UK: Data Protection In The Workplace: What To Expect In 2022

The European Council's Data Protection Day is on 28 January. COVID-19, the gig economy and technological advances are all key data protection topics for the year ahead.

While the COVID-19 pandemic continues to dominate the agenda and will have an impact for data and privacy in the workplace in 2022 there are other developments that will also be of interest to global employers. We have considered some of the bigger Covid issues employers will be grappling with this year, as well as looking at the data and privacy aspects of the new proposed EU Directive on platform workers and the latest on technology and talent.

COVID-19

Inevitably as the latest variant of COVID-19 sweeps around the globe, employers will continue to review and assess the situation and ensure their policies and processes are up to date and conform with the latest guidance.

Areas of interest have centred around the following areas.

Vaccination

Vaccination, including mandatory vaccination (sometimes referred to as ‘no jab-no job'), whether limited to certain sectors such as health and social care or more widely required for whole populations (the recent Australian Open Tennis row shows how different countries approach vaccination!) are high on global employers' radar.

It is also important to remember not all jurisdictions have rolled out vaccination programmes to the same population of employment age so it will be important not to discriminate against sectors of the workforce, whether on age or medical grounds.

Another thorny issue centres around the principle of data minimisation when it comes to employers recording vaccination and booster data. Some regulators, such as Ireland's DPC, have made it clear that such recording and processing of vaccine data ‘is likely to represent unnecessary and excessive data collection for which no clear legal basis exists' with only very narrowly defined exceptions. This causes a headache for employers when trying to balance their GDPR and UK GDPR (and similar obligations) obligations with those of health and safety.

International travel

While it is commonplace to record dates of annual leave, details about holiday destination etc. might be a step too far (certainly in pre-Covid times). However, in current circumstances international travel plans can also cause issues, whether travel is for business purposes or leisure. Should an employee travel abroad and then the rules for their country of destination change they may need to quarantine on return and therefore require additional leave to do so. How this issue is handled and any data recorded needs careful consideration. As ever a well-thought out, fair, clear and transparent policy can help prevent any problems should this situation arise.

Long Covid

Some countries are recognising Long Covid and the medical complications and issues surrounding this condition. Will Long Covid be recognised as a disability for equality law purposes? If so, are there any concerns around holding this special category health data, especially if it is held in conjunction with vaccination data or the choice not to have taken up vaccination? As special category data it is even more important to be clear and transparent with your employees what data you are recording, for what purposes and what the legal basis is for doing so.

Remote and hybrid working

Although this is considered by many as the new normal, including the onboarding of new employees remotely, there are still workplace data privacy issues and risks to address. Whether at the start of the employee journey with adapted remote right to work checks, confidentiality issues with family or roommates in close proximity, flexibility for parents and carers, who may be home schooling while isolating or due to a lockdown, or due to a lack of respite care, let alone the need for diligence in applying security patches and updates in a timely manner to prevent vulnerabilities and potential breaches, there are many workplace data and privacy issues to consider and address. Many policies and processes will have been adapted and updated throughout the pandemic but perhaps our new year's resolution should be to take a look at these documents and refresh them in light of our experiences.

With more remote working has come the increase in monitoring employees remotely. For some countries this is considered perfectly normal while in others this is seen as unacceptable and a breach of their data and privacy rights. While employers may argue it helps them to monitor productivity and engagement, many believe they do so at the expense of employee trust. This in turn has been said to increase the potential of the insider threat where a disgruntled employee may cause any number of issues for an employer (think of the Morrisons data breach in the UK).

Gig economy

On 9 December 2021, the European Commission published a proposal for a Directive regulating platform work. It is important to note that the majority of platform workers will not be impacted and that 85-94% of platform workers will see their self-employed status confirmed.

What is of key interest from a privacy perspective are the proposals in Chapter III of the proposed Directive:

• Article 6: the obligation to provide transparency information in relation to any automated monitoring or decision-making systems to platform workers, in accordance with the requirements of the Proposed Directive;
• Article 7: the obligation to monitor and review automated decision making or monitoring carried out by systems which impact platform workers; and
• Article 8: the obligation to provide an explanation about any decisions taken as a result of automated decision making or monitoring systems.

The proposed Directive will potentially widen an employer's obligations to provide transparency about, and keep under review, and provide safeguards in relation to, any automated monitoring or decision-making system it uses in relation to platform workers. While this is only an EU proposal at present, and may take a number of years to be implemented, employers will need to review their privacy notices and ensure their Data Protection Impact Assessments for such systems are fit for purpose when the time comes.

Technology and talent

It is expected that the accelerated implementation of technology we have seen throughout the pandemic will continue, and drive workplace change in 2022. Chasing talent means that employers not only need the latest technology for efficiency and productivity but also to attract and retain the best talent. While this may be true it should not be at the expense of robust, secure and tested systems to ensure employers do not fall foul of Article 9 and 22 GDPR, unconscious bias in algorithms or safeguarding data.

Conclusion

As ever developments in workplace data and privacy impact employers around the globe and Ius Laboris will continue to keep track of them. Watch this space…

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.