Co-author: Deirdre Crowley and Eimear Boyle
Deirdre Crowley and Eimear Boyle take a look at some of the frequently asked questions by employers navigating the new challenges of the remote workplace. These topics (and more) will be discussed in detail at the Data Protection Ireland Update 2021 event on 3 June 2021. At this event, Deirdre and Eimear will be joined by Meg McMahon, Assistant Data Protection Commissioner to analyse the current data protection themes for employers in the remote working context and generally.
Remote working and data protection – what are some of the key considerations?
There are broadly two categories of specific data protection issues that arise for consideration where employees are working remotely. These include:
- New Processing Activities
New types of processing activities are being carried out to comply with public health guidelines. These activities must be scrutinised carefully before an employer implements them. This may delay a return to the workplace but is critical to ensure compliance with the obligation under the GDPR that data protection be ‘by design and by default’. If necessary, employers should undertake a data protection impact assessment (or DPIA), or if relying on the lawful basis of the employer’s legitimate interests a legitimate interests assessment (or LIA).
- Technical and Organisational Security Measures
Data is being stored and processed outside the office, in employees’ homes. This necessarily means that new software and hardware will need to be procured by an employer in order to not only functionally provide this capability, but also to secure it against loss or unavailability.
Even if files are not stored digitally, if they are in a ‘relevant filing system’ they are still within the scope of the GDPR. What exactly this means in the context of the GDPR is not clear, but it is certain that at least some of the work-related hard copy files that employees may have at home will be within scope. This can make certain exercises such as complying with data subject access requests, or monitoring personal data breaches, very difficult.
Businesses should take advice from information and technical security experts as to the measures to have in place and document these measures in a policy that is made available to employees. This should also be checked on a regular basis and updated to reflect the reality of the evolving circumstances.
- Another key data protection issue arising is the DPO vs Privacy Officer analysis
Where an employer controller satisfies the tests set out in Article 37, GDPR, a Data Protection Officer must be appointed. All public authorities, other than the Courts, must appoint a DPO. A DPO is required where, for example, a controller is engaged in regular and systematic monitoring of data subjects on a large scale or where large categories of personal data are processed. There is no exemption from appointing a DPO where an employer processes large-scale special category data. This is particularly relevant during Covid-19, where large volumes of health data may be in scope for employers who process data regarding PCR testing, for example.
Where Article 37, GDPR is not triggered, an employer controller must appoint a privacy officer. The role of privacy officer is generally less onerous than that of DPO, as the DPO has specific roles and obligations set out in Articles 38 and 39, GDPR.
What does the DPC identify as some of the key operational and practical data protection considerations for remote working?
- Employers may need to send workstation equipment to employees (especially new hires) and as such will need to provide the IT and logistics department (and perhaps third-party delivery service providers) with employees’ addresses. The employee needs to be informed in advance that the department will be sending out the equipment and using their home address (their personal data) to do so, on the basis that the employer has a legitimate business need and therefore a legal basis for data processing.
- Another consideration is that of monitoring employees’ emails and activity on employer-owned IT equipment and/or over employer networks. Any such monitoring must firstly be justified on the basis of strict necessity and proportionality. Employers must adhere to the principle of data minimisation. Any monitoring or surveillance must not be excessive and must be flagged in advance to employees, typically in an employee privacy statement.
- Employees also need to be reminded of the applicable policies in your organisation around the use of email. Employee awareness campaigns and training sessions on email etiquette should include reminders on:
- Avoiding using work email for personal matters;
- Ensuring employees are sending an email to the correct recipient, particularly when the email contains a lot of personal or special category (sensitive) data;
- Warning of the dangers of accessing work information over public networks which are not secure and can easily be intercepted; and
- The steps involved in your internal data breach notification procedure, as employees are often the key to timely breach reporting.
- Ensure all IT devices are routinely secured, encrypted and updated by your IT department and such efforts are recorded.
- If employees are handling physical files and papers containing personal data from their home or remote workspace, ensure they are aware that data protection and confidentiality also apply to these. They must take steps to protect the confidentiality of these papers, store them securely when not in use and destroy them appropriately when no longer needed.
- Regarding recording information on the employee’s health in relation to Covid-19 – information regarding a Covid-19 test is considered to be an employee’s special category personal data and must be treated accordingly. If an employer wishes to record such information it is best to anonymise it to avoid any potential data breaches.
