knowledge | 5 May 2020 |
COVID-19: Data Protection Issues in the Employment Context
This briefing aims to highlight some of the many issues that businesses might face from a data protection perspective, as well as provide employers with practical tips on how these issues could be addressed.
Back in March, the Data Protection Commission (DPC) issued guidance about data protection issues and COVID-19. You can find our briefing in relation to the guidance here. Over a month has passed and a lot has changed since then. With the country going into lockdown and remote working becoming almost universal, a myriad of additional data protection issues have come into focus. Even in these unusual times, and perhaps especially so, it is important to remind businesses of their ongoing obligations under the GDPR.
What are the issues?
One of the effects of the lockdown imposed to contain the spread of COVID-19 was the large-scale move to remote working by organisations. Many businesses were not initially prepared for moving most (if not all) of their workforce to a homeworking arrangement and did not have the proper infrastructure in place. Organisations had to adapt and respond quickly in an attempt to lay down the necessary means for their employees to continue working with as little interruption as possible. Measures that carry some obvious risks from a data protection perspective had to be introduced, such as permitting employees to use their personal devices to access work systems or rolling out new software which employees might not have had a chance to use before.
How can these issues be addressed?
With these new measures in place, employers should take the following practical tips into consideration in order to avoid potential data breaches:
- Remind employees that their confidentiality obligations do not end when working from home:
  - Telephone calls and video conferences can be overheard by family, flatmates and neighbours. Employees should make sure not to discuss sensitive information when they are around;
  - Smart homes and virtual assistant devices (like Alexa) are constantly listening in; they can be accidentally triggered and store the contents of any conversation “overheard” on their servers. Employees should be advised to turn off any such devices while working if they will be taking phone calls or participating in video conferences and/or remove these devices from the immediate vicinity of the working space;
- Ensure that effective access controls are in place to protect employees’ access to the virtual working environment (such as encryption, multi-factor authentication, and the ability to remotely wipe data stored on company devices in case of loss);
- Remind employees not to use personal email accounts for work-related emails, particularly those involving personal data;
- If working with cloud services, remind employees to only use cloud services and data-sharing software that is approved and trusted by the organisation;
- Make sure to keep a written record of any paper records and files taken home by employees in order to maintain good data access and governance practices.
Further practical advice on how to ensure that personal data is protected when working remotely can be found on the Data Protection Commission’s website here.
What are the issues?
One of the consequences of the increase in remote working is the widespread use of video conferencing software by workers in order to keep in touch with their colleagues, management and clients. This gives rise to two main issues from a data protection perspective. The first is how video conferencing can be used in a way that ensures an adequate standard of data protection. The second concerns the data protection implications that arise if organisations decide to record the video conferences.
How can these issues be addressed?
Regarding the first issue, the Data Protection Commission published useful guidance on the secure use of video conferencing technology which can be accessed here. Some of the practical advice for employers includes:
- Avoid the ad-hoc use by employees of video conferencing services unapproved by your organisation. Instead, ensure that employees are using service providers contracted by your organisation for work-related communications. Verify that the privacy and security features of the video-conferencing service chosen will ensure satisfactory levels of data protection.
- Ensure that employees use their work contact information for work-related video conferencing in order to avoid unwanted collection of their personal data;
- Ensure that your organisation has clear and up-to-date policies and guidelines concerning the use of video-conferencing.
With regard to the second issue, if your organisation decides to record the video-conferences in which employees participate, be mindful that any such recording is likely to fall within the definition of “personal data” under the GDPR and will therefore attract the corresponding safeguards and protection. Before implementing the recording of video conferences, it will be important to consider whether this is actually necessary, particularly in light of the obligation under the GDPR to minimise the processing of personal data. If an employer decides to implement the recording of video conferences, in order to comply with the GDPR’s requirements for lawfulness and transparency, it must ensure that employees are aware of the fact that they are being recorded, and make sure to provide them with legitimate reasons for requiring the recording of the video conference. Ideally, this should be clearly reflected in your organisation’s guidelines and policy on the use of video-conferencing.
Monitoring of Employees
It is not only important to ensure that employees comply with the organisation’s data protection obligations, but it is also important to remember that the employer is a data controller in respect of personal data of its employees. If your organisation has implemented systems for the monitoring of staff (or is considering doing so) in order to ensure the staff’s productivity while working from home, which in turn results in the collection and processing of your employees’ personal data, ensure that this is done lawfully, fairly and in a transparent manner (i.e. with the employees’ knowledge) in accordance with the requirements of the GDPR. This should be clearly reflected in your organisation’s data protection notices and policies.
The GDPR contains strict obligations to identify and report personal data breaches to the Data Protection Commission (as well as to the data subjects if there is a high risk that a data breach might adversely affect the data subjects). In case of a personal data breach by an employee during the ordinary course of his employment, the employer is likely to be vicariously liable for that breach. However, with employees primarily working from home, identifying personal data breaches in a timely manner might be a challenge. It is therefore important to remind employees of the strict reporting obligations under the GDPR and provide them with the necessary instruction and training to be able to identify any personal data breaches. In addition, it might be beneficial for your organisation to adopt a “no blame” culture to prevent any data breaches from being “swept under the rug” by employees.
With the increased use of new technology in the workplace and remote working becoming commonplace, it is as important as ever for employers to be vigilant about their data protection obligations. Employers should endeavour to revisit their guidelines and policies dealing with confidentiality, privacy and data protection to ensure that they address the new risks that come to light with the changes in the workplace. Employers should further remind their employees of the increased risks of personal data breaches and ensure that their employees have the necessary knowledge and tools to mitigate these risks and address them when they materialise.
How can we help?
The Employment, Pensions & Incentives Group are available to answer any queries you may have in relation to the supports available to employers in the current climate and can provide guidance on the legal consequences of measures being considered by your organisation to respond to the challenges posed by COVID-19.
Also contributed by Ivan Gendelman
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.