Data Protection in the Workplace - Part 1

In the first of a three-part blog series covering Data Protection in the Workplace, Information Commissioner Paul Vane discusses the fundamental principles of the Data Protection (Jersey) Law 2018 and how workplace culture should play a part in every organisation’s data protection regime

Hello and welcome to this three-part blog series where I’ll be covering some key considerations about Data Protection in the Workplace. It’s almost impossible for me to cover everything there is to know about data protection in the workplace all at once but if you have a good general understanding of the law and how to apply it to other aspects outside of what we term ‘the workplace’, then actually you probably know a lot of what there is to know. The principles remain exactly the same. All you are doing is applying those principles to a slightly different environment.

As always, my best advice is to keep it simple. It’s a message that a former UK Information Commissioner told me 17 years ago when I entered the world of data protection, and a mantra I still hold firm today. Particularly in the more complex and highly digitised world we now live in.

Happy Birthday GDPR!

This year we celebrated the third anniversary of the General Data Protection Regulation (GDPR) and our data protection laws, and I think it’s safe to say that the profile of data protection has changed a lot in those 3 years. But what impact, if any, has this had on the workplace?

One of the core aims of GDPR was to put the individual back in control of their personal data. So perhaps the most obvious impact is that employers are taking a much tighter approach to information governance and employee privacy rights, with many introducing policies on ethical business practice, and new structures around how they collect and use personal data, both of their clients and their staff.

But it is also important to remember that data protection is not a new concept. We have had data protection laws in Jersey for 34 years, and there have always been obligations on organisations to safeguard the personal data of their staff.

Many organisations will have already had robust processes in place to ensure they comply with the law, so for them there was little change. What we have seen is a greater acknowledgement of the law from smaller businesses, clubs and associations and the charity sector.

So in essence, the higher profile of data protection has probably led to a more compliant business environment in the main.

In terms of what hasn’t gone so well in that time, my own view is that there is still a lack of clarity on some areas of the law and how it can be applied. Data Protection Authorities seem to spend much of their time looking for case precedent and clarity form the European Commission on areas of interpretation and application.

And there are concerns that with nearly 6 billion connected devices around the globe, managing device security has not become any easier, and there are already concerns that the current GDPR is already out of date and not fit for purpose.

Personally, I don’t subscribe to those concerns in their entirety. Data protection law is designed to provide the framework for compliance and information rights. It is never going to address every eventuality. As I’ve always said, the technology and the methods of data processing may change, the fundamental principles of data protection do not.

‘The Workplace’

When I was asked to cover this topic, it made me think of the word ‘workplace’ in a lot more depth than I would have done just 18 months ago. With the events of the past 18 months the term ’workplace’ has changed dramatically – and is no longer restricted to just an office building in the traditional sense of where we go to work. The workplace can now quite literally be defined as ‘the place you go to work’. And it can look very different from the stereotypical office we normally call ‘the workplace’.

As most of us have experienced over the last 18 months, the home became your primary workplace as Covid forced us to be apart. As is the case right opposite my office, cafes are now becoming more frequent places to work from as well as social hubs and the train or plane might be a suitable workplace for those regularly on the move. And similarly, when travelling away, our hotel room serves not just as a resting place at the end of a conference, but also a temporary office space to catch up on all those emails and answer urgent calls.

Fundamental Principles

Wherever the workplace happens to be, data protection law still applies and the fundamental principles an employer should be applying also continue to exist.

Transparency and accountability are the cornerstones of data protection law. But in terms of employer obligations this means ensuring good communication and good governance pervades right through your organisation.

  • Do you have appropriately robust policies and procedures setting out the importance of data protection and how, as an organisation, you expect personal data of staff and clients to be used, stored, accessed or disposed of?
  • Do you have clear, transparent, easy to read privacy policies for both your staff and your clients explaining how you will treat their personal data and the purposes for which it will be used, or shared with third parties?

A little more difficult is the culture change aspect. We talk a lot about office culture, but solely in terms of privacy and data protection, culture is often something we don’t think about.

So it’s really important to understand how culture plays a part in your own data protection regime, and also how good information handling can help shape a positive culture.

  • As an employer, are you aware of what drives changes in behaviour in your workplace?
  • Do your staff understand and appreciate the benefits (to the organisation and to themselves) of looking after personal data well and treating it fairly?

It should go without saying that in order to do all of what I’ve mentioned so far, you have to know your data. What have you got? What are you collecting and why? How long are you keeping it for? How do you keep it secure and dispose of it? Do you share that data? And if so, with whom and where?

It never ceases to amaze me just how many organisations are missing this very basic fundamental principle. A simple ROPA (Record of Processing Activity) will map out all of the data you hold and answer all those questions. The simple fact is, if you don’t know what you’ve got, you cannot and will not be able to comply with the law.

The last point here is strong leadership from the top. As a regulator, we’ve always maintained that good data protection should start from the top. It is the responsibility of the Board and the Chief Executive Officers to set the right tone and lead by example, because if they don’t, then how can employees be expected to treat the subject seriously? Leaders need to understand their obligations, give the matter credibility and show the way.

 

*The second blog in this three-part series will be published on www.jerseyoic.org/blogs on Monday 23 August 2021.