Data Protection in the Workplace - Part 3

In the final of a three-part blog series covering Data Protection in the Workplace, Information Commissioner Paul Vane discusses Lawful Bases, the impact of Artificial Intelligence and Privacy during the pandemic.

Consent has been a hot topic throughout my data protection career and I doubt that’s going to change any time soon.

It surprises me how many organisations get so hung up and focus on consent, whether that’s specific consent for certain types of processing, or, as I’ve seen quite often in a number of organisations, a blanket consent applied to ALL processing activities they conduct. So, in other words, you can do what you like with all the personal data you hold because the staff member has ‘given their consent’.

But have they? Have they really given their permission? Remember that for consent to be valid it has to fulfil a number of criteria:

  • Freely given.
  • Specific – not freely given if it doesn’t allow separate consent for different processing.
  • Concise and intelligible.

So given the above, you can see that consent carries with it it’s fair share of issues and with all that in mind I would say that ‘consent’ is probably the last lawful basis for processing you should be using. And of course, there is another major reason not to rely on the consent condition, and that’s because with consent comes the right to withdraw that consent. If an employee withdraws their consent for you to hold certain personal data, what are you going to do?

Why not use some of the other lawful bases set out in Schedule 2 of the Data Protection (Jersey) Law 2018? For example:

  • Employment or Social Fields – Where the processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred or imposed by law on the controller in connection with employment, social security, social services or social care.
  • Other legal obligations – Where the processing is necessary to comply with a legal obligation (other than contractual) to which the controller is subject.
  • Avoidance of discrimination – Covers processing of information that consists of any protected characteristic as defined in the discrimination law, a person’s disability or a person’s religious beliefs.
  • It all comes down to being clear on the purpose of the processing and which condition for processing fits best. Consent should only be used when there are no other lawful bases available.

Briefly on the subject of Artificial Intelligence (AI), will AI be a job killer? Some commentators on AI would suggest it will be. But there is an equally strong counter argument that AI will actually be a job creator and enabler, helping us to work better and more efficiently, and also helping us do things we’ve never been able to do.

In terms of the uses of AI in the workplace, it probably starts right at the outset of recruitment, with more companies using AI to assist with recruitment and shortlisting. The law makes specific provision for automated processing activities such as these, but the truth is the issues lie much deeper than just the automated processing aspect.

One of the wider concerns around the use of AI in circumstances such as these is the issue of bias. At the end of every AI system or process is a set of ‘rules’ programmed in by a human. So, the big question is how do you avoid either conscious or unconscious bias creeping into AI systems that effectively select people on the basis of a pre-programmed criteria? There have already been a number of cases where allegations of bias and discrimination have arisen as a result of AI-determined decision making.

Where you might see more use of AI in the workplace is in places where the jobs are human labour-intensive, highly repetitive or subject of regular human error. Why would you have a human doing those jobs when that job could be done more effectively and efficiently by a machine, and the human resource can be better used elsewhere in the business? This is no different from what has happened historically where humans have made way for machines in the manufacturing industries into professional services.

To finish, I can’t write a Data Protection in the Workplace blog series without mentioning the recent impact of Covid-19. Of course, just because there is a pandemic doesn’t mean that privacy and data protection falls away. One does not trump the other.

What it does mean, is that as an employer, you need to consider a number of factors:

  • Security: Internet security, paperwork transportation, use of devices, breach reporting, access to laptops/computers/devices.
  • Videoconferencing: Is the platform you use safe and secure? What do they do with the data? Where is it hosted? Have you done your due diligence before selecting a provider? Do the other people on the call know you might be recording the session?
  • Staff communications: For example, can you tell your staff that a colleague may have contracted Covid-19? You may have Health and Safety obligations to comply with, but does that mean you essentially disclose special category (medical) data about a member of staff to the rest of the organisation? The same rules apply. The same can be said about collecting health data from employees about Covid-19 testing. Always think data minimisation and only collect what is needed.
  • Returning to the workplace: Considerations around returning equipment and devices, updates to policies and procedures regarding how you handle Covid-19 health data. How are you going to handle workplace testing? Can you share this information if someone tests positive?

The resource room on our JOIC website provides a wealth of guidance about all areas of data protection and my team is always on hand to answer any questions.