How does a return to work challenge societal behaviors?

By

Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.

4 minute read 5 Oct 2020

New "normals" have clear implications on future privacy and data protection policies.

In brief
  • The privacy challenges that arise from bringing employees back into a working environment must not be underestimated.
  • Privacy professionals say that employee health monitoring and COVID-19 data sharing are their biggest challenges in the foreseeable future.

A global health pandemic has no respect for borders, and organizations across the world are being confronted with a series of challenges in terms of working practices. Remote working – working from home – has rapidly become part of "the new norm" but has given rise to a new set of privacy and security issues. And however much working from home will likely form part of a more permanent employment strategy in the future, it is unlikely ever to replace working from a physical office in its entirety, and the "normal" that existed pre-COVID-19.

As businesses orchestrate a safe return to their "usual" routines, it is clear that life will be anything but "usual". The likelihood that employees will have to accept their health being tracked and monitored – with daily temperature checks as a minimum – has clear implications on future privacy and data protection policies, and the legal, moral and emotional impact that such policies may provoke.

Attitudes to privacy do appear to be changing.

Before the pandemic, the use and sharing of personal data by several social channels for their own commercial ends was the story that dominated the global media. Twelve months on and the focus has shifted to the more serious issue (most would argue) of sharing data to save lives and stop COVID-19 in its tracks. Indeed, early findings of a recent EY survey of over 1,900 global consumers suggests that altruism is emerging as a driving force.

EY Global Consumer Privacy Survey 2020

50%

of consumers surveyed say the pandemic has made them more willing to share their personal information, especially if they know it is contributing toward research or community wellness.

It is as though a new societal contract has been agreed upon, with people accepting that if everyone gives a little, the cumulative effect will be a lot. In restaurants before the crisis, for example, we could choose whether to leave our cell phone or email contact details in return for news on special events or offers. Now it is no longer about marketing. Today you may be asked about your health and the health of everyone in your party. In the short term, we may feel comfortable about this, but over time there will be concerns over how our data is kept and used, and doubtless comparisons drawn with living in a surveillance state.

All privacy professionals agree that employee health monitoring and COVID-19 data sharing are their biggest challenges in the foreseeable future.

And it is not just individuals who are concerned. Governments are also understandably grappling with the challenge. New rules are being formulated around anonymizing location data, for example, and on how contact tracing apps are being applied to exclude the further processing of data for purposes unrelated to COVID-19 management. But not all government health bodies are aligned.

COVID-19 data sharing

Imagine you arrive back at work, but before you are allowed to enter your building, your body temperature is measured, and you are required to fill out a health questionnaire to be shared with the company doctor. In France, CNIL (“Commission nationale de ("informatique et des libertés”) guidelines do not allow for temperatures to be taken, or automatic temperature measurement tools to be installed. In Spain, however, the AEPD (“Agencia Española de Protección de Datos”) does allow for such data to be recorded, as long as the tests are undertaken by a medical professional and the data processed in accordance with the regulation that it must fulfil the purpose of containing the spread of COVID-19.

If, by sharing data with other organizations or governments people can save lives and stop COVID-19, then the transaction – and the intrusion on their personal lives – is worthwhile. But people must be told of the true purpose of the data being captured and stored, and they must know that such data is safe.

Filling out a health questionnaire is similarly fraught with difficulties. Information related to the identification of contamination or symptoms - obtained via a questionnaire - constitutes health data for the purposes of GDPR. CNIL guidance, again, does not allow an employer to record such data; it can only be recorded by a healthcare professional. The main guidance from the Irish Data Protection Authority, however, says that it is possible for employers to capture the data themselves so long as they can demonstrate "strong justification" for doing so.

While governments may disagree on a unified response, no-one underestimates the privacy challenge of bringing employees back into a working environment. All privacy professionals agree that employee health monitoring and COVID-19 data sharing are their biggest challenges in the foreseeable future. According to a recent report by EY and the IAPP (International Association of Privacy Professionals) report (Privacy in the wake of COVID-19), 60% of employers are already keeping data on employees that have contracted COVID-19 virus and 19% have shared that data with other organizations or governments. 

A new value exchange

For the main part, people seem prepared to embrace this "value exchange." If, by sharing data with other organizations or governments they can save lives, then the transaction – and the intrusion on their personal lives – is worthwhile. But to succeed, trust and transparency will be critical. People must be told of the true purpose of the data being captured and stored, and they must know that such data is safe. Further early findings from the EY Global Consumer Privacy Survey 2020 reveal that security is paramount and non-negotiable for most consumers. Respondents say that security (63%), control (57%) and trust (51%) in the organizations they share their data with are front of mind.

There are many imponderables. Most of our often long-held beliefs, behaviors, and practices are being re-evaluated, and there are many huge practical, moral and ethical issues to confront. But confront them we must, for they are issues that are here to stay, and are part of a new fundamental societal discussion.

Summary

As COVID-19 restrictions ease and businesses return to their "usual" routines, it is clear that life will be anything but "usual", and the need for organizations to track employee's health will have implications on future privacy and data protection policies. This article discusses the acceptance of a new value exchange – if sharing data can save lives – and the changing attitudes to privacy in light of the COVID-19 pandemic. But it also warns that for this to be effective people need reassurance that their data is safe and secure.

About this article

By

Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.