News and developments

DATA PRIVACY LAW IN PAKISTAN AND ITS APPLICABILITY TO EMPLOYMENT PRACTICES

1. THE LAW

1.1. Key legislation and regulations

In the main Employment Law or Labour Law as it is more commonly referred to in Pakistan is applicable to lower cadre employees who may be skilled or unskilled. Examples of lower cadre unskilled workers are drivers, gardeners whereas skilled lower cadre employees can be technicians, clerks, bank tellers, receptionist. Such lower cadre employees whether skilled or unskilled are referred to as “Workmen”. All other employees may simply put be not Workmen. The reason behind categorising an employee as a workman or as a non-workman is the simple fact that the Labour Law will only be applicable to a Workman. Thus if an employee is not a workman he will not be able to seek the protection accorded to a Workman under Labour Law and will also not be able to seek the assistance of courts for the enforcement of the labour rights.

The courts in Pakistan have developed a litmus test for determining whether an employee is a workman or not. The courts examine the job description of an employee to ascertain whether or not the employee is a workman. The courts also look into the fact whether the employee is reporting to somebody/following orders or in fact giving orders to junior staff. If the employee is determined to be a workman the labour law will become applicable else the terms of the Employment Agreement and the organization’s own rules and regulations governing employment shall take

precedence. Needless to say it suits employers to not have the labour law applicable to a situation since as is the case in most jurisdictions, the labour law is drafted in a manner to almost always favour an employee over an employer.

The 18th Constitutional Amendment was promulgated in Pakistan in 2010 after which the provinces in Pakistan were given powers to legislate and promulgate their own laws. The power to legislate for the provinces now includes the power to legislate on labour laws, as result of which labour laws now exist at the federal level as well as the provincial level.

There are three main labour laws which are applicable to workmen in Pakistan. These three laws exist at the federal level as well as the provincial level:

The Industrial and Commercial Employment (Standing Orders) as an Ordinance and as an Act exists both at the federal level and the provincial level. The Standing Orders is the employment law which sets out he demarcation between workmen and nonworkmen. The Standing Orders also lay out the various instances which constitute misconduct and how to investigate and punish misconduct. The Standing Orders also provide for how termination and resignation can be done and in which instances gratuity is not paid to employees.

The Industrial Relations Act like the Standing Orders exists at the federal as well as the provincial level. The Act caters to individual as well as grievances by trade unions and the mechanism for employers to deal with these grievances. The act also provides for the creation of specialised courts to deal with industrial disputes.

The Factories Act also exists at the Federal as well as Provincial level. The Factories Act provides details on leaves, working hours and working conditions.

Despite several draft laws since 2005, Pakistan to date doesn’t have a dedicated law on Data Protection. Pakistan promulgated the Prevention of Electronic Crimes Act 2016 (“PECA”) which amongst protecting people against cybercrimes also provides for protection of identity data of citizens. The Act provides that any identity data may only be processed, stored, transmitted with the permission of the owner of the data which would mean the citizen whose data is being used.

The right to privacy of a citizen is enshrined in the Constitution of Pakistan however this right to date has not been developed into a law.

1.2. Official guidelines

There are no official guidelines on Data Protection in Pakistan. The right to privacy is constitutionally protected fundamental right which declares that the dignity of man and subject to the law the privacy of his home shall not be violated. Despite this being a fundamental right there are no direct developed guidelines on Data Protection.

As far Employment Law is concerned the legislation as well as the case law is quite extensive.

1.3. Supervisory authorities

The Pakistan Telecommunication Authority as well as the Federal Investigation Agency are the supervising authorities as far as the Prevention of electronic Crimes Act 2016 is concerned.

1.4. Applicable case law

In Tariq Liaquat Ali Khan vs the State the Sindh High Court described in detail the manner by way of which the concept of Identity Information is protected within the PECA. The accused was duly found guilty of and accorded punishment in distributing and maliciously using the identity information of a female who was also his co worker. The accused using the social media platform of Facebook uploaded her identity information in order to black mail her.

In Imran Khan vs the State, the accused was found guilty of distributing identity information of the complainant via WhatsApp.

In Junaid Arshad vs the State, an accused was found guilty of cyber staking and data theft under the PECA and accorded punishment. The accused in the matter, a senior police officer had created a fake Facebook page account in the name of the complainant using the data of the complainant and then used the page to blackmail the accused.

The case law above though has not found people directly on violation of data

protection however it has been instrumental in curtailing the offence of cybercrimes which emanates from the illegal use of identity data.

