5 min read
Friday 18 Jun 21
The world of work has changed for many of us and, for lots of industries, there's no going back to the days when home working and absenteeism were treated as synonymous. It's extremely likely that even once the pandemic is a distant memory, home working won't be a thing of the past.
Whilst we won’t be seeing a complete return to central working locations, it’s possible that many employees will choose to adopt ‘hybrid working’ where they work from home for a select few days in their week.
With this, comes data protection considerations that we’ve summarised in this guide to help employers manage their workforce and comply with their legal duties.
In a survey published in November 2020, the Trades Union Congress (TUC) found that 1 in 7 workers had experienced increased monitoring since the start of the pandemic and that 54% of those workers felt uncomfortable with that level of monitoring.
Thus, whilst employee monitoring is usually driven by good intentions, it's important to be cautious about taking it too far and leaving employees feeling paranoid and unhappy.
Employee monitoring can materialise in various forms. This can span from computer software which records task time and measures of output, to more intense applications which monitor mouse clicks, emails sent and screen time.
Using AI can present an exciting business and technological opportunity but employers should be aware that it can also expose them to new risks. Steps must be taken by employers to minimise their exposure to these risks in light of the emerging US and EU regulatory developments.
The EU has published its proposed Artificial Intelligence Act (AIA), which will have extraterritorial effect: it will apply to providers established outside the EU (including in the US) whose AI systems are placed on the EU market or whose output is used in the EU. This is likely to set the benchmark for regulation in this area, so it would be prudent for employers to read it carefully.
In summary, the AIA will introduce penalties for non-compliance, i.e. for those who fail to fulfil their obligations under the Act. For the most serious breaches these penalties are incredibly harsh: up to 30 million euros or, if the offender is a company, 6% of its total worldwide annual turnover, whichever is higher.
Most of the obligations (and the heaviest penalties) fall on the technology company, i.e. the 'provider' of the AI, rather than on the employer using it, but this doesn't mean employers are let off scot-free: users of high-risk AI systems have their own duties under the proposal, and there will probably be regulatory changes elsewhere. Further, by using AI, employers take on risks under data protection, anti-discrimination and employment law. Employers should therefore think carefully about the interplay between AI intervention in their business and employee rights.
Employers should carry out a risk assessment to decide whether the monitoring activity fulfils each of these requirements – reasonable, proportionate and necessary. This will depend on the context and nature of specific roles in the organisation. When it comes to employee monitoring, remember that home workers don't always follow the same working pattern as office workers.
Article 8 of the ECHR gives individuals the right to respect for their private and family life, which creates risk around video surveillance now that employees are monitored both in the workplace and at home as a result of Covid-19. Whilst employers do have a legitimate interest in ensuring that their companies run smoothly, monitoring must be proportionate to this interest.
Ultimately the European Court of Human Rights found that home video surveillance is a disproportionate invasion of private life. However, office video surveillance to enforce social distancing is likely to be deemed acceptable where it helps employers to abide by Government Covid health and safety guidelines.
This proportionality assessment will depend on a number of factors including (but not limited to):
In recent times, there has been an increased interest in employers collecting diversity data as part of their equal opportunities monitoring programme.
The UK has fairly advanced data protection legislation (the Data Protection Act 2018), under which there are two limbs to fulfil to meet the 'public interest' condition under Schedule 1. This means that collection of diversity data is only permitted when focused on:
Article 6 of UK GDPR also requires there to be a lawful basis for collecting the information, e.g. a legitimate interest or consent from employees or potential employees. Because diversity data is special category data, the Article 6 basis must be paired with the Schedule 1 condition above rather than relied on by itself.
International projects may be more tricky in terms of collecting this data as there is significant jurisdictional variation in the law – some countries even restrict the collection of this data completely!
We recommend carrying out a detailed analysis to identify a relevant legal basis and condition to rely on, on a case-by-case, jurisdiction-by-jurisdiction basis. Record your evidence and reasoning in a Data Protection Impact Assessment (DPIA) to demonstrate accountability.
Remote working has undoubtedly opened up the scope for cyber attacks especially as many businesses have established remote connections over the internet.
To combat the risks, employers should keep in mind:
The leniency displayed at the start of the pandemic seems to have passed. The message is now that things are returning to normal, and the ICO are picking up investigations that have lain dormant for as long as six months.
The ICO are now asking more questions about remote working equipment and asking data controllers to explain the decisions they've made, with reference to the DPIAs that have been carried out.
The ICO now has an increased technical understanding, with officers being better trained and some even having security intelligence backgrounds, so expect to have your 'technical' and 'organisational' measures probed in detail.
Following a data incident, the ICO won't just be looking at what happened and the risk to data subjects; it'll also be looking to understand whether the measures you had in place were sufficient and appropriate. They'll want to know that you've complied with your obligations under GDPR Article 5(1)(f) (the integrity and confidentiality principle) and that you can justify any differential security protection, i.e. ensuring that more sensitive personal data has a higher level of protection. These questions are also being asked in relation to HR data.
There is, however, guidance on technical measures that you should consider:
These set out lists of publicly available guidance from the ICO itself and other vendor-specific guidance, and are a great starting point.
These give examples regarding data breach notification. The guidelines haven't yet been formally adopted, but they contain a list of organisational and technical measures that can help to mitigate risk.
It's important to ensure that video conferencing is GDPR compliant. Check the terms and conditions of any video conferencing software that you use and carry out a data protection impact assessment.
In compliance with Article 13 of GDPR, it's essential to signpost the attendees of meetings to information about the processing of their personal data in the context of video conferencing. We recommend including this information in the email invite that you send to your attendees.
If you do need to record a meeting, be transparent about it. Most video conferencing applications notify participants about recording. However, this notification can easily be missed, so on its own it's unlikely to comply fully with GDPR obligations. It's therefore good practice for hosts to tell attendees at the beginning of the meeting that it is being recorded and to direct them to the privacy notice (even if this has already been stated in an email).
Data Protection Officers should be involved in the choice of video conferencing software that is used.
Invest in good technology and deliver regular preventative training – assume that your employees have little knowledge about technology. This is also likely to make employees work more responsibly, especially when working from home.
Conduct effective due diligence on collaboration tools and have good policies and procedures in place – you should ensure that employees are fully aware of what is expected of them, and regularly review and update any policies and procedures you have to ensure that they remain fit for purpose.
Adopt and stress the importance of incident response plans and maintain reporting lines – it's essential to maintain these wherever staff are located, especially because there is a strict ICO reporting timeframe for notifiable breaches (72 hours from becoming aware, under Article 33 of UK GDPR). If there are any data breaches or incidents, employees must promptly escalate the issue internally so that the clock is not lost.