manner where no one is forced to sacrifice his individual rights which he possesses as a member of the society. 

References


LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

Did you find this blog post helpful? Subscribe so that you never miss another post! Just complete this form…

LEAVE A REPLY