Legal Duties: Managing Employee Data & IT Systems

Within the working world, changing data protection laws have placed legal obligations upon the management of employees’ personal data - including the set-up, configuration and management of the IT devices, systems and services.

“Modern technologies enable employees to be tracked over time, across workplaces and their homes, through many different devices such as smartphones, desktops, tablets, vehicles and wearables. If there are no limits to processing, and if it is not transparent, there is a high risk that the legitimate interest of employers in the improvement of efficiency and the protection of company assets turns into unjustifiable and intrusive monitoring”

Article 29 Working Party - Opinion 2/2017 on data processing at work

In summary, employers having greater tools to detect or prevent the loss of both intellectual and material company property. They also have the ability to improve the productivity of employees and use technology to protect the personal data for which they are responsible (in terms of the organisation being a Data Controller or Processor).

Employer Vs. Employee: The Imbalance of Power

There is potential that this could result in a situation where employers have greater power in the use of employees’ personal data, creating an imbalance in the expectations of privacy for the employees. The law requires organisations to determine where these imbalances may occur and that mitigating actions are put in place in compliance with the obligations of the GDPR.

Concurrently to identifying any imbalances, organisations must also assess the risk of discrimination to their employees, as well as the risk of identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, and the wider requirements of managing the confidentiality of natural persons.

9ine's Work Fighting Against Cyber Fraud

Over the summer we have supported schools who have been at risk of fraud after suffering from various methods of cyber attack. This ranged from the more commonplace phishing attacks, to the quite unusual methods of sextortion - where a staff member is accused of accessing inappropriate online sites and held to ransom with evidence unless the attacker is paid in bitcoin. We have also helped with more complex methods of cyber exploitation, including a situation where every school computer had to be rebuilt because an employee’s inbox was compromised. This resulted in a PDF with embedded malware being sent to an internal all-staff distribution list.

Each of these incidents placed employees at significant risk, specifically with the case of sextortion, where the school and employee are notably forced into a difficult situation given the potential consequences of such activities (if they had been true). Given the circumstances of not doing so, it is more pertinent than ever that organisations like schools take steps to protect the data they process.

What the ICO are Saying

Within the past week, the ICO (UK Supervisory Authority) has made some very clear statements in the approach organisations should implement to be compliant with the law. Elizabeth Denham, the Information Commissioner said last week: “The loss of personal information particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” and that, “boards [senior management / trustees / governors] need to ensure that internal controls and systems work effectively to meet legal requirements.”

What Your School's Board Need to Do

All managing boards, from every type of organisation, need to have visibility on the processing activities undertaken by their own organisation on their employees, and how this might potentially impact upon them. Summarised from the Article 29 Working Party guidance on data processing at work, non-compliance with the following steps leaves you vulnerable to potential breach under employment law, in addition to a breach under data protection law:

1. Employers should configure their IT systems so employees have certain private spaces to which the employer may not gain access to, such as private document folders

2. Where an employer has chosen to use a cloud based system for employees to use, the employer must ensure there is an adequate level of protection to that data, if the data crosses borders to a third country

3. Employers cannot assume that a contract of employment is a suitable legal basis for processing anything other than the personal data needed to employ that individual. E.g, accessing an employee’s email or laptop without a genuine reason. Without a suitable policy and process, it could be seen to be a breach of law

4. IT personnel must not be solely responsible for, or have solely drafted acceptable use policies for IT systems and services without wider input

5. Monitoring of employees through IT systems or software, such as firewall / filtering (iBoss, Smoothwall, Sophos) and desktop (Securus, Visigo, Impero, Lanschool, Netsupport), should be restricted, with clear policies and DPIAs developed to justify the potential privacy intrusion of employee data. Clear responsibility (not just IT personnel) is required to manage and monitor the configuration, use and access to data these systems generate

6. Where systems such as those above exist, employers have a legal obligation to inform and educate employees of the functionality and potential intrusion of their personal data - being clear and articulate on the administration and management of those systems

7. Employers using those systems must consider the proportionality of the measures implemented, even if the legal basis is linked to safeguarding / child protection, and document what actions have been taken to mitigate or reduce the scale and impact of the data processing

8. Where new systems or devices are chosen, the employer must implement ‘Data Protection by Design’(Article 25 of the GDPR). This means the employer needs to understand how the system / device will be configured, how it will be managed, how the employer will gain access to the device / system, and how the employee’s rights will be protected

9. Organisations where BYOD is available, will need to undertake a greater level of assessment in the potential monitoring of employees (and students), in addition to ensuring corporate data is safe and protected when being processed via those devices. BYOD includes individuals using the organisational WiFi for internet access

10. An employee’s device does not have to be owned by them to be classed as a personal device. Some organisations have very low levels of configuration, with the employee using the device and storing their own personal data on it as if they did own it. Where this is the case, the employer needs to have specific policies, processes and procedures in the management and administration of that device, so as not to inadvertently interfere, access, or process the personal information on that device (regardless of the device being owned by the organisation)

12. Employers need to understand the types of processing undertaken by employees away from the organisation network (e.g at home). They must have in place proportionate security measures to manage the technical and organisational risks associated with this.

How Compliant are You?

In considering your compliance with data protection law and the impact of not doing so with employment law, how confident are you that your organisation has adequately assessed each of the above twelve points? To what degree can you evidence that level of confidence through metrics or a risk assessment? Would you know where to start, or how this should be documented and presented?

The obligations of the GDPR will have a material impact in instances of misconduct, disciplinary investigation, and grievance. Consideration needs to be given to scenarios where employees identify the organisation’s non-compliance with data protection law for employment or performance related reasons.

How Can We Help?

To understand how to assess your current compliance with data protection law, how to determine the technical risks of a data protection breach, and how to report to your board; book a meeting with us:

If you are ever affected by a cyber security attack, 9ine’s Cyber Vulnerability Assessments and Security & Systems Essentials provide your organisation with an overview of the risk profile of the school to a successful cyber attack. We can evaluate, investigate and remediate the impact of any cyber attacks or breaches you may have had.