The Right to Privacy in the Pakistani Workplace
The right to privacy, defined as “freedom from unauthorized and unreasonable intrusion into individuals’ personal affairs,” is recognized as a fundamental right in Article 14 of the Constitution of Pakistan, which guarantees the inviolability of the dignity of man and the privacy of the home.
The increasing use of technology in workplaces has raised concerns about striking a balance between employer security and employee privacy rights. New technologies, such as computers, telephones, and communication systems, have enhanced productivity but also sparked debates about employee privacy.
It is essential to understand the distinction between workmen and non-workmen under the Labor Law, as workmen are protected under labor laws while non-workmen are not. The determination is based on the employee’s job description and whether they follow or give orders within the organization.
In the context of public sector offices and corporate concerns, certain practices demonstrate what employers consider reasonable monitoring without infringing on privacy rights. Employers may monitor calls with customers for quality control purposes but may also monitor personal calls to prevent misuse of office phones. Computer and internet usage, including web surfing and email, may also be monitored if the devices are provided for official use.
Employees should be cautious when using office devices for personal purposes, as data may no longer be private, and employers may not guarantee data security. Employers may also monitor social media activities and off-duty behavior (through drug testing), and may use video surveillance and biometric systems, to ensure security and performance.
Employers have legitimate business reasons for collecting information, such as safeguarding trade secrets and measuring performance. Additionally, monitoring employee actions can help employers avoid liability in harassment and discrimination cases.
It is crucial for employees to recognize that the workplace is not an appropriate setting for personal activities. Engaging in personal business on office computers, social media usage during office hours, sending personal emails, and excessive web surfing are activities best suited for personal time outside the office.
While employers may monitor certain aspects of employee activities for legitimate reasons, employees should be mindful of their actions in the workplace and respect the company’s policies and regulations. Striking a balance between employee privacy and employer security concerns remains an ongoing challenge, and it is essential for employees to be aware of their rights and responsibilities in the workplace. Seeking legal advice and understanding relevant labor laws can provide further guidance on navigating privacy issues in the Pakistani workplace.
Despite several draft laws since 2005, Pakistan has yet to enact a dedicated law on Data Protection. The Prevention of Electronic Crimes Act 2016 (PECA) was promulgated to address cybercrimes and also includes provisions for protecting citizens’ identity data. According to PECA, any identity data can only be processed, stored, or transmitted with the owner’s permission, i.e., the citizen whose data is involved. Although the right to privacy is constitutionally guaranteed in Pakistan, there is no specific legislation to fully realize and protect this right as of now.
Data Protection and the Privacy Landscape in Pakistan
Despite the constitutional guarantee of the right to privacy in Pakistan, there is a pressing need for a comprehensive data protection law. The Prevention of Electronic Crimes Act 2016 (PECA) does address certain aspects of data protection, particularly concerning identity data, but a dedicated and robust legal framework is still lacking. In the absence of a specific data protection law, concerns about unauthorized access, misuse, and exploitation of personal data remain. Individuals and organizations are left without clear guidelines on how to handle and protect sensitive information, leading to potential risks and vulnerabilities in the digital landscape.
Digital Footprints of Employees in Pakistan: Legal and Ethical Considerations
When considering a prospective employee in Pakistan, employers may be interested in examining the candidate’s digital footprints, which encompass their online presence and activities. However, it is crucial to navigate the legal aspects of data privacy and adhere to ethical principles to ensure fairness and protect both the candidate’s rights and the employer’s interests.
- Privacy Laws: Employers must comply with applicable privacy laws as discussed above that govern the collection, use, and disclosure of personal information, including digital footprints. Accessing and using an individual’s digital information, such as their social media profiles and online activities, may be subject to legal restrictions.
- Consent: Obtaining the candidate’s informed and voluntary consent before accessing their digital footprints is essential. The consent should be explicit and separate from other consent forms, clearly specifying the purpose and extent of the review.
- Relevance and Non-Discrimination: Employers should only review digital footprints that are relevant to the candidate’s qualifications and job requirements. It is vital to avoid discriminatory practices based on protected characteristics, such as race, gender, religion, or disability, which may be revealed through the candidate’s digital footprint.
- Social Media Policies: Employers should have well-communicated social media policies that define acceptable and unacceptable online behavior for both employees and job applicants. Candidates should be informed that their digital footprints may be reviewed during the hiring process.
- Publicly Available Information: Employers can typically access publicly available information about candidates without consent. However, they should exercise caution to ensure the information is reliable and relevant to the hiring decision.
- Third-Party Screening: If employers engage third-party screening services to review a candidate’s digital footprints, they must ensure compliance with privacy laws and maintain strict security measures to protect the candidate’s information.