How to handle some of the new data processing in the workplace in light of Covid-19, including health data
- Under Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018, companies may process health data. However, they must apply suitable safeguards, such as adequately training their staff and setting time limits for retention.
- Under the Safety, Health and Welfare at Work Act 2005 all employers are legally obliged to protect their staff. Employers may process personal data (where necessary and appropriate) to comply with this obligation and Article 9(2)(i) GDPR.
- Employers must keep this data confidential, for example, employees who have received a positive Covid-19 test should not be named.
- PCR testing
As of now we have no government guidance or law requiring employers to test their employees for Covid-19. Because of this, it will be a high threshold to meet to prove that such testing is necessary from a data protection perspective. Inevitably many workplaces will require such testing to operate, and there are some potential options open in this regard, for example, relying on the employee to source their own test and report back.
Employers also need to be aware of core constitutional principles that are relevant in this area, including the employee’s right to bodily integrity and their right to privacy. The Covid-19 swab test is far more intrusive than the previous practice of checking temperatures, and this will need to be considered and the risks assessed.
- Contact Tracing Logs
The Government’s Return to Work Safely Protocol recommends that employers keep a log of contact/group work to facilitate contact tracing, and the DPC has addressed the data protection implications of this. The DPC notes that this information is to act as a memory aid for identifying close contacts. Personal data held in a contact log should generally not be processed by an employer for any other purpose. The data should only be retained for as long as is considered necessary for this purpose.
- Vaccination Records
This also relates to vaccination records. Another issue may arise where an employee may refuse to get the vaccine or refuse to return to work without it. In all cases, the first step is to listen to the employee and work together to find a solution, all the while being aware of your duty of care to provide a safe place to work and complying with the data protection obligations around health data.
Some of the challenges of complying with a data subject access request in the current environment
- A Data Subject Access Request (“DSAR”) is a process guaranteed by Article 15 of the GDPR. A data subject:
“shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”
- There is no particular method prescribed for making a valid DSAR. A request may be made by an individual in writing or verbally. Regardless of Covid-19, employees should be trained in understanding whether a DSAR has been made.
- Given the pressure placed on many businesses by Covid-19, it is inevitable that the challenge of responding to DSARs has increased. The DPC has acknowledged the impact this pandemic may have on organisations’ ability and resources to action DSARs; however, the strict timelines for responding to requests under the GDPR remain unchanged.
- Organisations facing difficulties in processing access requests should consider the key points from the DPC’s practical guidance on this issue:
(a) An organisation that receives a DSAR needs to be proactive and engage with the data subject. The controller should communicate the current difficulties the organisation is facing and keep the data subject informed as to how they intend to handle their request.
(b) Organisations should ask the data subject to specify the personal data they are seeking if this has not already been provided in the original DSAR. Once an organisation knows the relevant dates, subject matter or types of data being requested, it can allocate resources appropriately and provide the data subject with a response within the legislative timeframe.
(c) Organisations should consider whether it is possible to respond to the DSAR in part. As a result of Covid-19, offices may be closed. If part of a request can be accessed electronically, the organisation could send that part first and the hard copy afterwards, as soon as reasonably practical.
(d) Organisations should establish their current capabilities when a DSAR is received, in order to evaluate the progress they can make in complying with the data subject’s request.
(e) Organisations should ensure that, in order to avoid potential personal data breaches, they have the means to respond to the DSAR securely.
(f) In the event that an organisation’s office is closed and it has no means of accessing physical or electronic data relating to the data subject’s request, it should communicate to the requester that the request will be processed as soon as possible thereafter. In this event, organisations should record the reasons for such delay.
The DPC has confirmed it will take into consideration any “organisation specific extenuating circumstances” if a complaint is brought to the DPC in respect of a controller’s response.
Forthcoming Event | Data Protection Update in Ireland 2021
Covid-19 and WFH have transformed workplaces and the data protection landscape. Remote working makes recording meetings easy, for example. Cyber criminals are very happy: lockdown has seen a massive increase in phishing attempts.
We focus on the data protection issues that matter to employers and HR professionals – remote working, monitoring home workers, DSARs, grievance and disciplinary transparency, and minimising the risks of data breaches. We also have a session from the Data Protection Commission looking at the data protection trends most likely to impact on employers.