What data protection principles should employers take into consideration regarding remote working?
The first thing to consider with remote working is having a secure Virtual Private Network ("VPN") in place. That is an absolute must.
The second thing is to have remote working policies. Such policies should include guidance on physical security. If an organisation’s processes are manual, i.e. a lot of data is on paper, employees should be provided with lockable cabinets or drawers to store the papers. Make sure the policy includes ‘do not leave the cabinet/drawer key on display’; you would be surprised how many people leave the key on their desk in full view. You should also insist that remote workers follow your lock screen and clear desk policies. When working from home there are other members of the household who are not authorised to access the data, so the screen must be locked whenever the employee moves away from the desk. Consideration should also be given to the disposal of data, especially data on paper. Remote workers might be asked to use the employer’s disposal facilities at the place of work, or the employee might be provided with a shredder and/or a confidential disposal bin. Or, because of the remote worker’s geographical distance, it may not be possible for them to use the employer’s disposal facilities, in which case the employer might have to arrange for an approved third-party waste disposal provider to collect directly from the employee’s home address.
If the employee is able to allocate a room in their home specifically for work, they should be encouraged at the end of the day not only to shut down the computer but also to shut the door to prevent unauthorised access by other members of the household. If, on the other hand, the employee's workstation is in a more communal area, such as the lounge or kitchen, then they need to be more vigilant, as those rooms tend to have more traffic, so locking the screen and putting away paper in lockable cabinets becomes even more critical. From a work-life balance perspective, shutting the door and logging off the computer may also have a positive psychological impact, as it allows the individual to detach from work mode.
A work-life balance is important, and whichever initiative the organisation uses to promote it, there is always an element of data that needs to be considered. Therefore, it’s important for all members of staff to be aware of their surroundings and to check whether anyone who shouldn’t be listening can overhear the conversation. An overheard conversation could easily turn into a data breach.
During the lockdown, we saw a shift to remote working and an increase in the use of telecommunication systems such as Zoom, Teams, etc. A lot of employers insisted that employees have the camera on, forgetting that the employee was working from home. We are fortunate in this country that we have Human Rights, and one of those rights is Privacy, in particular at home. This means that while the employer can insist that the employee joins a Zoom/Teams call, they should not insist on the camera being on, as that could be a breach of privacy. However, most telecommunication apps, if not all, have the ability either to change the background or to blur it. So long as the employee is able to do that, it’s fine to insist that the camera be switched on.
Organisations that heavily rely on telecommunication devices may wish to consider adopting a policy for telecommunication devices that captures this point to ensure that managers do not overstep the mark.
Privacy applies not only in the home environment but also at work. This means that organisations need to be mindful that whilst they have a duty of care towards their staff, they also have a requirement to respect privacy. Employers should be mindful, when running wellbeing initiatives, that consent in an employer/employee situation may not be a valid, lawful basis for processing personal data, due to the power imbalance. As such, it may be better to notify staff of initiatives that they can opt in or out of. It’s important to build trust with the workforce, and what better way to do that than by being transparent? Let them know why you are introducing the initiative, what’s in it for them, what data is going to be collected and why (bearing in mind that any mental health data is medical data), what you are going to do with that data, where you are going to store it, who you are going to share it with, how long you are going to retain it, and that they can withdraw at any time.
One of the corporate organisations I worked for, prior to starting my GDPR consulting business, used to provide us with a bowl of fruit every Friday as part of the wellbeing initiative. Some people liked it; some didn’t and thought it was patronising. So why not ask your workforce what they want? You will have higher participation and higher chances of success.
It is important to understand that mental health data is about an individual's emotional and mental state and therefore this type of data is considered medical data. Under the GDPR, medical data is defined as ‘Special Category data’. Art. 9 states that “the processing of Special category data shall be prohibited,” unless certain conditions are met. One of these conditions is explicit consent. When it comes to consent, we need to watch out, because for consent to be valid it needs to be Freely Given. In an employer/employee scenario, due to the power imbalance, the Freely Given criterion cannot be met, and therefore consent may not be valid by itself. The only way to meet the Freely Given criterion is through the voluntary approach of opting in or out of an initiative.
Cristina Vannini-Goodchild is the owner of CVG Solutions Ltd, a multi-award-winning GDPR consulting agency, and is also the owner of the ‘Why such a Fuss’ podcast, which features on Spotify, Amazon Music, and Alexa. Cristina is a fully qualified CIPP/E and C-DPO data protection specialist with over 25 years of C-level experience at top-tier corporations (EDS/HP, BSi, General Motors, and Serco) in data processing and risk management. Cristina focuses on supporting small and medium-sized businesses to strengthen their reputation and increase their revenue through her own unique formula ‘Educate, Empower and Enable’.