< Back

Share |

A mobile workforce: The HR and data protection challenges

April 2013

Over the past decade, there have been fundamental changes in our working habits, driven by commercial, technological and lifestyle factors. For a number of reasons, many employers now choose to arm their employees with the tools required to enable them to work from any location at any time. These changes have provided employees and employers with flexibility and freedom but the concept of a mobile workforce creates new risks and challenges to employers and their HR teams, particularly in relation to data protection obligations.

Practical considerations

Monitoring data protection compliance (including the monitoring of employee communications) where employees are office-based, is certainly not-risk free, as outlined in one of our other articles this month.

Clearly the employee's physical presence in the office makes compliance and monitoring of communications easier from a practical perspective so a mobile workforce creates significant additional challenges.

House keyThe use of mobile devices and/or personal computers at home or on the move, will inevitably complicate the process and increase the risk of data protection breaches. This is especially true where an employee is using a device or computer for personal as well as work related activities.

Some key issues for HR teams to consider in this context are:

  • Are the devices being used as secure as office-based computers?
  • Have appropriate checks been undertaken to satisfy you that the risk of data protection breaches is at an acceptable level, as compared with your office-based terminals?
  • Where breaches are detected by home-based or mobile employees, do you have specific systems in place which can be implemented with appropriate speed and effectiveness?
  • If employees use corporate-issued mobile devices, are there controls and policies to prevent them from installing their own applications?
  • If personal applications are allowed on corporate-issued devices, are you satisfied that they are legitimate and not malware?
  • Are employees travelling to other jurisdictions using their mobile devices? If so, have you considered the data protection implications?

PersonalThe risks and challenges become even more acute where employees are using their own devices for work purposes. These arrangements will inevitably result in an increased risk of third party access to sensitive corporate data. This is clearly more difficult to regulate and avoid as employees cannot be visibly monitored in the workplace.

If your business has adopted a ‘Bring Your Own Device’ (BYOD) policy, it is crucial that appropriate safeguards and procedures are put in place and clearly communicated to employees. Many questions arise in the context of BYOD including:

  • Are the devices shared with the employee's family members?
  • If so, what safeguards are in place to ensure data/confidential information is protected (for example passwords/encryption)?
  • Do you have a dedicated policy detailing the ‘do's and don'ts’ associated with BYOD?
  • If your employee has consented to monitoring of communications for work purposes, are you satisfied that an appropriate line can be drawn between work and private communications?
  • Does the device have a "private/work" switch function which can be used to draw such a line?

BYOD policies can work but it's important that employers remain tuned in to (and implement appropriate protections to deal with) the associated data protection issues, particularly protecting sensitive corporate data such as emails, critical documents and valuable intellectual property.

We expect that the often blurred line between private and work related activities will become an even more thorny issue in the context of a mobile workforce so it's crucial that business are one step ahead and have tailored policies in place which employees understand and acknowledge.

While the trend appears to be moving in the direction of increased mobility and flexible working, Yahoo! recently announced a requirement for employees to be physically present in the office. The stated aim was to ensure speed and quality of work and to facilitate collaboration between colleagues. Whilst such a requirement raises a number of significant HR and employment law issues, one clear benefit of this approach will be Yahoo!'s ability to centralise and focus the monitoring of data protection compliance. It remains to be seen whether more business will follow Yahoo!'s lead.

Location tracking and monitoring

ButtonMost business will already have employee monitoring policies in place, but with the advent of mobile workforces, an added issue arises around the extent to which location tracking can/should be used for monitoring purposes.

Data gathered from location tracking/monitoring should be used by employers solely for legitimate business purposes, for example:

  • to ensure legal obligations are being complied with, such as rest breaks and VOSA requirements for maximum driving periods;
  • to provide clients/customers with accurate information as to timescales for delivery of service or products, with a view to increasing customer service quality; and
  • to monitor employee compliance with the company policies and procedures (including in relation to data protection compliance and or breaches).

The key point to note is that, as a general rule, monitoring at work is considered to be highly intrusive, so before embarking on such a practice caution is required.

If any location monitoring is being considered by your business, it is essential that:

  • the monitoring can be justified (which will usually necessitate a privacy impact assessment listing the benefits of monitoring and the potential adverse impact on the employee);
  • the purpose of the monitoring is clearly identified as well as the benefits it will deliver;
  • consideration is given to alternative methods of achieving the objectives in question;
  • employees are made aware of and consent to the monitoring; and
  • monitoring applies to work related matters only to minimise the risk of privacy intrusion.

Setting aside the data protection issues associated with location tracking, it is essential that HR teams have the opportunity to assess the employee relations impact associated with any proposal to use location tracking. If such a practice is implemented, communication with employees will be crucial and must be handled sensitively to avoid damaging trust and confidence.

MarkQuestions will also arise where the results of monitoring could give rise to a basis for disciplinary action. In such circumstances it is imperative that HR teams are given the opportunity to consider whether or not it is lawful and appropriate for the relevant information to be used. We expect this will only be the case in exceptional circumstances where no reasonable employer could be expected to ignore the relevant information.

The next steps for an employer to follow if they are considering tracking and monitoring employees are:

  • develop a clearly defined policy dealing with the company’s rights to access and/or monitor employees activities and build privacy safeguards for the employee into the policy;
  • ensure the monitoring is not applied in a discriminatory manner;
  • disseminate the policy and update it annually;
  • inform employees when they will be monitored, how the information will be used and explain why they are being monitored;
  • determine whether you will agree to self-imposed restrictions on monitoring, such as not monitoring outside working hours; and
  • reassure employees that if they have any concerns, these should be raised with HR.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Mobile
Amy Sinclair

      

Laura Piper

Laura Piper      





Amy and Laura look at the HR and Data Protection implications of an increasingly mobile workforce, and how businesses can plan ahead.

"If your business has adopted a 'Bring Your Own Device' policy, it's crucial that appropriate safeguards and procedures are put in place and clearly communicated to employees."