Hybrid working and data protection

Friday 18 Jun 21

The world of work has changed for many of us and for lots of industries, there’s no going back to the times where home working and absenteeism were synonymous. It’s extremely likely that even once the pandemic is a distant memory, home working won’t be a thing of the past.

Whilst we won’t be seeing a complete return to central working locations, it’s possible that many employees will choose to adopt ‘hybrid working’ where they work from home for a select few days in their week.

With this, comes data protection considerations that we’ve summarised in this guide to help employers manage their workforce and comply with their legal duties.

Employee monitoring

In a survey in November 2020, the Trades Union Congress found that 1 in 7 workers had experienced increased monitoring since the start of the pandemic, and that 54% of those workers felt uncomfortable with that level of monitoring.

Thus, whilst employee monitoring is usually driven by good intentions, it’s important to be cautious about taking it too far and leaving employees feeling paranoid and unhappy.

Employee monitoring can take various forms, from software that records task time and measures output to more intrusive applications that log mouse clicks, emails sent and screen time.

Where such tools rely on AI, they can present an exciting business and technological opportunity, but employers should be aware that AI also exposes them to new risks. Employers must take steps to minimise that exposure in light of the emerging US and EU regulatory developments.

Regulatory developments

The EU has published its proposed Artificial Intelligence Act (AIA). It is intended to have extraterritorial effect: it will apply to businesses located outside the EU (including in the US) whose AI systems are placed on the EU market or whose output is used in the EU. This is likely to set the benchmark for regulation in this area, so it would be prudent for employers to read it carefully.

In summary, the AIA will introduce penalties for non-compliance, i.e. for those who fail to fulfil their obligations under the Act. These penalties are likely to be severe: up to 30 million euros or, if the offender is a company, up to 6% of its total worldwide annual turnover, whichever is higher.

Most of the obligations fall on the technology company, i.e. the ‘provider’ of the AI, rather than on the user, but the proposal also places lighter duties on users, and employers are not let off scot-free as there will probably be regulatory changes elsewhere. Further, by using AI, employers take on risk under data protection, anti-discrimination and employment law. Employers should therefore think carefully about the interplay between AI intervention in their business and employee rights.

Key things to remember when introducing AI into your business

1. The processing of data must be reasonable, proportionate and necessary

2. The usual rules still apply on processing data

3. Review the staff privacy notice

4. Consider what the impact will be (if any) on employee relations

Employers should carry out a risk assessment to decide whether the monitoring activity meets each of these requirements: reasonable, proportionate and necessary. This will depend on the context and nature of specific roles in the organisation. In terms of employee monitoring, remember that home workers don’t always follow the same working pattern as office workers.

NB: UK GDPR (Article 35) imposes a legal obligation to carry out a fuller Data Protection Impact Assessment (DPIA) where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.

Article 8 ECHR and video surveillance

Article 8 of the ECHR gives individuals the right to respect for their private and family life, which creates risk around video surveillance now that employees are monitored both in the workplace and at home as a result of Covid-19. Whilst employers do have a legitimate interest in ensuring that their companies run smoothly, monitoring must be proportionate to this interest.

The European Court of Human Rights has found video surveillance of employees at home to be a disproportionate invasion of private life. Office video surveillance to enforce social distancing, by contrast, is likely to be deemed acceptable where it helps employers to abide by Government Covid health and safety guidance.

This proportionality assessment will depend on a number of factors including (but not limited to):

  1. whether the employees have been notified of the scope of the monitoring
  2. the purpose of the monitoring
  3. whether the monitoring intrudes on the employees’ privacy
  4. whether less onerous measures could be taken instead

NB: Employees must be told if and when they are being monitored and why. We can probably expect a CCTV code of practice to be published later this year.

Collecting data on diversity

In recent times, there has been an increased interest in employers collecting diversity data as part of their equal opportunities monitoring programme.

The UK has fairly advanced data protection legislation (the Data Protection Act 2018). Diversity data is special category data, and Schedule 1 of the Act provides two ‘substantial public interest’ conditions that an employer can rely on for it. Collection of diversity data is therefore only permitted where it is focused on one of the following:

  1. Equality of opportunity or treatment
  2. Racial and ethnic diversity at senior levels of organisations

Article 6 of UK GDPR also requires a lawful basis for collecting the information, e.g. legitimate interests or consent from employees or applicants. Consent is hard to rely on in an employment relationship because of the imbalance of power between employer and employee, so legitimate interests is usually the more realistic basis. Because diversity data is special category data, an Article 9 condition is needed as well as the Article 6 basis; the Schedule 1 conditions above are what satisfy Article 9(2)(g).

International projects may be trickier, as there is significant jurisdictional variation in the law; some countries restrict the collection of this data completely.

We recommend carrying out a detailed analysis to identify the relevant legal basis and condition to rely on, case by case and jurisdiction by jurisdiction. Set out your evidence and reasoning in a Data Protection Impact Assessment to demonstrate accountability.

Data security

Remote working has undoubtedly widened the scope for cyber attacks, especially as many businesses have set up remote connections over the internet.

To combat the risks, employers should keep two things in mind:

  1. The ICO’s attitude has not been particularly understanding.
  2. The ICO’s expectations in response to remote working and data security issues, set out below.

The leniency displayed at the start of the pandemic seems to have passed. The message now is that things are returning to normal, and the ICO is picking up investigations that have lain dormant for as long as six months.

The ICO is now asking more questions about remote working equipment, asking data controllers to explain the decisions they have made and to reference the DPIAs that were carried out.

The ICO now has an increased technical understanding with officers being better trained and some even having security intelligence backgrounds so expect to have your ‘technical’ and ‘organisational’ measures probed in detail.

Following a data incident, the ICO won’t just look at what happened and the risk to data subjects; it will also want to understand whether the measures you had in place were sufficient and appropriate. It will want to know that you have complied with your obligations under UK GDPR Article 5(1)(f) (integrity and confidentiality) and that you can justify any differential security protection, i.e. that more sensitive personal data has a higher level of protection than the rest. These questions are also being asked about HR data.

There is, however, guidance on technical measures that you should consider:

  1. Monetary penalty notices – BA, Marriott, Ticketmaster

These set out lists of publicly available guidance from the ICO itself and vendor-specific guidance, and are a good starting point.

  2. The European Data Protection Board’s draft guidelines on examples regarding data breach notification.

These haven’t yet been formally adopted, but they contain a list of organisational and technical measures that can help to mitigate risk.

Remote working issues:

  1. Increased attack surfaces via remote working
  2. Relying on third parties
  3. HR data

ICO expectations in response to remote working issues

  1. Passwords
  2. Staff training
  3. Multi-factor authentication – you’ll need to strongly justify any failure to have MFA
  4. Patches and updates (VPNs are not automatically immune from attacks)
  5. Vulnerability scans
  6. Penetration tests
  7. No undue reliance on third parties, especially in relation to contractual security obligations – see Ticketmaster Monetary Penalty Notice. The ICO will expect steps to be taken to validate the security of third party products (no sitting back and expecting security to be taken care of)
  8. Consideration of HR data, i.e. are your organisational measures appropriate for HR? This depends on your systems and environment
  9. Encryption – this is something that the ICO are increasingly focusing on and they will often ask HR why data was not encrypted
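To make the encryption point and the earlier phrase ‘differential security protection’ concrete, here is a worked example added for this guide (it is not code from the original article, the ICO or any vendor). It takes a flat HR record, encrypts only the special-category fields with AES-256-GCM, and leaves the low-sensitivity fields readable, so a reviewer can see exactly which data got the higher level of protection and why. The field classification, the record layout and the sample record are all assumptions made for the example; the encryption key would in practice come from a KMS or HSM rather than being generated in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Tier is an assumed classification: Special is UK GDPR Article 9 data (health, ethnicity).
type Tier int

const (
	Personal Tier = iota + 1 // the zero value means "unclassified"
	Special
)

// Classification of the example HR record's fields (assumed policy, not from the article).
var Classification = map[string]Tier{
	"employee_id": Personal,
	"name":        Personal,
	"ethnicity":   Special,
	"health_note": Special,
}

// Record is a flat HR record; after Protect, Special fields hold base64(nonce || ciphertext).
type Record map[string]string

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts Special fields with AES-256-GCM under fresh nonces and passes Personal fields through in clear; an unclassified field is refused rather than silently stored in clear.
func Protect(key []byte, rec Record) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := Record{}
	for field, value := range rec {
		switch Classification[field] {
		case 0:
			return nil, fmt.Errorf("%s: field has no classification; refusing to store it", field)
		case Personal:
			out[field] = value
			continue
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Associated data binds the ciphertext to this record and field, so it cannot be moved to another.
		ct := aead.Seal(nil, nonce, []byte(value), []byte(rec["employee_id"]+"|"+field))
		out[field] = base64.StdEncoding.EncodeToString(append(nonce, ct...))
	}
	return out, nil
}

// Unprotect reverses Protect; a tampered or relocated ciphertext fails GCM authentication.
func Unprotect(key []byte, rec Record) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := Record{}
	for field, value := range rec {
		if Classification[field] != Special {
			out[field] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(value)
		if err != nil || len(raw) < aead.NonceSize() {
			return nil, fmt.Errorf("%s: malformed ciphertext", field)
		}
		pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(rec["employee_id"]+"|"+field))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // demo only; a real deployment fetches the key from a KMS or HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, err := Protect(key, Record{"employee_id": "E1042", "name": "A. Example", "ethnicity": "Prefer not to say", "health_note": "Adjusted desk"}) // constructed sample record
	if err != nil {
		panic(err)
	}
	fmt.Println(stored) // name stays readable; ethnicity and health_note are ciphertext
}
```

Two design choices carry the compliance argument. Binding the employee_id and field name into the associated data means a ciphertext copied into another record or another field fails to decrypt, so the protection cannot be quietly undone by rearranging stored data. Refusing any field that has no classification forces the sensitivity decision to be made and written down before the data is stored, which is exactly the documented, justifiable choice the ICO asks HR teams to explain.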

Video conferencing

It’s important to ensure that video conferencing is GDPR compliant. Check the terms and conditions of any video conferencing software you use and carry out a data protection impact assessment (DPIA) for it.

In compliance with Article 13 of GDPR, it’s essential to signpost the attendees of meetings to information about processing of their personal data in the context of video conferencing. We recommend including this information in the email invite that you send out to your attendees.

Recording the meeting

If you do need to record a meeting, be transparent about it. Most video conferencing applications notify participants when recording starts, but the notification is easily missed, so relying on it alone is unlikely to fully satisfy GDPR transparency obligations. It’s therefore good practice for hosts to tell attendees at the beginning of the meeting that it is being recorded and to direct them to the privacy notice (even if this has already been stated in the email invite).

Data Protection Officers should be involved in the choice of video conferencing software that is used.

How can employers mitigate risk?

  1. Invest in good technology and deliver regular preventative training – assume that your employees have little knowledge about technology. This is also likely to make employees work more responsibly, especially when working from home.

  2. Conduct effective due diligence on collaboration tools and have good policies and procedures in place – you should ensure that employees are fully aware of what is expected of them and regularly review and update any policies and procedures that you have to ensure that they are fit for purpose.

  3. Adopt and stress the importance of incident response plans and maintain reporting lines – it’s essential to maintain these wherever staff are located, especially because the ICO reporting timeframe is strict: a reportable personal data breach must be notified without undue delay and within 72 hours of becoming aware of it (UK GDPR Article 33). Employers are therefore required to promptly escalate any data breaches or incidents internally.
