With the end of COVID-19 restrictions in sight, many businesses and their employees will be returning to the office within the next few months.

While some employers will expect their workforce to be back full-time, others will adopt a hybrid way of working with employees' time split between the office and home.

This presents an array of challenges and issues that employers need to prepare for to ensure safety in the workplace, as well as business continuity.

This podcast series, brought to you by Gowling WLG's Employment team, discusses the key issues and how employers should address them to make sure their return to the office runs smoothly.

In this first episode, legal director Anna Fletcher is joined by partner Jocelyn Paulley from our Data Protection team.

Jocelyn will be discussing the key considerations that employers need to focus on in terms of data protection compliance in this new workplace and how to make sure that confidential information remains secure.



Anna Fletcher:  Hello, I am Anna Fletcher a legal director in the employment, labour and equalities team at Gowling WLG and today I am delighted to be joined by my colleague Jocelyn Paulley who is a partner in the commercial IT and outsourcing team and one of our data protection specialists.

Today, Jocelyn is going to be talking about some of the data protection issues likely to impact on employers as we return to the office and in some cases introduce hybrid or blended working models post-Pandemic.  So, Joselyn, what are the key issues that we need to be considering as employers begin to return people to the workplace?

Jocelyn Paulley:  The issues will be probably slightly different for everyone depending on the particular working practices that you are changing.  The simple change from working in the office to working at home some organisations will have had quite a small privacy impact because you are still processing the same data, the same purposes as you were it is that everyone is physically now sat at home rather than in the office.

The obvious area there that most employers and companies have looked at is the security aspect.  Are people using company provided equipment?  Are people using their own personal equipment?  How secure are home WI-FI systems?  How does the access protocol work?  Do systems allow people logging in from IP addresses from different location potentially- even different countries as some employees have gone home if they are from overseas originally?

I think that the simple moving from an office to working from home has had less of an immediate privacy impact if companies are not collecting more different types of data.  Where we have seen a big impact is around, maybe, the return to the office as employers have had to put in systems to ensure health and safety of employees which has then necessitated collecting more data if you are asking people those COVID type questions about have you had a cough, have you had a fever, who have you been in contact with?  Organisations have had to think about how they are collecting that data.  Are they retaining it?  If they are, where is it being held?  Who can access it?  So, you would have had to look at maybe do a DPI around that to establish what the risks might be and make sure you understand your legal grounds of processing that data given that it is going to be held data and therefore special category data and you have a more limited list of grounds that apply that enable you to process and handle that data.

Then, as you sort of blend to a hybrid model and you have people in the office and out of the office. And particularly as the vaccination programme progresses, I know companies have been looking at understanding their obligations or their ability, maybe, to ask employees about vaccinated status and trying to manage the health and welfare of all employees as you bring people back into the office and maintain social distancing and looking at your risk assessment of all the working practice in the office. And maybe not in an office, maybe in a manufacturing plant where people have to come into closer contact, the risk assessment could become more difficult and you are trying to balance keeping your operations running alongside people's individual needs around their own vaccination status or if they are shielding or maybe the household is shielding, how those interact with each other and to what extent employers can ask questions about whether they have been vaccinated or whether they have other health considerations with family members, but employers need to take into account in order to be able to do their risk assessment from a COVID point of view to make sure that the working practices they are establishing are actually going to keep employees safe.

I think it is that when you start gathering additional data that all the data protection obligations begin and employers need to be thinking about doing EPIAs to establish they are doing these things in the right way and then the knock on effect that has, maybe updating privacy notices to employees, updating your statutory documentation like your record of processing and making sure you have all your accountability documentation in place.

Anna:  Was there any specific guidance in relation for this, in relation to the impact assessment that employers need to be carrying out if, for example, they adopt a much more flexible model where people are working from home and people are working in offices?

Jocelyn:  No guidance in terms of a piece of ICO documentation or policy that we can point to, but the documentation generally is very important for data protection.  I know that organisations can evidence that at the time they make their decisions, this was the thought process, these are the dataflows that they understood them at that time and they have done the risk analysis to understand the grounds of processing, check they are not processing more data than they ought to be, check they understand how it is going to be accurately stored, only access is appropriate et cetera.

But it is important that organisations create those records because increasingly we see the regulators focussing on the accountability principle under the legislation.  If you look back at the ICO's website now and the number and the volume of materials they have on accountability versus what there was three years ago there is a huge amount more as they have really drilled into practically what that means for organisations and the steps organisations should be taking to show that they are accountable for the day to day process and the way that they do it.

Anna:  Would you recommend that for anybody who is listening who is working within HR that there should be a collaborative approach between HR? The people who are responsible for the data protection where that is a data protection officer and perhaps you will know your health and safety managers, that people are working more closely together perhaps than in the past?

Jocelyn:  Absolutely. COVID has necessitated that and when I talk to clients about data protection one of the big challenges is that where you end up in terms of your legal analysis is completely driven by the context in which you are working, though as you say it is absolutely critical that you are talking amongst the HR specialists, the health and safety specialists and then people with the privacy knowledge because we are doing a risk assessment you have to understand the full picture. And any clients I have been talking to, it is often the privacy position is part of the health and safety risk assessment rather than the other way around, because health and safety risk assessment is trying to establish what are the working practices you need to set up. And that might say, 'well we need to gather data from individuals to understand if they have been in contact with anyone who has tested COVID positive, when they last had their lateral flow test et cetera and it feeds into the health safety risk assessment' ,then you justify the need to collect and process that data to do with linking to your obligations and employers to keep people safe at work.

So, absolutely these specialists in SMEs need to be working closely together to make sure that the overall balance of what the employer or the organisation is trying to achieve is going to be met, and that you are using the personal data you need to achieve that end but no more and using it in the right way.

