INSIGHT ARTICLE

Data protection matters to consider when analysing commuter data

By Ben Seretny, Head of DPOs, The DPO Centre

The DPO Centre

The DPO centre has worked with clients across almost every industry – finance, life sciences, tech, third party utilities, and the public sector. We therefore know how multiple types of employers can manage the potential data protection challenges that can arise when they process employee data for items such as commuter analysis.

I’m therefore well aware of the range of considerations that can be high up on the list of employer priorities. So, over the course of this insight article, I hope to cover, in an accessible way, the key priorities for you to consider when you are looking at a shift in your approach to analysing and managing employee commuter behaviours.

DPDI Number Two

It’s firstly worth referring to the elephant in the room, which is the impact of potential forthcoming legislation changes within the UK and how this may affect our approach to processing all personal data. The potential legislation is the data protection digital information bill, known as the DPDI Number Two, which is currently making its way through Parliament. Currently, it’s still to progress through the committee stage, where we’ll probably get a better idea of what potential alterations might look like in practice as we deviate away from the UK GDPR.

Now, although this legislation has the potential to rewrite a lot of our current data protection framework, which was implemented by the UK GDPR, it’s still subject to a great degree of scrutiny and alteration. It’s a political hot potato as well and the title number two gives it away; it’s been withdrawn and reissued before, so speculating is unlikely to be wholly useful to you with your current data processing operation. So, this article will stick to the law as it stands today. Watch this space though, as we can revisit this article if the new law comes in and requires us to do so.

Analysing commuter data

Employers already act as controllers under the UK GDPR, so many of the steps required to handle employee data for commuter analysis are already going to be in place. However, they may need adjustment to incorporate this. You are unlikely to need to reinvent the wheel, but it’s important to understand which steps alight with the practices you already undertake, and how you can weave these new processing activities into the existing process.

With that, let’s move on to processing personal data in an employment context. In terms of the UK GDPR, ‘personal data’ is any information that could be related to an identifiable living individual. This includes common details such as names and emails but, in this context, it also includes postcodes and potentially any travel information that you derive from your analysis. In this instance, we’re clearly processing personal data and as an employer you are determining the means of this processing (e.g., to analyse the data), so we act as controllers. It’s also a standard process to use employee data in the employment context, to enable management oversight, performance reviews, payments of staff and so on, so this is just an additional use of employee data in an employment context.

A question that often arises with some clients is the notion of involving third parties to assist with commuter travel analysis or any other processing. As employers, it’s a wholly common practice to use external third parties to process certain elements of personal data on your behalf. We commonly outsource services for things like payroll, IT and pensions, engaging a vendor who will act as a processor (we, the employers, are controllers). When we enlist the assistance of a processor as a controller, it’s important to remember we do remain wholly liable for the acts and omissions of these third parties. As such, it’s the core obligation for us to conduct adequate due diligence to ensure processors understand their own obligations under the law and, equally importantly, that they can facilitate compliance with these and assist us with our compliance.

Engaging processors

Once you’re able to conduct your risk assessments and record your outcomes, you should ensure that appropriate data processing terms and contracts are in place, and they should ideally reflect with some detail the processing activities and risks involved. There are some mandatory terms that all processors must agree to prior to handling personal data on behalf of the controller, and these are clearly set out in legislation to make it easy for all parties. So, as a minimum, make sure that these terms are present.

If you want to judge how sophisticated any potential processors are with their data protection obligations, it’s always a good indicator to ask a few questions about how they would acknowledge each of these mandatory obligations throughout the duration of the processing. If you can open up a dialogue with them and run through what they have in place, that is probably your quickest shortcut to understanding if they know what’s upon them when they’re undertaking processing of your data.

Conversely, one of the core benefits of giving your data to a third party and listing a processor to undertake tasks on your behalf is that they should have specific and detailed knowledge of the main risks that are inherent to that area of processing. Therefore, you would expect specific and detailed approaches to recognising and mitigating these risks within their operations. And then, of course, ensuring that a third party has done this will help you comply with your obligations under the UK GDPR. Needless to say, the key to making all of this work effectively is to ensure that you are communicating with processors, understanding how they protect information, and then making sure you’ve got good pre-contractual discussions and a good assessment of existing policies, procedures and other controls.

How do you know if a processor is legitimate? You always have to run your own due diligence. For instance: Do they openly discuss how data protection is facilitated on your behalf? Are they transparent about their controls? Importantly, are they willing to engage with you and discuss these on request or do they just have a standing page on their website and don’t really want to correspond or deliver any further information?

Once you’ve run all of this and you’ve satisfied your due diligence, it’s always smart to review the contractual documents. Make sure that any of the representations regarding to their data handling practices and security, and how they manage compliance, are included in the written terms or referenced in the contract between the parties. Finally, ensure that the responsibilities and liabilities are understood and apportioned appropriately. At that stage, your vendor control is at a good initial point. All that’s left is to ensure you have audit rights and know how you’re going to action those to ensure that you’re monitoring throughout the whole of the processing.

Lawful basis: Think buckets!

You have to identify the appropriate lawful basis that you’ll rely upon for the purpose of processing your employee data. To simplify things, I was always told to think of these options as buckets. You have six available to you, and each of these buckets represent one lawful basis. If you cannot fit your processing into one of those buckets, it’s highly likely it is unlawful, which would indicate a breach of one of the key principles under the UK GDPR.

The six buckets are:

– The data subject has given consent to processing
– The performance of a contract… or to take steps… prior to entering a contract
– For compliance with a legal obligation to which the controller is subject
– In order to protect the vital interests of the data subject
– Performance of a task carried out in the public interest or official authority vested in the controller
– For the purpose of the legitimate interests.

