Are your corporate policies updated for opening up post Covid lockdown?

The new normal has also meant increased use of personal devices and unsecured data networks by employeesas they work remotely. These factors have added a different dimension to companies’ data security needs.

After over two months since the paradigm shift from office workplaces to laptops propped up on dining tables, the gradual reopening of economies has brought with it a “new normal”. Companies are now brainstorming to come up with protocols to manage workplaces in this new period of ambiguity. The Union Government is doing its part and the Ministry of Home Affairs has issued order (dated 17th May) covering extensive guidelines for workplaces to follow to maximize safety. Below are some updates that need to be made to company policies in preparation for the return of employees. These policies should give information to employees, explain protocols, provide grievance redressed and outline disciplinary mechanisms for violation of COVID-19 guidelines.

Health and Safety Policy

The company should incorporate the MHA guidelines in its health and safety policy and also mention any other measures that it is taking to reduce the risk of infection without compromising on privacy. The policy should also outline the protocol to be followed in case an employee is diagnosed with symptoms of COVID 19. If insurance coverage is available for COVID 19 in the employee insurance schemes then reference to that too can be made in the health and safety policy. These policies can also provide details of access to professional health assistance to help employees tackle concerns due to social distancing and its allied repercussions.

The MHA in this order has also directed heads of organizations to ensure coverage of the Aarogya Setu app amongst all employees at the workplace on a “best effort basis” in order to facilitate the timely delivery of medical attention to those at risk.

While the Arogya Setu app is primarily for the government to gather data for contact tracing and containment, it still remains unclear as to how companies can use it. Companies need to clearly inform their employees if they plan to leverage the app and consequently require the employees to disclose their status on the Arogya Setu app. If companies take a call that entry into the workplace will be permitted only if the status indicator on the app is ‘green’, the same will need to be clearly notified to employees. This would also require companies to come up with guidelines on what employees should do if their status on the app is not green.

In the unfortunate event that an employee has contracted the virus, any mechanism of disclosing such infection must balance contact tracing efforts and the employee’s privacy. This would also require a clear internal protocol on whether and to what extent co-workers need to be informed of a positive case.

Privacy and Data Protection Policy

The organization’s privacy policy must be updated to clearly outline what data it collects with reference to COVID 19, for what purposes it uses the data, with whom such data is shared, how this data is protected when this data might be disclosed to government contact tracing officers and for how long this data is retained. An organization must also devise an internal protocol on when information on the COVID status of an individual with co-workers and managers.

The company’s assessment and disclosure mechanism for COVID 19, such mechanism should include data privacy. As basic requirements for such data privacy, companies should ensure that i) data collected should be limited to what is necessary for identifying at-risk employees, ii) data collected is with the informed consent of the employee, iii) data is encrypted before storage and iv) data is automatically deleted at regular intervals unless needed for medical intervention.

The new normal has also meant increased use of personal devices and unsecured data networks by employees as they work remotely. These factors have added a different dimension to companies’ data security needs. There have been multiple reports of cyber-attacks during the pandemic. At the organizational level, there needs to be increased vigilance on all file sharing methods, usage of personal devices etc. thus requiring significant changes to security policies.

Grievance handling and Disciplinary measures

The organization should allow for a body empowered by the management to address employee concerns and report violations with respect to the guidelines put in place. Lastly, the disciplinary policy needs to be updated to give teeth to the organization to enforce the measures in place for COVID. While twenty people meeting in a small room would not be a disciplinary issue a few months back, in the post-COVID workplace, it becomes one now as it puts the health of others at risk. Similarly, if any employee at the workplace is suffering from COVID-19 symptoms and is refusing to self-isolate or seek medical immediate medical attention, the employer should have an enforcement policy to make it clear that the organization may prevent such employees from coming in contact with other employees and may also immediately report the employee to the relevant government authority. Thus, the disciplinary mechanism in the company’s policies need to be updated to address violations of the new policies put in place specifically for COVID.

As employers implement their return-to-work protocols, clear communication to employees of their plans and expectations is important in these uncertain times as we embrace the new normal.

Adv. Akshaya Suresh is Partner, VB Legal, Adv. Pratik Bakshi is Co-Founder of World Law Forum