Data protection: how to protect your business with increases in recorded data

22nd April 2020

Many employees are now working from home and technology is playing a huge role in making this work. Senior leaders, managers and their teams are increasingly relying on video calls, messaging apps and other online platforms. Whether it is Zoom, WhatsApp, Microsoft Teams or another app, colleagues are making use of what modern technology has to offer during these exceptional times.

Whilst technology is vital to connect colleagues, amassing data on them in the process can expose employers to risk. Discussions that once took place at desks or in meeting rooms are now being recorded on video calls or being written in emails or instant messages. The content of these conversations can be highly confidential, from furloughing employees to carrying out disciplinary procedures and preparing for redundancies.

Although the informality of some of these platforms can make them feel private, they often will not be – for instance:

  • Where this data is personal in nature, it can be requested by employees under data protection law. This is referred to as a Subject Access Request (SAR) and it can cover personal data held on work and personal devices where it is relates to business matters. It can include all forms of recorded communications such as emails, videos and instant messages.
  • If an employee makes an employment tribunal claim, this information may also have to be provided as part of the disclosure process.

Top tips

  • Give employees guidance on expected behaviour online. It is important employees understand that messages and video calls can be disclosable in response to a SAR or tribunal claim and conduct themselves appropriately.
  • Ensure managers understand that their DMs and WhatsApp messages will be treated in the same manner as company emails. It is therefore important to be clear and measured in language.
  • There are many good reasons why certain discussions and matters should be recorded or written down, e.g. for record-keeping and to demonstrate compliance with your legal obligations as an employer. Make clear decisions about what will be retained and which should be routinely deleted. For example, it may be appropriate to retain sections of a board meeting as a minute of decisions, but not retain others.
  • Consider consolidating decision-making records into a single point of reference. Once you are clear you have documented everything which should be retained, it will be easier to identify excessive information.
  • Any information already held which is excessive and not required should be securely destroyed or deleted. If you then receive a SAR, the pool of data you will have to consider for disclosure will be considerably smaller, and it is far less likely to contain information you would prefer not to provide.
  • Consider which conversations should take place by telephone, rather than video call.

Related Blogs

View All