GDPR for HR | The gig economy, DSAR tips and data protection abroad
Published on 3rd Oct 2022
Welcome to this fourth edition of our GDPR for HR newsletter - bringing you a snapshot of developments, cases and insights relating to privacy in the workplace
Deciphering Data: our monthly hot topic
GDPR in the gig economy
Disputes over working conditions in the gig economy – work characterised by short-term contracts or freelance work rather than permanent employment – have become increasingly prominent in recent years. Gig economy workers have complained about a range of issues including pay, job security and a perceived lack of employment rights. These issues have predominantly stemmed from gig economy workers being labelled as self-employed.
The self-employed label is one which these workers have frequently sought to dispute through legal challenges across the industry. There has also been an increased use across the gig economy of monitoring technology aimed at tracking productivity and enabling employers to make streamlined decisions based on gathered data; for example, Deliveroo recently encountered controversy where it used an algorithm to determine its workers' priority to access delivery time slots. A number of workers have even found themselves unable to continue working as a result of decisions made by tracking algorithms. One of the key issues with these algorithms is that factors influencing decisions are often unclear, both to the individual workers and users.
Gig economy workers have begun to utilise their rights under the GDPR (for example, the right to access their data) to both challenge their self-employed status and to gain a better understanding of how their employers use their data to inform any automated decisions. Information gathered using the GDPR has led to challenges being brought against employers by unions and other worker representative groups when practices have been uncovered that are in breach of employment and data protection laws.
We expect to see further use of employee data protection rights across the UK gig economy as workers become more aware of the potential to challenge their self-employed status in this way. Employers operating in the gig economy sector should be aware of the possibility that they will have to deal with large volumes of subject access requests at short notice, and their staff should be trained in how to recognise and respond to such requests.
In respect of automated decision-making (ADM), the GDPR already requires that employers conduct impact assessments where they use the kinds of automated systems used in the gig economy. Given the consequences that such systems can have on workers, it is likely that we will see increased protections being implemented to ensure that any automated decisions are fair and transparent. The EU is currently seeking to implement regulations which would obligate employers to inform gig workers of any ADM systems in operation, and it is possible that the UK could implement similar requirements on businesses in future, with this being an area of concern for the Information Commissioner's Office (ICO).
In the news
Data Subject Access Requests: ICO tips
In a recent blog post, the ICO has set out some common pitfalls organisations fall foul of when responding to Data Subject Access Requests (DSARs), as well as some tips explaining how organisations can avoid such pitfalls. DSARs are frequently used by employees against their current or former employers where there is a dispute. The ICO's guidance in this area is therefore useful for ensuring that your processes for handling employment DSARs meet the desired standards and for avoiding related complaints being made to the ICO.
The ICO has indicated that the key themes they encounter in the course of dealing with DSAR complaints include:
- Delay. The ICO states that individuals frequently complain about long wait times to obtain requested copies of their personal data. Although delay sometimes cannot be avoided where a request is particularly complex (for example, where a large amount of personal data is held by the organisation), requested data should be disclosed as soon as practicable and any delay should be communicated to the data subject once any complexity comes to light.
- Relationship breakdown. A lack of response from organisations regarding queries or updates throughout the DSAR process has also been cited as a common issue.
- Trust. The ICO states that individuals often do not trust what they are being told by organisations. Again, this can often be mitigated by clear communication throughout the DSAR process.
- Understanding. Frequently individuals are not being adequately informed about their rights or the DSAR process, which leads to a lack of clarity. It is important that organisations provide a clear explanation of the process that will be followed once a DSAR is received to avoid these situations.
The tips provided by the ICO to mitigate these issues focus on having clear communication with individuals throughout the DSAR process. Communicating effectively ensures that you understand any concerns your employee may be having about the process and allows you to explain the process that you are undertaking to obtain their information internally. This dialogue can also narrow the scope of the DSAR request and build trust with your employee.
If you would like any assistance or advice on handling DSARs, please get in touch with one of our GDPR for HR experts or click here for more information on our DSAR offering.
Osborne Clarke round-up
Distance working: data protection issues
A study has found that more than half of UK employees have flexible working arrangements in their current role. This is likely to lead to increasing demand from employees seeking to work from abroad as the need to have a physical presence in the same jurisdiction as their employer will continue to decrease. In our recent article, we discussed some of the tax implications of allowing employees to work from abroad. It is equally important that organisations bear in mind the data protection considerations of any employees working from abroad where they seek to grant such requests.
Employers seeking to implement a policy that enables employees to work from another country must first ensure that they are not in breach of any data protection laws in doing so. Of particular relevance here will be restrictions on data transfers and data security. Employers need to be confident that they are permitted to transfer any personal data to and from the particular jurisdiction in which their employees reside.
This should be of particular concern where there is or will be any remote access to personal data by self-employed contractors working from abroad (as the ICO has indicated that they are less concerned about transfers to "employees" internally). Adequate data security will also need to be in place to ensure that any personal data being transferred to overseas employees or contractors is not at risk.
Your IT teams may need to conduct a review of any hardware or software being used by any overseas employee or worker to ensure that it meets the required security standards. Employers should also be aware of any local data protection requirements in the jurisdictions in which their employees are located, as this could impact the standards of protection that they are required to meet.