Introduction
What are the constituents of a typical job application form in India? Personal details like name and address, academic and other qualifications, and some questions to assess personality like ‘Where do you see yourself in 5 years?’ or ‘What are your strengths and weaknesses?’. However, there are some new entrants in many job application forms: social media usernames. Some applications ask for the Uniform Resource Locator [URL] of the applicant’s LinkedIn profile. LinkedIn is a social media platform that is predominantly used for professional networking. Some applications go one step further and ask for Twitter or Facebook usernames or URLs. While LinkedIn belongs to a separate class of social media platforms, Twitter and Facebook tend to hold more personal information about an individual. For some, these platforms provide a stage to express angst about a disappearing work-life balance, to express and embrace their sexuality, or to express their political views. Irrespective of the purpose they serve, some social media platforms are more personal than the rest. Therefore, there is a discomfort associated with disclosing social media usernames to employers. Can employees choose not to disclose their social media handles and risk an unhealthy rapport with the employer? The dynamics of the employer-employee relationship do not give the employee such a privilege. The question, however, is whether it is legal for an employer to ask for the social media handles of employees before hiring them, as part of the job application. If it is legal to collect such data, are there any obligations on the employer while collecting and handling it? These are the questions this article deals with in the following sections.
The status quo
Due to the absence of separate legislation concerning data privacy, the Information Technology Act, 2000 [hereinafter referred to as the IT Act] and the rules made thereunder govern most issues concerning personal data. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 [2011 Rules] place different obligations on a body corporate when dealing with the collection and storage of sensitive personal data or information [SPDI]. Rule 3 of the 2011 Rules defines SPDI, and the definition includes passwords, financial information such as bank account and credit card data, health information, biometric data and sexual orientation. A proviso to this rule, however, states that any data which is available in the public domain or is freely accessible is not SPDI. Rule 5(3) of the 2011 Rules states that a body corporate that collects information directly from the person concerned should state the fact that the information is being collected, the purpose of the collection and the intended recipients of the information. Rule 5(7) states that the body corporate, while collecting SPDI, should give the person concerned a chance to opt out if they want to. The prevailing notion in employment law has been that since social media handles are not included in the definition of SPDI and are publicly accessible to anyone with an account on that platform, they are in the public domain, do not constitute SPDI, and therefore collecting such data does not give rise to obligations under the 2011 Rules.
However, most social media platforms serve as harbours of personal information for many people. A person could announce themselves as asexual on Twitter, or share with their friends on Facebook how they are battling clinical depression. This information constitutes SPDI, and therefore different obligations arise when a body corporate collects social media handle usernames or URLs. The definition of Sensitive Personal Data or Information starts with the phrase “Sensitive personal data or information of a person means such personal information which consists of information relating to:” and lists out the constituents as “…. iv) sexual orientation…” Under this phrasing, the definition covers not only sexual orientation strictly but also any personal information which consists of information relating to sexual orientation. This logic extends to all the constituents of the definition, from biometric data to passwords and from health data to financial information, thus making social media handles SPDI. Advocates of social media data collection, for the purpose of efficiency in hiring, would raise the defence that social media username data is in the public domain and therefore does not form SPDI. This would shield collectors of data from the obligations arising out of collecting SPDI. This is a valid argument but for one flaw which invalidates it. Usernames on social media platforms are not social security numbers that lead directly back to the individual using them. Usernames could be anything from Harry Potter references to The Witcher characters. The only way an employer would get to know that a handle called ‘Bellatrix Lestrange’ on Twitter belongs to their employee is when the employee discloses that information themselves. Without the reference to an individual, that information is merely a piece of data lying on a social media platform.
Almost all social media platforms allow users to opt out of being discovered via their email addresses and phone numbers, and to restrict their posts so that they reach only certain people. Therefore, social media information, including handles or usernames, is not in the public domain or freely accessible, and is thus eligible to be considered SPDI.