2. RECRUITMENT AND SELECTION

2.1. General requirements for collection, processing, and

disclosure of data

Sections 3 and 4 of the PECA provide that unauthorised use of data shall be a crime punishable under the PECA. The term Data has been defined as content data and traffic data.

The General requirement it appears from PECA is that unauthorised use of Data shall not be allowed and the same shall be punishable.

2.2. Advertising a position and requirements for data collection

regarding CVs, tests, evaluations

There are no specific rules or regulations regarding for data collection regarding CVs, tests and evaluations however section 14 of the PECA provides that who so ever obtains, sells, stores and transmits another person’s identity information shall be punishable with 03 years imprisonment and a Rupee 5 million fine.

2.3. Requirements and restrictions in relation to background

checks

There are no specific parameters within defined law on how background checks shall be conducted but it is expected that the privacy of a person as protected under the Constitution shall not be violated and the data so obtained shall not be used in violation of the provisions of PECA regarding identity data.

2.4. Obligations of the employer to protect candidates' right to

privacy during interview process

It is expected that the privacy of a person as protected under the Constitution shall not be violated and the data so obtained shall not be used in violation of the provisions of PECA regarding identity data. The overlying principle enshrined within the PECA for the use of Data is that the usage of the data should be authorised by the owner of the data.

2.5. Employer's right to ask questions/request references

No specific law on this. The Employer can ask questions and request references which they think should be required to be answered by a candidate. A candidate can of course refuse to reply but the same would negatively impact his/her chances of gaining employment and the employer would be within his/her legal rights in refusing employment.

2.6. Candidate's obligation to reveal information

There is no law which protects the right of the candidate in not revealing information which he or she do not want o reveal.

2.7. Retention of recruitment records

Since Recruitment Record falls in the category of content data under the PECA sections 3 and 4 of the PECA shall be applicable in the protection of the same. Ideally permission from the candidates should be sought for retention of the records.

2.8. Information to be provided when acting as a referee

Any information provided voluntarily will be considered to be authorised data under PECA.

3. EMPLOYMENT RECORDS

3.1. General requirements for collection, processing and

disclosure of data

The general requirements for data collection and processing are governed by sections 3, 4 and 14 of the PECA which provide that unauthorised data shall not be processed, stored and transmitted thereby meaning that permission should before hand be sought from the owner of the data.

3.2. Notification to the employee on collection, processing,

access and disclosure

Ideally the candidate should be a asked to sign a consent form for the use of data by the employer or third parties.

3.3. Retention of employment records

The general requirements for data collection and processing are governed by sections 3, 4 and 14 of the PECA which provide that unauthorised data shall not be processed, stored and transmitted thereby meaning that permission should before hand be sought from the owner of the data.

3.4. Employee rights to information

Article 19-A of Constitution of Pakistan; protects citizen's fundamental human right to know. It states that: “Every citizen shall have the right to have access to information in all matters of public importance subject to regulations and reasonable restrictions imposed by law.”

The Right to Information Act 2017 has been enacted in Pakistan however the same pertains generally to information sought by citizens from government bodies.

Though the right is enshrined within the Constitution however the same is not

practically enforced and the employee usually will not have any legal recourse except maybe trying to obtain a civil injunction in cases where he/she had been informed by the employer that they would be provided certain information which was later denied.

3.5. Disclosure to works councils, state authorities, arbitration

courts, etc.

4. INFORMATION ABOUT WORKERS' HEALTH

4.1. General rules on processing of workers' health information

and exceptions

Provisions regarding health provided in the employment agreement and employee handbook would ne binding on employees otherwise the law on health is provided within the Standing Orders and Factories Act however the same is applicable only on workmen and the law is rather outdated on this subject.

5. EMPLOYEE DATA TRANSFERS

5.1. Legal grounds

Where the PECA would protect unauthorised use of the employee’s data, the PECA similarly under the same provisions accords protection to unauthorised use of employer’s data by an employee.

5.2. Mechanisms for the transfers of data

Data can transferred electronically but the activity as well as the data content needs to be authorised by the owner of the data.

5.3. Sensitive data

Removal and Blocking of Unlawful Online Content (Procedure, Oversight

and Safeguards) Rules, 2021 strcitly prohibit removal or use of any data

that maybe sensitive to the security of the Sate of Pakistan.

5.4. Information provision requirements

No such requirements.

5.5. Notification requirements

No such requirements.

6. SANCTIONS

6.1. Criminal and civil liabilities

Unauthorized use of data including its storing, transmission and processing entails imprisonment of at least 03 years and up to Rupees 5 million fine or both.