Get a privacy shield

• The CEO of a fortune 500 company keeps a mini tape recorder in his suit pocket and surreptitiously records conversations with his employees.
  
  
•  A large BPO with facilities across the country has embedded chips in the id tags of its employees that allow managers to track their whereabouts at all times.
  
  
• In another case, systems administrators leaf through office e-mail accounts and chat records at a mid-tier it services company every Saturday under the guise of routine maintenance.
  
  
• Across Bangalore, techies sent for mandatory medical exams have been made to undergo hiv tests without their knowledge.

Sanjay Gupta Head/ BSA India/ and Director (Legal Affairs)/ Microsoft India: "India doesn't have a privacy law for its citizens and this loophole can be used by companies to exploit employees"

If you thought these were scenes from some cheap spy flick, think again. Across corporate India, companies are eavesdropping on internet chats, watching which websites you visit and, according to the grapevine, keeping an ear out on who you call on office phone lines. While a few of these procedures are acceptable, since they are generally for legitimate security reasons, privacy advocates are increasingly getting jittery as organisations begin to snoop into the personal affairs of their employees.

What was completely taboo once is an acceptable practice today as companies seek to keep closer tabs on what their employees are up to at work and how they're utilising their time at their work stations.

While some amount of monitoring can be expected, given the spate of cases of data theft, and more worryingly, terror attacks, it may be time to become a bit more careful about your conduct at work. "India doesn't have a privacy law for its citizens and it is this loophole that companies can exploit to ferret out this kind of data," says Sanjay Gupta, Chair, India Committee 2007 for Business Software Alliance and Director-Intellectual Property (IP) Rights, Legal and Corporate Affairs, Microsoft India.

Others such as Pawan Duggal, a Supreme Court lawyer and expert on it and ip law, argue that in the absence of a privacy legislation, self-regulation is perhaps the best way to go as far as employee privacy is concerned. "A company can easily administer an HIV test on candidates and if they're found positive, refuse to hire them on vague medical grounds.

"The only protection offered is under Article 21 under the Right to Life": Pawan Duggal Advocate (IT and IP Expert)/ Supreme Court

More importantly, issues surrounding how these companies store this data and who gets access to it are rarely spoken about," he says.

Indeed, when BT tried to speak to technology companies, most of them (including global players such as hp and Accenture, and local behemoths such as Infosys) declined to comment.

The security blanket

Handy tips to safeguard your privacy at workplace.

• Many companies monitor internet usage at work. Be careful about what you write and which sites you visit.
  
  
• When you go for a medical examination, check which tests you are undertaking and who has access to these records. Prior permission is mandatory for an HIV test.
  
  
• Ideally, keep private communication off office e-mail systems.
  
  
• Few people need to access your personal records once they are filed with your employer. Ensure that you are intimated if someone from HR or accounts takes a look.
  
  
• A handful of companies do offer contracts that safeguard data on employees. If you work for one, you can hold it responsible for any breach.

One foot forward

P.S. Seshadri Head (Business Excellence & Quality)/Unisys Global Services: "UGSI has made it mandatory for all employees to undergo Online Basic Privacy Training"

Despite these measures, there are some companies that did admit that they train employees (and even make them sign contracts) to ensure they understand the seriousness of the situation. As part of it consulting major Unisys Global's Privacy Programme, the company has made it mandatory for all employees to undergo an "Online Basic Privacy Training" when they are inducted into the organisation. "This course provides an overview of Unisys's privacy principles, definitions of various privacy-related terms and examples of work-related situations. We also have documented guidelines that are followed regarding access to and inspection of the digital domain," says p.s. Seshadri, Head (Business Excellence and Quality), Unisys Global Services India (UGSI).

Better safe than sorry

Part of the problem, according to some critics, is that companies have over-sanitised their offices and made all intrusions into an employee's work life fair game for systems administrators and supervisors. "In most advanced countries, invasion of privacy is considered a violation of individual rights. Unfortunately, in India where there are no specific privacy laws, there is little relief an aggrieved individual can get from the legal system. In the eagerness to portray ourselves as a 'trustworthy outsourcing' destination, employers are investing in the latest electronic gadgets to monitor employees and brazenly infringing their right to privacy," says Anish Singh, CEO of Techbridge Networks, a Bangalore-based hr outsourcing and consulting company.

This means that it's up to the employees to decide what boundaries to set for themselves. "The only protection offered is under Article 21 of the Constitution (under the Right to Life), but we rarely see any cases of corporate oversight on this front," says Duggal.

While it may help to be careful, most employees don't really understand the meaning of basic terms such as privacy and IP. "We've had to educate people literally from the ground up on these issues and it is only over the last couple of years that awareness has reached a reasonable level," says Gupta.

As awareness grows, however, it is also important to draw boundaries between what is acceptable usage of the internet (and, indeed, other forms of communications) at the workplace. "Most clauses (in a contract) are focussed on protecting company IP, data, knowledge of business plans and customers," says Pravin Chand Tatavarti, MD for the India operations of Allegis, a staffing and recruitment services company.

Contract Crisis

Unlike Unisys, an Infosys representative claimed that India's best known name in it "doesn't have any such standard policies. While we have policies in place on internet usage and some other areas, there is no written policy on privacy of employees. We don't even use a standard disclaimer in the e-mails we send."

While most companies are very specific on what data employees can take in and out of their workplace, few, if any, have any contracts lined up to protect employees. "Most organisations are particular about making their employees sign non-disclosure agreements, confidentiality memorandum and a business code of conduct. However, I haven't heard of any (agreement), which commits to safeguarding the privacy rights of its employees or even one that proactively offers advance warning that the employee's on-job performance, work habits, interactions with co-employees or outsiders could be under surveillance," says Techbridge's Singh.

Rather than try to test these limits, it may be advisable to limit non-work communication, especially on the office e-mail and chat servers, says Raghu Raman, CEO, Mahindra Special Services, an it security consultancy. "Some obvious areas that are off-limits for employees are pornography and most file sharing networks, while social networking sites are often blocked to prevent dangerous content from sneaking onto company servers," he says.

Recruitment Rigour

Being careful about your personal data doesn't begin at your office; it extends some way back into the recruitment phase itself when you're asked specific personal details and companies file away these details for records. "It is important to check what companies do with this kind of data and how they ensure it's either properly stored or safely destroyed. These aren't questions that people ask often enough," says Duggal.

Chaitanya Nadkarny, Director (Operations and HR), ThoughtWorks Technologies India, argues: "It is possible that in the services industry, such job contracts might require sharing of employee data. Companies have to brace themselves for legal consequences of sharing such information and where such possibilities exist, the recruiting model will have to take them into account."

With the law offering limited options, legal experts and employees feel that it is better to err on the side of caution rather than "expose" private and confidential data to prying eyes. At the same time, it is important to keep tabs on how companies use personal data submitted for recruitment, medical examinations and the like. As Duggal says, at the end of the day, companies don't want the negative publicity that comes with any incidents of private data getting lost or reaching the wrong hands.