Obligations of Body Corporate in collecting information from their employee
The 2011 Rules place obligations on a body corporate, or a person who collects data on its behalf, regarding the collection of data. Body corporate is defined in the Explanation to Section 43A of the IT Act as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.”
According to Rule 4 of the 2011 Rules, any body corporate that collects, receives, possesses, stores, deals with or handles the information of providers of information should publish a privacy policy covering the purpose and usage of such data, its disclosure, security practices, etc. Rule 5(3) mandates that when a body corporate collects information directly from a person, it should inform that person about the collection, the purpose and usage of the collected data, the intended recipients of the data, and the name and address of the agency that is collecting and retaining the information. Rule 5(5) mandates that the information collected be used only for the purpose it was collected for, and Rule 5(6) states that the body corporate shall give the information provider a chance to review the information and to amend or correct it to the extent feasible. These obligations exist irrespective of whether the information is SPDI or not.
Rules 5(1) and 5(2) of the 2011 Rules mandate that consent be obtained in writing, through fax or letter, while collecting SPDI, and that SPDI not be collected unless it is for a lawful purpose connected with a function or activity of the body corporate and the collection of such information is necessary for carrying out that function. Rule 5(4) states that SPDI cannot be retained for longer than required. As the collection of SPDI has to be for a lawful purpose, the need to retain the data ends when that purpose is fulfilled. However, if a law requires that the data be retained, it shall be retained. Rule 6 mandates that any disclosure of SPDI to a third party be made only after taking the consent of the information provider, except where a government agency requests the information for the purposes of law enforcement. Although there are obligations on a body corporate for collecting any information, there are additional obligations when it collects SPDI, as provided in Rule 5(4) and Rule 6.
Without a definite purpose and an obligation to use the data only for that purpose, the data collected can be used to monitor employees on a personal level. For example, Facebook usernames could be collected for the purpose of creating a group of all employees, and, without any obligations with respect to handling such data, the very same usernames could be used to monitor posts, likes and other activity on Facebook. H&M, a multinational fashion retailer, was fined by the Hamburg Commissioner for Data Protection and Freedom of Information for obtaining data about employees and profiling them. Details such as religious beliefs and diagnoses of ailments were collected without consent, sometimes from informal conversations with the employees. The profiles created from such details were used to make employment decisions. In the USA, artificial intelligence powered technologies give employers risk assessment scores of individuals on the basis of their social media activity. With employer-controlled applications and devices dominating professional life during the pandemic, there are more avenues for employers to collect sensitive personal data with the help of tools such as keyloggers, software used to monitor employee efficiency. These examples indicate how powerful a tool data is in hiring and human resource management, and how it can be used for more intrusive purposes. Thus, consent, purpose limitation and security should form the bedrock of employee data collection.
Conclusion
There is no explicit bar on employers collecting the social media handles or username URLs of their employees, before hiring or during employment. A stringent, employee-friendly law exists in markets like California and 24 other states in the USA, wherein it is illegal to ask for the social media usernames or passwords of employees. These laws contain reasonable exceptions, in cases of employee misconduct or violation of laws and regulations, with purpose limitation in place. The example of the United States indicates that this is not a burden on employers but a basic requirement, even in a liberal and business-friendly economy. There is no such explicit provision in Indian law, and the existing legal provisions do not restrict the collection of the social media usernames or handles of employees by employers. Under the provisions of Indian law, social media handles are SPDI, and employers should fulfil their obligations and adhere to norms like taking consent, giving an opportunity to amend, retaining the data only for the required time, using it for the purpose it was collected for, and employing reasonable security practices while handling the data. With the emergence of a data-driven world, the formulation of policies concerning the collection and handling of employee social media data is imperative. Any such policy should keep in mind employee privacy, the importance of personal space outside of work, and the employer’s need to protect their business.
Teja Vardhan, a 5th year student at NMIMS, Mumbai.
Picture Credits: UpMinded