- Retention and Documentation: Employers should establish retention periods for digital footprint information obtained during the hiring process. Unsuccessful candidates’ information should be promptly deleted or anonymized to protect their privacy.
- Bias and Fairness: Employers should be mindful of unconscious bias when reviewing a candidate’s digital footprints. The focus should be on job-related qualifications, avoiding assumptions based on personal beliefs or opinions expressed online.
Possible Ethical Considerations:
- Publicly Available Information: Reviewing publicly available information shared by the candidate on social media or professional networking sites is generally considered ethical.
- Professional Reputation: Assessing a candidate’s professional online presence, such as a personal website or LinkedIn profile, to evaluate their qualifications and industry reputation is deemed ethical.
- Job-Related Skills and Qualifications: Ethical review may be justified when evaluating a candidate’s online portfolios, published work, or contributions to professional forums relevant to the job.
- Assessing Cultural Fit: Examining a candidate’s digital footprint to assess alignment with the company’s values and culture can be ethically justifiable.
Ethical Ways of Reviewing Digital Footprints:
- Consent and Transparency: Inform candidates about the possibility of digital footprint review during the hiring process to ensure transparency.
- Relevance and Job-Related Information: Focus on information directly related to the candidate’s qualifications and job suitability, avoiding discriminatory practices.
- Non-Discriminatory Practices: Adhere to anti-discrimination laws and regulations, avoiding judgments based on unrelated personal characteristics.
- Consistency and Fairness: Apply consistent standards and processes for reviewing digital footprints to maintain fairness and equal treatment.
- Respect Privacy Boundaries: Refrain from accessing private or restricted areas of a candidate’s online presence, focusing on publicly available information.
By navigating the legal and ethical considerations when reviewing a job candidate’s digital footprint, employers in Pakistan can make fair and informed hiring decisions while respecting individuals’ privacy and upholding their rights. Transparency, relevance, fairness, and respect for privacy are essential principles in maintaining ethical practices during the hiring process.
Current Data Protection Guidelines in Pakistan: There are currently no official guidelines on Data Protection in Pakistan. The right to privacy is constitutionally protected as a fundamental right, stating that the dignity of individuals and the privacy of their homes shall not be violated. However, specific and comprehensive guidelines on Data Protection are yet to be developed. For matters related to the Prevention of Electronic Crimes Act 2016 (PECA), the Pakistan Telecommunication Authority and the Federal Investigation Agency act as the supervisory authorities.
Data Protection and Employment Records in Pakistan: General Requirements for Data Collection, Processing, and Disclosure: Sections 3 and 4 of the Prevention of Electronic Crimes Act 2016 (PECA) make unauthorized use of data a punishable offense. Data is defined as content data and traffic data. It is essential to ensure that data is authorized and not misused.
Advertising a Position and Data Collection Regarding CVs, Tests, and Evaluations: While there are no specific rules for data collection, Section 14 of PECA imposes punishment for obtaining, selling, storing, and transmitting another person’s identity information. It is crucial to obtain explicit consent for handling such data.
Requirements and Restrictions for Background Checks: While there are no specific parameters in the law for conducting background checks, respecting an individual’s privacy as protected under the Constitution and adhering to PECA regarding identity data is imperative.
Obligations of the Employer to Protect Candidates’ Right to Privacy During the Interview Process: Employers must ensure that candidates’ privacy rights, as protected under the Constitution and PECA, are not violated. Usage of data should be authorized by the data owner.
Employer’s Right to Ask Questions/Request References: There is no specific law prohibiting employers from asking questions or requesting references. Candidates have the right to refuse to reply, but it may impact their chances of employment.
Candidate’s Obligation to Reveal Information: No law protects a candidate’s right to withhold information they do not wish to disclose.
Retention of Recruitment Records: Recruitment records fall under content data as per PECA. Permission from candidates should be sought for the retention of records.
Information to Be Provided When Acting as a Referee: Information provided voluntarily is considered authorized data under PECA.
General Requirements for Data Collection, Processing, and Disclosure: PECA’s Sections 3, 4, and 14 govern data collection and processing, requiring authorized use of data with prior permission from the data owner.
Notification to the Employee on Collection, Processing, Access, and Disclosure: Employees should ideally sign a consent form allowing the employer or third parties to use their data.
Retention of Employment Records: Retention of employment records requires authorization from the data owner, following PECA’s guidelines.
Employee Rights to Information: While Article 19-A of the Constitution protects the right to information, it is not practically enforced in the private sector. Employees may have limited legal recourse if denied information promised by the employer.