Anna:  And so, for organisations that are looking possibly at introducing hybrid working policies so that employees understand their obligations again are there any specific data protection issues that should be picked up in those policies?  I am thinking particularly you mentioned earlier about people working from home, making use of their own equipment perhaps or employer provided equipment and are there things that employers should be thinking about there?

Jocelyn:  Yeah, absolutely. I mean, the ICO does have guidance on things like BYOD, bring your own device, if employers are looking to enable employees to bring their own devices.  There is also advice in the employers guide about things like remote monitoring so employers who have been maybe less familiar with hybrid working or home working coming into the Pandemic have had to understand what they can and cannot do in terms of understanding of employees are doing when they are not physically on the premises.  There is existing guidance on that and how far you can go and where you draw that line.

There is also guidance about a general security obligations under GDPR so there is security obligations to use appropriate technical and organisational measures.  The organisational measures are things like a physical environment, a physical security.  So, whereas companies did have things like lock door policies, clear desk policies, how do you translate that into a home environment, control of printed document, how are those going to be disposed of, those kind of issues, yes absolutely there is existing guidance on those and issues probably would not be branded as hybrid working but certainly issues that the regulators have thought about when just in terms of where data might be moved to as people go about their daily lives.

I suppose, now, if you are doing your risk assessment, and looking at volumes of data that might be outside of such tight company control because they are off premises, that will have increased dramatically with everybody working from home, and so from a risk point if you were thinking about well if that is now a greater risk, are there other things we need to be doing?  Ones which could, as you say, be giving training to employees about do not forget when you are working from home in other places how you should be acting, being conscious of conversations being heard, thinking about what you do with hard copy documents, all those kind of issues.

Anna:  It is very interesting because I know there has been quite a lot of research about the increase in the purchasing by employers of monitoring equipment reported during the course of the Pandemic.  So, obviously, it is really important for employers to know what their legal obligations and from what you have said not at all straightforward necessarily to navigate some of those issues.

Jocelyn:  Quite, yes. So, because it is always in a different context for every organisation it is quite dangerous I think when someone comes to me and says 'oh I know my friend in company X they do this' and you think, well they may well have a perfectly good justification for doing that even though I am telling you I do not think it is appropriate for you in your organisation because the extent to which you can monitor and so they employees like that again it is all down to what are they doing, can you reasonably justify that, are you doing it in a covert manner or an open manner et cetera.  So, that is a new topic that some people have had to look at.

Another interesting one I have come across which I think has come more to the fore now that employees are not at a default based in their offices, it is thinking about business continuity risks.  So, not particularly in light of the Pandemic, not the risk of lots of people suddenly becoming ill but from a location perspective there has been more enquiries about if people were to not be in the office be that travelling or working from home should the employer be keeping track of where individuals are so that if there was some kind of external risk, so I am thinking really unusual things like terrorist risk, or potentially natural disasters, an employer would be able to notify employees that they knew were in those locations and warn them about them and help them get themselves to a place of safety.

Again, that is quite a step away from where we have been previously which is that everyone is based in an office.  People, yes, travel but to what extent does an employer actually track that travel.  I have had people asking about can I enable a location device on a mobile phone so I know precisely where my employees are when they are on their business trips overseas is that justified or do I just need to know the hotel they are in, city they are in so if it was a country where civil unrest was something that was reasonably likely then I would be able to communicate with my employees and help them get themselves to somewhere safe.

Anna:  So, what you are saying is it is very much a very fact specific issue for each business to consider, weighing up its requirement and obviously bearing in mind of course the obligation that you have as an employer to ensure the health and safety of your workforce, very much about establishing that justification.

Jocelyn:  Precisely, yes based on your own specific facts and circumstances so to the extent that lots of employees work in offices, people probably come out in very similar places on those risk assessments and you vary much more when you get into people who have manufacturing facilities or warehouses where people are moving around more or have to base themselves around things and not desks essentially, and the extent to which they then have to come into closer contact or can be further away.Those are the facts that then vary to a much greater degree.

Anna:  And what are the consequences of getting this wrong?

Jocelyn:  As with any potential GDPR risk, it is the usual range of important action that the ICO has so everything from coming and asking to do some kind of consensual audit or asking for information about your process and practices all the way through to enforcement notices that you have to comply with as a matter of law or the big one that everyone knows about the fines that potentially could be imposed for a breach of GDPR.

The guidance that the ICO put out going back to the start of the Pandemic recognised that a lot of employers would be looking at some new issues particularly around understanding health information of employees and employers may be capturing more data if people had to go on site, so temperatures are being taken and those COVID questions were being asked. But I think the tone of the expectation has now changed in that we have been living with these kind of new considerations for some time now, they are no longer so new. So, I think if the ICO were to come across areas of non-compliance there would be less understanding now than they would have been 12 months ago, when companies and employers were understandably looking at a very wide range of brand new issues and having to make a lot of decisions really quite quickly, where you could understand if processes were less thorough or documentation not immediately put in place and the ICO is a very reasonable organisation in that regard and pragmatic but now will probably take a different view now that we are a year down the line.

Anna:  So, what I am hearing there is that having your paperwork in order is really important, ensuring that you have appropriate training in place that picks up any changes in approach, the best practice even if there is not a change in the law and a cooperation with the ICO is going to hopefully help you as an organisation, avoid enforcement notices and the potential risk of fines.

From my perspective, that has been really, really helpful, Jocelyn, I just want to thank you for taking us through those issues so clearly.  I hope that it has given our audience a really good insight into the plethora of data protection issues they need to be considering in the circumstances, but obviously, if any of you listening have any specific data protection questions, please do contact Jocelyn and her team, who would be very happy to help you.

"Read the original article on GowlingWLG.com".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.