The UK’s GDPR was set to be scrapped by the government. The Prime Minister, Liz Truss, has now resigned so will we see a U-turn on that policy? Firms are using platforms like Teams and Zoom to meet with staff, but are they at risk of breaching data laws? The regulator thinks some are and has published new guidance. We’ll consider all of that.
First the GDPR. Last month the Culture Secretary, Michelle Donelan, made an announcement at the Conservative party’s annual conference, which came as something of a surprise. She said: “We will be replacing GDPR with our own business and consumer-friendly British data protection system… it will be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape… we will co-design with business a new system of data protection … we will look to those countries who achieve data adequacy without having GDPR, like Israel, Japan, South Korea, Canada and New Zealand.”
With that statement, far-reaching as it is, she left open two possibilities. One is the scrapping of the UK GDPR completely. The other is a substantial rewrite designed to keep the EU onside and protect the UK's adequacy determination. Since that announcement Liz Truss has resigned and that is relevant because she appointed Donelan to her current post. Donelan might stay in that role or be moved on by the next PM and, either way, the entire policy might change again under the new administration. So, in short, there’s a lot of uncertainty and we will have to wait and see what happens. Meanwhile, for employers, for clients, should they carry on as normal? It’s a question I put to data specialist Harriet Dwyer:
Harriet Dwyer: “Yes, absolutely. I think, at the moment, we should be carrying on as normal. These changes aren't going to happen overnight, and it is probably going to be some time before we get any further information and clarification on what the new legislation might look like. It's been something that has been on the government's agenda since Brexit and, obviously, we are a little further down the line now. So yes, it's not going to happen overnight. It's very much a watch this space topic.”
The other news. The ICO has published new draft guidance on employee monitoring - they’ve opened a consultation to get the views of stakeholders and then, when it’s finalised, it will replace the ICO’s guidance on monitoring contained in the employment practices code of 2011. They say they want it to reflect the new ways of working that have really taken off since the pandemic, especially the use of platforms like Teams and Zoom. Their concern is that a number of firms are using them not just for meetings, but to monitor their staff – the software allows you to, quite easily, record the screen, take screengrabs, and capture all sorts of data.
So, it’s a case of employers potentially using Teams and Zoom for a wider purpose. Is that a risk? I put that to Harriet:
Harriet Dwyer: “Yes, definitely. So obviously, apps like Teams and Zoom are much more commonplace in the workplace at the moment, especially since COVID when we all had to start working from home but, obviously, there was still a need to connect and meet virtually. But, as you say, employers aren't necessarily just using these apps for meetings. They also have functions such as recording which employers are thinking about using, or are using already, in the context of monitoring and where they are doing so it's really important that employers are thinking about the lawful basis and justifications from a data protection perspective to ensure that they're doing so lawfully. Really, the starting point should be that recording is switched off, that should be the default position, and the guidance does also state that screenshots and images that can be, obviously, taken from recordings are much less likely to be justifiable. So, it is something that employers need to tread carefully with and be thinking about their data protection obligations before doing so. One of the other points that the guidance talks a lot about is the idea of transparency. This is one of the fundamental principles of the GDPR. So again, where employers are thinking about monitoring employees through recordings on Teams and Zoom and things like that, it's really important that they are documenting this and their internal processes regarding it in a monitoring policy.”
Joe Glavina: “Final question on this and it's, it's to do with using evidence that's collected through remote working for disciplinary purposes, because I know we've seen a number of examples of this. Generally speaking, not a good idea; employers could get into hot water. Is that the view still?”
Harriet Dwyer: “Yes, absolutely. One of the other key principles of the GDPR is the idea of purpose limitation. So, that's essentially the idea that where you are collecting and processing personal data, you're doing that for a purpose which has been clearly documented, and employees have been informed of that purpose. Now, obviously, if you start to use personal data for other reasons there is a risk that this could cause problems for the employer. So, for example, if you're monitoring employees and as a result of that you identify problems with absence or, perhaps, performance, and you would like to use that data to assist with a performance or absence management process this could cause complications for you. So, what's really important is that you keep a clear record of all data collected through monitoring and that you keep your record of processing activities up to date. Then one final point that employers should bear in mind in this context is, obviously, employees could seek to make a data subject access request and then this information is most likely going to have to be shared with them unless an exemption applies.”
The ICO’s consultation on draft new guidance for employers on monitoring at work was published on 12 October. It runs until 11 January. We have put a link to that in the transcript of this programme.
- Link to Information Commissioner’s Office consultation on draft new guidance for employers on monitoring at work