Disclosure to Works Councils, State Authorities, Arbitration Courts, etc.: Specific rules regarding disclosure to such entities are not provided.
General Rules on Processing of Workers’ Health Information and Exceptions: Employment agreements and handbooks may contain provisions related to health information. For workmen, Standing Orders and Factories Act address health, but the laws may be outdated.
Legal Grounds: PECA protects against unauthorized use of both employee and employer data.
Mechanisms for Data Transfers: Data transfers must be authorized by the data owner.
Sensitive Data: Rules strictly prohibit the removal or use of data sensitive to the security of Pakistan.
Criminal and Civil Liabilities: Unauthorized use of data, including storing, transmission, and processing, may lead to imprisonment of up to 3 years and a fine of up to Rs 5 million, or both, as per PECA.
The Draft Data Protection Bill (2021) envisages that to build public trust, the law should establish a regulatory authority responsible for overseeing data protection compliance and enforcing penalties for violations. This authority should be equipped with the necessary resources and expertise to effectively monitor and address data protection concerns. The Draft Data Protection Bill 2021 has been revised as of 2023.
Legal Update: Personal Data Protection Bill, 2023 – Key Highlights (May 2023)
The Pakistan Ministry of Information Technology and Telecommunication (MITT) introduced the Personal Data Protection Bill, 2023 (PDPB) on 19th May 2023, aiming to regulate the collection, processing, use, disclosure, and transfer of personal data, with penalties for violations of data privacy rights.
The scope of the PDPB extends beyond Pakistan’s borders, applying to:
- Entities processing personal data within Pakistan’s territory.
- Entities incorporated in other jurisdictions but operating in Pakistan, processing personal data for commercial or non-commercial activities, including profiling within Pakistan.
- Entities processing personal data in territories where Pakistani law applies under international law, despite no physical presence in Pakistan.
- Entities collecting personal data of data subjects within Pakistan, including foreign individuals present during data collection and processing.
All data controllers and processors must register with the National Commission for Personal Data Protection (NCPDP) within six months of the PDPB’s commencement.
In case of a personal data breach, data controllers must notify the NCPDP and the data subject within 72 hours, unless the breach poses no significant risks to the data subject’s rights. Data processors must inform the data controller and the NCPDP. Data controllers must also maintain a data breach register.
The PDPB emphasizes protecting children’s personal data (under 18 years). Controllers and processors must consider children’s rights and obtain parental consent before processing their data. Tracking or behavioral monitoring of children and targeted advertising are prohibited.
Legitimate grounds for data processing are outlined, including consent, contract, legal obligations, protection of vital interests, court orders, legitimate interests of data controllers, public health, medical emergencies, and exercising functions conferred by law.
Sensitive and critical personal data require explicit consent, except for specific circumstances, such as employment obligations, protection of vital interests, medical purposes, legal proceedings, and obtaining legal advice.
“Sensitive data” includes financial information, health data, national identity data, biometric and genetic data, religious beliefs, criminal records, political affiliations, ethnicity, or caste. “Critical personal data” pertains to data retained by public service providers, data related to international obligations, or data identified as critical by sector regulators or the NCPDP. Enhanced safeguards apply to sensitive and critical personal data, and critical data must be processed within Pakistan’s territory.
Data subjects are granted various rights, including access, correction, erasure of personal data, prevention of harmful processing, redress of grievances with controllers and the NCPDP, data portability, and protection from solely automated decision-making, including profiling.
International data transfers (excluding critical data) can occur based on NCPDP adequacy decisions, binding contracts, explicit consent (without conflicting with Pakistan’s national security or public interest), international agreements, or other conditions specified by the NCPDP.
The Personal Data Protection Bill, 2023, will significantly impact data protection practices in Pakistan, aiming to enhance privacy rights and data security. Businesses must familiarize themselves with the PDPB provisions and ensure compliance with its requirements.
Given the increasing digitization of information and the growing reliance on technology, a comprehensive data protection law is essential to safeguard employees’ privacy rights at the workplace and promote trust in digital transactions. Such a law should address data collection, processing, storage, and transfer, as well as establish clear rules for obtaining consent and enforcing accountability in case of data breaches. To ensure effective data protection in Pakistan, it is imperative for lawmakers and regulators to prioritize the enactment of a dedicated data protection law. Drawing inspiration from international best practices, the law should strike a balance between promoting innovation and safeguarding individuals’ privacy rights.
The law should define the scope of personal data, set out lawful grounds for processing, and establish data subject rights. It should impose obligations on data controllers and processors to implement robust security measures, conduct regular risk assessments, and ensure compliance with data protection principles.