Covid-19 has led to a fundamental change in the way people work around the world. Many employees, in some companies the vast majority of employees, work in home offices. These workplaces are not only located in their own homes, but also in rented workplaces (co-working spaces), at second homes, or on vacation. International companies must therefore ask themselves how work can be distributed, how work output can be collected, and how teams can be managed across borders.
Data protection is playing an increasingly important role. After all, the data that employees process on mobile devices outside the company is much more at risk of being accessed by third parties. And it is not just the personal data of employees, customers, or third parties that is at risk. Often almost more important is the protection of the company's own trade secrets, which are exposed to access by competitors or foreign states. In addition, there is the threat of cyberattacks that can completely paralyse a company when its servers become unusable and its data is deleted.
In our second roundtable, IEL welcomes leading lawyers to discuss how multinational employers can protect their sensitive data in home-working environments.
Els: What are the risks to the confidentiality of company information stemming from an increase in remote-working patterns around the world?
Mathilde and Yasmine: Remote-working environments do not provide the same security safeguards as when employees are working in the office where all security measures have been designed to provide protection. If security measures are not adapted to new remote working patterns, the confidentiality of company information can be put at risk in many ways.
Hackers and thieves take advantage of times of crisis or trouble to invent new scams and profit from events. They may try to access company information, sabotage a system for their amusement or hold information for ransom either by threatening to leak it to the public or by demanding money for its return. This can have a substantive impact on a company.
The primary targets are employees who, in a remote environment, are more likely to:
- connect to different wi-fi – which may not have the same level of security as office wi-fi;
- use personal devices for professional activities – if employers do not provide the necessary tools to employees they might have to use their own devices, the level of security of which is not managed by the employer (anti-virus, software updates and password protection);
- work in an unsecured environment – at home or outside, others could be able to view what appears on the screen of the computer, the phone or on documents that contain company information or listen to employees’ conversations. The loss or theft of devices or documents with confidential company information is also much more likely to happen given the increased mobility of employees. Some people are even going through trash containers to access company confidential information; and
- be subject to phishing attacks – ENISA (the European Union Agency for Cybersecurity) has stressed an increase in phishing emails and scams since the beginning of the pandemic. Outside of their common work area, employees can be less attentive to such emails and click on suspicious links or open suspicious attachments.
Björn: Ruben, do you think that we are talking about new risks companies have to face or is it just more relevant as more people are working remotely?
Rubén: Risks to the confidentiality of company information because of remote work are not new. Employees were working remotely before the pandemic; eg, when they spoke on their cellphones in public places or read internal documents while flying or taking a train. However, although those risks remain largely unchanged, the increase in remote work over the past year because of the covid-19 pandemic has multiplied them.
At the beginning of the pandemic, most companies were forced to implement full remote work in barely 24 hours. Consequently, they were not fully prepared to take this step without assuming certain risks regarding confidentiality.
There are risks associated with employees’ bad faith, which mainly consists of employees deciding to disclose confidential information. However, those risks are not directly associated with remote work, as they exist regardless of where employees carry out their services.
To reduce those risks, companies must train their employees and use appropriate resources (eg, secure internet connections, firewalls, and anti-virus software), something that many companies were unable to do when the pandemic first broke out.
Björn: David and Iris, do you feel the same development in Asia?
David and Iris: As a result of the covid-19 pandemic, many companies have been working remotely through video conferences, cloud computing, and intranet platforms.
While it is right to say that there is a risk no matter where the employee is working (at the office or from home), the risk grows at home or other places. A typical home network is unlikely to have stringent protections in place. Attackers have seen an opportunity to steal user credentials from personal devices, which are now being used for work and likely do not have the same security protections as corporate devices.
Due to space constraints in Hong Kong, it is not practicable to expect an employee to work or conduct confidential discussions in a secluded area. Employees may also share their work laptop with family members. As a result, non-employees may overhear confidential discussions or see confidential documents.
Els: So, when I think about it, you all agree that the risks have always existed, but they have come to the fore through Covid. How can these risks be mitigated?
Mathilde and Yasmine: Good question, but you can’t start mitigation on a “one-size-fits-all” approach. To mitigate these risks, companies should work at identifying all the risks caused by these new remote-working habits; assess them depending on their risk level and their likelihood of occurring; and address the issues starting, as a priority, with the ones that have been labelled as the most threatening to the confidentiality of company information. There are several ways for employers to mitigate the risks:
- take the necessary measures to maintain an adequate level of security (eg, installation of a VPN, providing employees with the necessary IT tools);
- define or update their information security strategy by taking into account new remote working patterns; and
- adapt IT policies with rules that employees must comply with when working remotely to ensure information security. An IT policy dedicated to remote work could also be created.
That being said, the security and confidentiality of company information is mostly a matter of collective responsibility and all employees at every level should play a part in safeguarding it.
Employers should encourage employees to be more mindful of how they interact with confidential and sensitive information and raise awareness around potential risks. It can be done via training, to inform employees about how the confidentiality of information could be put at risk, the common red flags, the applicable policies within the company and to provide them with tips to protect data when working remotely at home and out of the office (eg, lock the computer when you step away, use only your work email to conduct business, be mindful of what others can see when using a computer or phone, and store printed documents in a secure location where others cannot see them).
Having employees adhere to a security strategy is the best way of mitigating the risks created by remote working.
Rubén: As explained above, those risks could be mitigated through two main measures:
- Providing appropriate tools to work remotely or in the office in the safest way. Those tools must focus on avoiding external attacks (eg, anti-virus software) and on identifying any inappropriate use of confidential information (eg, massive downloads or prints).
- Implementing specific and periodic training on how the above tools must be used, how employees should act to avoid disclosing any confidential information, and how they should act once it has been detected that confidential information has been disclosed.
Unexpected cyberattack simulations or phishing email tricks are also useful to complement this training.
Another option that combines the above measures could be to use software that blocks the company’s internal network and database when an employee’s scheduled working hours end. This would also comply with the right to digital disconnection, which is mandatory in countries like Spain and France.
The responsibility to mitigate the risks must be shared between the company and its employees. The burden cannot fall entirely on employees, and companies must prove that they have acted diligently to avoid confidential information from being disclosed. In short, they have to provide their employees with appropriate tools and training.
The way companies address the above risks should be similar to how they address occupational risks.
Björn: On a technical level, this means that several possible actions can be taken to protect the company network from an external attack, even when working from home. David and Iris, in your view, does it make sense to explicitly regulate employees’ use of these systems?
David and Iris: Good point. From our point of view, employers could formulate a work-from-home policy, and include a list of “do’s” and “don’ts”. For instance, employees should avoid connecting to public networks, sharing corporate devices with others, or using corporate devices in public places. Employers can also develop a response framework to be followed by employees should data loss or leakage occur. Further, employees should be instructed that confidential conversations should take place in private and relatively secluded areas. If this is not practicable, instruct employees to use headphones instead of speakerphone when conducting confidential conversations.
Els: How can employers, technically, control the handling of business secrets by employees?
Mathilde and Yasmine: The measures that can be taken by employers to control the handling of business secrets by employees are varied and mostly depend on their expected goals. On the one hand, measures can be implemented to protect companies’ information from an employee breach like:
- managing access to the information and limiting the number of employees who can access it;
- blocking data transfers from the computers of employees to other hard drives;
- blocking employees from installing new software before it has been validated by the company;
- refusing access to certain websites through which company information could be shared;
- regularly checking access logs for remotely accessible services to detect suspicious behaviour; and
- installing an IT alert when documentation above a certain size is downloaded from the company servers and sent to an external email address.
On the other hand, some measures can be implemented to protect the companies’ information from an external breach through the employees’ use of IT tools, like:
- equipping all employees' devices with at least one firewall, anti-virus and a tool to block access to malicious sites;
- setting up a VPN to avoid direct exposure of company services on the Internet and enable two-factor VPN authentication if possible;
- providing employees with a list of communication and collaboration tools suitable for remote work that guarantee the confidentiality of exchanges and shared data. For example, the French administration discourages the use of certain software like Zoom to share confidential information but recommends the use of videoconferencing software Tixeo;
- applying the latest security patches to the equipment and software used (VPN, remote desktop solution, messaging, video conferencing etc.); and
- implementing two-factor authentication mechanisms on remotely accessible services to limit the risks of intrusion.
Rubén: Before implementing any technical resources to control the handling of business secrets, companies must define what information, data, and documents are business secrets and list the people who can have access to them, both internally and externally.
Then, every time an employee wants to share this information, a warning must appear on the screen reminding the employee of the confidential nature of the information and the people who are allowed to access it.
Companies must also implement security passwords that can change periodically to open a document, prevent recipients from printing the content of the document, and, where possible, track the recipient of the information. In some cases, companies could also create temporary documents that are destroyed (or saved in a specific and reserved digital space) after being used.
In the event of employment termination, no matter the reason, companies should be able to block the employee’s access to any internal information, data or documents; and if the employee is in a termination notice period, companies must implement a technical solution to limit access to certain information. This blocking option must also be implemented when the employee reports the theft of any work-related device.
David and Iris: The first step would be for the employer to identify which documents and information are trade secrets. Once the employer has identified and itemised them, the employer could password-protect its trade secrets, and limit access to trade secret and confidential information to selected employees. Further, employers could prohibit employees from transferring or transmitting trade secrets to any other device, unless prior, express, written permission has been obtained.
Employers may consider installing software to help monitor their systems and flag suspicious activity, such as downloading large amounts of data or emailing attachments containing confidential information.
For physical objects containing or constituting trade secrets, they must not be left in plain view and must not be accessible by any unauthorised person, and must be kept in secure locations, locked away where possible.
For departing employees who have access to trade secrets, employers may consider suspending computer access as soon as notice is served.
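Two of the technical controls mentioned in this exchange, regularly checking access logs for suspicious behaviour and alerting when a large volume of documentation is downloaded from company servers and sent to an external address (Mathilde and Yasmine), and flagging large downloads or emailed attachments containing confidential information (David and Iris), can be implemented with a small log-review script. The following is an added example written for this page, not code from any of the participants or their firms. The log format, field names, thresholds and the internal mail domain are assumptions chosen for the demonstration, and the sample log lines are constructed.

```python
"""
Added example (not from the roundtable): a small detector that reads a constructed
file-server / mail-gateway audit log and raises the two alerts described above:
a user downloading an unusually large volume of documents in one day, and a large
attachment sent to a recipient outside the company's own mail domain.
Log format, thresholds and the internal domain are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
#   <ISO timestamp> <user> <DOWNLOAD|MAIL_ATTACH> <bytes> <path or recipient>
SAMPLE_LOG = """\
2021-03-02T09:14:03 alice DOWNLOAD 120000 /docs/pricing-2021.xlsx
2021-03-02T09:20:11 alice DOWNLOAD 80000 /docs/contract-template.docx
2021-03-02T13:02:45 bob DOWNLOAD 950000000 /docs/full-customer-export.zip
2021-03-02T13:05:10 bob MAIL_ATTACH 950000000 bob.private@example.net
2021-03-02T14:10:00 carol MAIL_ATTACH 20000 colleague@corp.example
2021-03-02T15:30:12 alice DOWNLOAD 60000 /docs/handbook.pdf
"""

INTERNAL_DOMAIN = "corp.example"          # assumption: the company's own mail domain
DOWNLOAD_THRESHOLD = 500 * 1024 * 1024    # assumption: 500 MiB per user per day
ATTACHMENT_THRESHOLD = 10 * 1024 * 1024   # assumption: 10 MiB to an external recipient

LINE_RE = re.compile(r"^(\S+) (\S+) (DOWNLOAD|MAIL_ATTACH) (\d+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, user, action, size, target) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, size, target = m.groups()
        yield datetime.fromisoformat(ts), user, action, int(size), target


def is_external(address):
    """True when the recipient's domain is not the company's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def detect(text):
    """Return a list of alert dicts for the events in `text`, in log order."""
    alerts = []
    daily_bytes = defaultdict(int)  # (user, date) -> bytes downloaded so far that day
    for ts, user, action, size, target in parse_log(text):
        if action == "DOWNLOAD":
            key = (user, ts.date())
            before = daily_bytes[key]
            daily_bytes[key] += size
            # Fire once per user and day, when the running total first crosses the threshold.
            if before <= DOWNLOAD_THRESHOLD < daily_bytes[key]:
                alerts.append({"type": "bulk_download", "user": user,
                               "bytes": daily_bytes[key], "at": ts.isoformat()})
        elif action == "MAIL_ATTACH" and is_external(target) and size > ATTACHMENT_THRESHOLD:
            alerts.append({"type": "external_attachment", "user": user,
                           "bytes": size, "recipient": target, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises one `bulk_download` alert and one `external_attachment` alert, both for the same user within minutes of each other, which is the pattern the participants describe as worth escalating. The per-day counter fires only once as the total crosses the threshold, so a user who downloads many small files does not generate a flood of alerts; in a real deployment the thresholds should be tuned per role and the alert routed to whoever owns the incident-response framework the policy defines.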
Björn: How can employers adapt IT policies to mitigate the increased risk of cyber breaches with more people working from home?
Mathilde and Yasmine: IT policies are a valuable tool for companies to mitigate the risks of breaches. Their purpose is to contribute to preserving the security of the information system and to make the employee an essential player in achieving this objective. It thus makes it possible to control and above all to limit, under certain conditions, how employees can access and use the professional IT tools and resources made available to them for their work.
Considering the increased risks of cyber breaches with people working from home, an IT policy must provide for the rules to be applied in this context. It could be done via the updating of existing IT policies or the creation of an IT policy dedicated to remote working. In any event, employers should follow the habitual procedures when setting up or modifying such policies to make sure they would be enforceable against employees – for example, in France the Social and Economic Committee (CSE – formerly called the Works Council) must be consulted and the document must be filed with the Labour Tribunal and communicated to the Labour Inspector.
Employers should particularly ensure that the IT policy provides a framework for new practices that are now widespread, such as BYOD (Bring Your Own Device), establishes a process to be followed in the event of a security breach or the violation of data, and informs employees of the potential new tools put in place to control their activity when working remotely.
David and Iris: It is likely that many employers will already have IT policies relating to working from home in general circumstances (for example, in Hong Kong, if a typhoon signal number 8 is raised, people are required to stay indoors, and so some employees would be required to work from home). Such IT policies are already likely to cover areas such as making employees aware of the risks of bringing confidential information home, or accessing confidential information from home (for example, through remote access to employers’ IT systems, or bringing home a work-issued laptop (or other devices such as smartphones or USB data sticks) or papers from work). In this case, a cyber breach has always been a risk, though the risk does increase somewhat in line with the increase in the number of employees working from home. Further, the risk of a cyber breach will differ between employers and the type of work they do, as well as the types and amount of personal data being collected, used, processed, or stored by employers.
Ultimately, with the increased number of people working from home, employers should perform a risk assessment concerning their existing IT policies and practices to re-assess the risk of a cyber breach and to see how the practical effects of such increase may affect such risk. Perhaps the highest risk concerns device management, and so IT policies may need to be updated to include an increase in the frequency of system updates, updating of anti-virus and other anti-malware software, and setting up stronger access controls (such as multi-factor authentication).
Rubén: Despite already having an IT policy on remote work, most companies have discovered that their policies were outdated or incomplete, which leads them to implement substantial changes to their IT policies.
Any change to IT policies would require a three-party assessment between IT, Legal and Operational Departments. Companies should consider not only the current scenario, but also the work environment that will emerge after the covid-19 crisis, as most ways of working will likely remain.
These new IT policies should strengthen employees’ obligations to act diligently towards potential cyberattacks and take the necessary internal training to reduce any risks.
These policies need to include not only cyberattacks based on emails, but also involuntarily disclosing or sharing internal passwords or profiles as a consequence of working in public places, planes or trains, where it is easy for someone to look at a laptop or cellphone screen while employees are using them.
Depending on the degree and scope of such changes, companies could be forced to involve the employees’ legal representatives. Their involvement would mainly consist of informing and consulting them about the new policies.
Els: Considering that more than half of the security breaches in private companies are due to employees’ negligence or malpractice, how should the company address training and internal information on cybersecurity matters?
Rubén: A proper approach would be implementing these changes in a practical way. Employees should be as aware as possible of the risks of an attack and how these attacks could appear, and this could be done through exercises, tests, and drills. If employees are not aware of the damage that an attack can cause, they will likely underestimate it. Explaining the WannaCry ransom attack of May 2017 could be useful for this purpose.
Additionally, any training and information actions should be repeated in time, because employees may forget the lessons; and technology and attacks develop faster than one could think, and the training should also adapt at the same speed.
David and Iris: Employers should remind (or train if not already trained) employees of the risk of handling confidential information or personal data while working from home. In addition to training in device management (such as setting strong passwords, not using personal devices, not sharing corporate devices with family members, locking or turning off devices when not in use), employees should be reminded or trained not to work in a public place, and when working at home to use a wired connection where possible (or if not possible to adopt up-to-date security protocols for Wi-Fi access, such as Wi-Fi Protected Access 2 or 3) and to regularly check the devices connected to the Wi-Fi network in question.
Given the nature of working from home, it is possible to deliver such reminders and training through video-conferencing software, and this can be used as a means to provide advice about the use of such software. Such reminders and training should be delivered to all levels of an employer’s organisation to ensure uniform and complete knowledge of the risks and the measures that should be taken to minimise those risks.
Els: How should companies act before a security breach and what are the maximum penalties if personal data is revealed?
Rubén: Companies should implement an internal policy on personal data protection that must apply to everyone associated with the company. Besides, employees must receive specific training on this topic to be aware of the company’s obligations and risks.
Companies must also implement appropriate technical and organisational measures to ensure compliance with personal data protection obligations. The GDPR requires that companies act proactively towards personal data protection.
Depending on the personal data the company processes and the risks of such processing, companies could be forced to implement a data protection impact assessment before processing personal data.
Infringements of the GDPR could lead to penalties of up to €20m or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The people whose personal data was revealed could claim for damages as a consequence of the violation of their rights.
Mathilde and Yasmine: Per their obligation to ensure a level of security appropriate to the risk (eg, under article 32 of the GDPR), companies must put in place measures to prevent a data breach and respond appropriately to a breach (ie, stop the breach and minimise its effects). A lack of compliance could lead to actions by the data subjects or data supervisory authority. This could result in fines or damages claims.
Alternatively, the relevant data supervisory authority may require companies to comply with data protection laws concerning the processing of personal data or impose minimal fines and damages. The precise penalty would be dictated by the nature, gravity, and duration of the infringement. They will consider several factors in determining the amount of the fine: the number of data subjects involved; the purpose of the processing; the damage suffered by data subjects; and the duration of the infringement (Article 29 Working Party: Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679).
As an example, the French DPA has already ordered a real estate company to pay €400,000 for insufficiently protecting the data of users of its website and implementing inappropriate data-retention methods.
Björn: How have data protection authorities reacted to increased remote working; how might these approaches change as the pandemic eases and a new normal is established?
Mathilde and Yasmine: In France, the Data Protection Authority (CNIL) reacted to the increased remote working by issuing several documents to help employers and employees navigate through this brutal change in work habits. All these documents are centralised in a hub including a Q&A on remote work and data protection and guidance on remote working for employers and employees and the use of IT tools:
- the Q&A reminds the applicable principles (what is remote working, when it can be used, if the employer can control the activity of the employees working remotely, the precautions to take when using a personal device, the possibility for an employer to oblige an employee to turn on his video or not);
- for employers, the guidance is about how to secure personal data and to guarantee the security of the IT systems (IT policies, security tools);
- for employees, the guidance shares good practices to adopt when working remotely (follow the instructions of your employer, secure internet connection, prefer the use of devices provided by the employer, if a personal device is used make sure it is sufficiently secured, communicate with secured software); and
- guidance on IT tools and the use of video-conference calling - the CNIL reminds users of a few rules of vigilance and that the software used must always guarantee the protection of user privacy, and good practices for reconciling the security of company information and the protection of employee privacy when using personal devices to perform their duties (BYOD).
The approach taken by the CNIL will most likely remain the same as the documentation published is not specifically related to remote working in times of covid-19, but more broadly an increase in remote-working patterns. Employers and employees working remotely will still be able to refer to this documentation in the future.
David and Iris: In Hong Kong, in response to the covid-19 pandemic and the increased number of people working from home, the Office of the Privacy Commissioner for Personal Data issued several guidance notes about working from home from the perspective of organisations; employees; and the use of video-conferencing software (WFH Guidance Notes). For organisations, this includes guidance on risk assessment, policies and guidance for employees, staff training and support, device management, the use of virtual private networks (VPNs), and remote access. For employees, this includes guidance on device management, work environment, internet connectivity, electronic communications, and paper document management. Concerning the use of video-conferencing software, this includes guidance on policies and measures on security protection and the protection of personal data.
It is likely that the WFH Guidance Notes will remain, even after the pandemic eases and a new normal is established. Although the WFH Guidance Notes were created as a result of the covid-19 pandemic and the increased number of people working from home, the WFH Guidance Notes are drafted broadly and apply to all circumstances of working from home; they are not specific to working from home as a result of the covid-19 pandemic.
Els: What should be considered when letting employees use their own devices when working from home to protect company information?
Mathilde and Yasmine: Because it is more cost-effective, some companies choose to let employees use their own devices to facilitate remote working.
This approach is not without risks as employers, of course, remain responsible for the security of company data stored on devices that are not their own, including an employee's personal device.
For this reason, the decision to authorise the use by employees of their own devices in a professional context should be taken carefully and mitigation methods put in place to avoid data breaches.
To do so, the French DPA recommends that employers first identify the risks by assessing the specificities of each employee (devices, software, data), and secondly, determining the measures to be implemented and formalising them in an IT policy. Such measures could be:
- making users aware of the risks, defining the responsibilities of each person, and specifying the precautions to be taken in an IT policy with binding force;
- making the use of personal equipment subject to prior authorisation by the network administrator or the employer;
- requiring compliance with basic security measures such as locking the terminal with a password following the practices of the company and using up-to-date antivirus software;
- separating the parts of the personal device that are to be used in a professional context (creation of a "security bubble");
- implementing measures to encrypt information flows (VPN, HTTPS, etc);
- providing for a procedure in the event of the failure or loss of a personal tool (informing the network administrator, providing alternative professional equipment, remote erasure of professional data stored on the personal terminal); and
- controlling remote access to company software through a robust user authentication system (if possible using an electronic certificate, a smart card, etc.).
Rubén: For these purposes, a detailed bring-your-own-device policy is essential. This policy must include:
- certain technology requirements for devices (eg, security restrictions such as passwords to unblock the device, and installation of apps or software to provide the devices with additional security for company information);
- company authorisation before installing certain apps or software, even if they are not used for work-related purposes;
- the company’s right to monitor the apps and software used for work and access the information created in these apps or software;
- unaccepted use of non-labour-related apps or software while using the devices for work purposes, and vice versa;
- immediate reports if information is disclosed or the device is stolen; and
- remote control of certain apps or software containing the company’s sensitive data.
Without prejudice to these comments, we strongly advise providing employees with work-related devices, instead of allowing them to use personal devices. Otherwise, companies could lose a certain degree of control over employees’ use of these devices for work-related purposes. Also, if employees use their personal devices for work-related purposes, as a rule, the employer must compensate them for that use.
Björn: Can companies adapt their internal policies to remove any privacy expectations of employees when using company tools during remote work? Would this provision enable the company to unrestrictedly access the contents of the company tools used by the employees, including emails?
Rubén: No matter what the policies state, employees’ right to protect their privacy while using work-related devices is granted by law. Therefore, companies cannot remove employees’ expectation of privacy when using company tools to work remotely.
In addition to the company’s right to monitor or access the content of the devices provided in the policies, companies’ decisions to monitor or access the devices must pass the “constitutional test,” which applies when fundamental rights are affected by any company decision. A company’s right to control employees’ behaviour is not omnipotent, and neither are the employee’s fundamental rights.
The constitutional test means that the company’s decision must be:
- necessary to pursue a company’s legitimate interest;
- appropriate and the least invasive measure to pursue that interest; and
- proportional to the interest pursued.
This requires a case-by-case assessment depending on which rights of the employee and the company conflict.
Mathilde and Yasmine: Naturally, employers keep the power to supervise and control the performance of the tasks assigned to their employees even when they are working remotely. However, this power should not be exercised excessively (ie, infringe on employees' rights and freedoms, particularly the right to privacy) and the process put in place must be strictly proportionate to the objective pursued.
Therefore, an internal policy that will remove any privacy expectations of the employees when using company tools during remote work would most certainly be unjustifiable by the employer and considered as excessively infringing employees' rights and freedoms.
As an example, the French Labor Code and Case Law provide that, while employers can monitor the activity of their employees, they cannot place them under permanent surveillance except in exceptional cases when it is justified by the nature of their tasks (an employee handling money, for example).
Consequently, in the context of remote working, invasive processes such as permanent screen sharing; the obligation for an employee to perform actions regularly to demonstrate their presence; or hindering the use of a personal smartphone, because this equipment can be used to access company resources (prohibiting internet browsing, downloading mobile applications) do not comply with these principles.
Besides, whether the employee is working at the office or from home, the same rules apply when it comes to employer access to the contents of company tools used by employees. In France, a provision enabling the company to have unrestricted access would be considered unlawful, because files or emails tagged as personal benefit from protection and cannot be accessed at will by an employer even if they are stored on company devices or in company email accounts.
Last, generally, employers cannot implement new monitoring systems without informing and consulting staff representatives and informing employees. In France, failure to do so means employers would be prohibited from using the information unlawfully collected to commence disciplinary action. In other words, employers cannot deliberately withhold the presence of a monitoring system to "trap" employees.
Els: How can employers process the personal data of their employees? What are the guarantees for the privacy of the employees when working remotely?
Mathilde and Yasmine: When working remotely, employees have the same privacy rights as when they are working at the office and employers must continue to process their data under the applicable data protection rules.
Employers must adopt a privacy by design and by default approach into every aspect of their processing activities, which in particular:
- has a clearly defined purpose and may not be used for any other purpose;
- is proportionate and appropriate to that purpose; and
- requires prior information of the concerned persons.
As remote working may require companies to conduct new processing of personal data of employees (working time monitoring, reimbursement of expenses, management of the IT tools), employers must particularly make sure to integrate data protection concerns and provide concerned employees with transparent information. Such information relates to how the employer is processing employees’ data (the purposes of the processing, legal basis for processing, recipients, retention period, etc) and the rights attached to this data (right of access, to rectification, to erasure, etc). The register for processing activities will also have to be updated and a data protection impact assessment must be conducted before the implementation of the processing that is likely to result in a high risk to the rights and freedoms of employees.
Rubén: Working remotely does not usually entail a big difference in personal data protection. Consequently, employers can only process personal data that is:
- freely provided by the employee (eg, personal mobile phone);
- necessary to perform the labour contract (eg, name or ID number);
- necessary to comply with the company’s legal obligations (eg, personal social security number); and
- necessary for the company’s legitimate interest (eg, employee’s performance).
Before processing personal data in any of these cases, companies must inform employees of the purpose of the data processing, the lawfulness of each processing, the retention period, any eventual recipients, and any rights granted to the employees as data subjects (e.g. information, access, rectification, and erasure).
When working remotely, certain personal data that otherwise would be evident in the office must be processed remotely. For example, complying with the working hours or measuring the employee’s performance in a remote work environment obliges the company to process specific personal data. As this personal data could be considered new (at least regarding how it is collected), strictly speaking, companies must inform employees of this new way of collecting personal data, its purpose, its legal basis, and the other issues referred to above. Employees’ guarantees regarding this are equivalent to those that apply to on-site work.
If employees think the company is abusing its position regarding collecting and processing personal data, they could file a claim with the Labour Inspectorate, the data protection authorities or the court.
Björn: What are the points to consider for employers to safely use chat and videoconference tools?
Mathilde and Yasmine: Video-conferencing and chat software or apps became essential when working remotely, particularly when it comes to holding meetings and discussions with colleagues or clients.
Employers should provide their employees with communication and collaboration tools appropriate for remote work, which guarantee the confidentiality of exchanges and shared data.
In Europe, Data Protection Authorities have provided guidance on these issues. They stress that one key element is transparency; the user must receive clear information on how their data will be processed and be able to check privacy and security settings to have choice and control over it.
They also mention that employers should make sure that video-conferencing software or apps are kept up to date to maintain effective security measures.
Finally and importantly, they emphasise that employers should inform employees of good practices around the use of video-conferencing software and apps. For example:
- on your computer or phone, close the application when you are not using it, especially if the microphone or webcam is on;
- turn off your microphone and webcam when not in use; and
- do not click on links or attachments you were not expecting or from meeting attendees you do not recognise.
Based on the principle of data minimisation that requires personal data to be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (article 5.1 (c) of the GDPR), the CNIL recommends that employers should not require employees working remotely to activate their cameras when participating in video conferences. It considers that although video can contribute to conviviality, in most cases, participation via microphone is sufficient.
Els: Should or could a company gather health information of its employees during remote working to identify stress, isolation, or other psychological or physical issues?
Rubén: Yes, they should, as this information is necessary for the company to comply with health and safety obligations, within certain limitations.
First, when gathering this information, companies must observe the data minimisation principle under the GDPR, which means companies must justify the extent of the information they are gathering.
Second, if the information does not refer to an occupational risks assessment, but to the individual, psychological status of employees, this information must be gathered and kept by an internal or external health and safety service provider. In this case, the information received by the employer is limited to knowing if the employee is fit to work; if the employee is fit to work but with certain restrictions and what these restrictions are; or if the employee is not fit to work.
Employers should also offer employees a medical evaluation, but they cannot force employees to attend a medical evaluation; they must agree voluntarily, or when there are significant risks that may represent a serious danger for employees (which is residual).
Therefore, employers are not allowed to gather as much information as they want on the health status of remote workers.
Mathilde and Yasmine: Health-related data is sensitive data; as such, its processing is in principle forbidden as per article 9 of the GDPR, except in the limited instances listed in article 9(2) of the GDPR. In an employer/employee relationship, employers cannot rely on the consent of their employees as a legal basis for data processing, because such consent would not be considered as being freely given. However, employers can process their employees' health data when such processing is necessary for carrying out their obligations under employment, social security, and social protection law (e.g. in the context of remote working) to ensure the safety of their employees and to protect their physical and mental health.
Employers need to find the appropriate balance between their employees' safety and privacy. Employers will need to consider cautiously the implementation of any technology to ensure compliance with this proportionality principle. Employers may only collect and process data that is relevant to the preservation of their employees' health and safety and should not use it as an opportunity to obtain information about, for instance, their employees’ lifestyle (by collecting data regarding employees’ personal circumstances). Furthermore, employers would need to ensure that data collected in this context is deleted as soon as it becomes irrelevant to the purpose of preserving the employees' health and safety and that such data is not reused for other purposes.
Björn: Considering health information is sensitive personal data, what are the guarantees for employees’ privacy when processing personal data by the company? Should employees give their consent?
Rubén: Except for undergoing a medical evaluation, employees should not give their consent when the personal data is necessary for the employer to comply with their health and safety obligations. The main guarantees for employees, apart from standard guarantees under the GDPR (e.g. opposition, rectification, and right to file claims), are:
- the involvement of employees’ legal representatives for health and safety purposes - Spanish law specifically provides for a legal representative body specialised in health and safety matters. These representatives are entitled to be informed and consulted before any decision that may have an impact on employees’ health and safety is implemented;
- companies’ obligation to have an occupational risk services provider, except for companies employing more than 500 employees or 250 employees if their work is considered especially hazardous, in which case they are obliged to have an internal department for health and safety with staff specialised in this area; and
- companies’ limited access to personal information on the health status of employees - under Spanish law, employers are not entitled to know the reasons for employees’ sick leave, just the duration and whether it was because of a work-related or non-work-related issue.
Els: Many software applications are in the market of assessing employees’ performance during remote work (ie, connection time, web traffic, emails sent or managed, productivity, etc), using a huge amount of personal data in the process. What are the limitations (if any) to these software tools from a legal, data protection perspective?
Rubén: Software tools like these are an invasion of employees’ privacy, even if they are tools to control the employee’s work or performance.
Since this leads to a conflict between employees’ fundamental right to privacy and an employer’s right to control employees’ work, before implementing a tool like this, the company must assess whether it passes the constitutional test referred to above.
The employer must inform and consult with the employees’ legal representative, and then individually give notice to the employees.
The company must inform the employees of the purposes and legal bases for implementing these tools, their function, the data they collect, and the decision the company may make depending on the information gathered by this tool (eg, disciplinary penalties).
During this procedure, the company must observe the data-minimisation principle.
Björn: What role do you expect for works councils and unions regulating data privacy rules regarding remote work?
Mathilde and Yasmine: French employers have an obligation to inform and consult the Social and Economic Committee (CSE) - the equivalent of a works council - on the implementation of any new technology or the implementation of any new process that affects the work conditions of the employees (e.g. the creation or updates of IT Policies).
In this context and more generally, staff representatives will be expected to discuss their concerns with the employer and to propose ideas and alternatives for the measures regarding remote work.
Rubén: Generally, works councils and unions do not want companies to gather more personal data than before. Spanish law entitles them to be informed, consulted, and to draft and issue a non-binding report before implementing new organisational and control systems. Therefore, they will likely object to invasive control systems.
Because of this, we recommend, to the extent possible (even though it is not mandatory), reaching an agreement or at least having a transparent dialogue with the employees’ legal representatives before implementing any of these measures.
Otherwise, they would likely threaten companies by exploiting the fact that some of these companies’ decisions have an impact on employees’ privacy and personal data, which could lead to significant penalties and damages.
Els de Wind is a partner in the employment department of Van Doorne, Amsterdam; Björn Gaul is a partner in the labour and employment practice of CMS, Germany; Yasmine Tarasewicz is a partner and co-head of the French and EU employment group, and Mathilde Pépin is an associate at Proskauer Rose, France; Rubén Agote is a partner in the employment team at Cuatrecasas, Spain; David Swain is head of intellectual property and Iris Chin is an associate in the employment, immigration, and reward division at Lewis Silkin, Hong Kong