Consent tends to come up quite commonly, especially in this context, as it’s certainly one of the better-known lawful bases. However, consent is not often an appropriate ground for processing in an employment context. It is tempting to rely on the simplicity of consent – it’s nice and binary, yes or no, it’s recordable, but it can be very difficult to substantiate the absence of coercion when any imbalance of power such as an employer-and-employee relationship exists. Any consent that you rely upon as your lawful basis must be, among other things, freely given. And, although we may often wish to tell our boss to go and jump whenever they make certain requests of us, in practice we’re likely to inevitably comply with their request. Therefore, any such consent is not given freely or perceived to be given freely whenever you’re under an employment contract.

Legitimate interests

Assuming that consent is highly unlikely to be the option that you would rely on, the most likely option is to rely upon legitimate interests of the controller – which would be you as the employer – and that’s providing that these legitimate interests are not overriding the rights and freedoms to our employees, who are data subjects.

Using legitimate interests as a lawful basis is essentially a balancing act. The way in which we assess the appropriateness of using this interest is to simply complete a legitimate interest assessment, three-part tests that examine the legitimacy of your purpose. It asks what you’re undertaking the processing for, which in this context is the desire to collect and analyse commuting information, fulfil your own sustainability interests, and the provision of benefits to those employees who commute to the workplace.

Secondly, we tend to look at the necessity of the processing. Basically, is there a substantially less intrusive manner of achieving our purpose by using less data, or a less risky method of processing? Could we reduce the risk in some way by limiting things like the scope of the data or how we secure the information, or any other controls that might be available to bring that proportionality balance back?

Finally, it’s important to check that your actions aren’t infringing the rights of, or causing harm to, any individuals. It may all sound a bit scary but if you’re already an employer you’re likely to be using legitimate interests to process employee data already. Commonly, this will be things like CCTV, security, web traffic monitoring, holding emergency contact details on behalf of your staff (and you’re not even likely to be asking all of their contacts for consent). So you would therefore simply undertake the same assessment and recording and provision of rights as part of your current compliance activities dictate.

Should you have not done these before, it doesn’t have to be overly technical at all, providing that you are detailed and candid about the elements above. And in fact, the ICO provide a really good template for you to record and evaluate outcomes, so the material is all there and the instructions are very simple. It’s just a matter of getting it down there and running those balancing acts properly.

One you’ve defined your processing, you would update your record of processing activity. You may be exempt from making a formal record of activity, depending on the size of your company, but still choose to complete documents as part of your compliance framework.

So again, the message is about weaving this slightly different collection and use of personal data into your standard compliance activities as they already exist. There are other assessments that you can utilise when you’re considering a new processing activity, but as the processing in this context is highly unlikely to create a large risk to the rights afforded to your data subjects under the law -and we’re not utilising a wholly novel technology to complete the activity – then the threshold for conducting the data protection impact assessment is unlikely to be met. But, if you already have an existing system in place, then I would continue to utilise it without deviation.

The absence of a necessity to run such an assessment doesn’t necessarily prevent you leaning on your existing practices to ensure you’re satisfied, prior to commencing any new processing activity. If your compliance team or your framework operate a standard approach to all new processing or vendors, which requires completion of a privacy impact assessment or a formal DPIA, you can easily wrap this form of new processing into your operations as you would any other. Once again, don’t necessarily deviate, just add it to the system you have already.

Transparency and employee rights requirements

Once you’ve started a new processing activity, you’re legally obliged to inform employees of the activity prior to processing. The standard, when relying on legitimate interests, is to notify as opposed to seek affirmative permission. Under the law, however, we must clearly state that we intend to rely upon legitimate interests to process the data. Equally, we need to state the presence of the employee data subjects’ right to object to that processing at any time. It’s essential that you consider how you would afford this right if your employees chose to object. Would you need to adapt any established processes?

There are minimum levels of information that you’re required to issue to your employees. Usually, this comes as an update to your existing employee privacy notice, including a description of the personal data you intend to use, the reason for the processing, the presence of any third parties receiving the data as part of the activity, and then the intended retention periods for the data. Those items, along with other details that you’ll already be providing in your privacy notice, constitute the minimum data to be provided to employees.

However, I would always very much urge for best-practice approach, which is to explain as much as possible regarding the use of legitimate interest activities. Not least of all, you should ensure complete transparency in the processing, which is one of your requirements under the UK GDPR, but do try and bring your employees along for the ride and empower them to understand, as best as possible, why their data is being used for a supplementary purpose. In my experience, when we’re looking at change, management and alterations of processing, this not only reduces the volume of objections – which obviously enhances the power and quality of your data – but also assists you with building trust with regards to employee personal data processing, which is incredibly important.

Once you’ve attended to all those matters (which you’d be doing anyway regularly with all your other processing activities), ensure you update all of your internal processes relating to things like subject access rights, what’s afforded to individuals, and how you will access and engage those rights. Potentially, you may also need to add or update breach management procedures if there’s new data being utilised, or another vendor. Finally, update any other policy or procedure where a change of processing activity or third party might alter your standard protocols.

Review your obligations

To illustrate how standard these adjustments would be, I often try to distil personal data processing change management into the ‘three As’. This is not an ICO thing, but my ‘Noddy’ way of explaining it to people. The first A is to assess – so complete all of your reviews, your due diligence, considerations of legality and proportionality, identify your mitigating controls, and anything else I’ve listed above.

Once you’ve assessed, you secondly advise. Ensure you consult with all your stakeholders and inform your data subjects of the processing. Also inform them of their corresponding rights and, importantly, how they can engage them.

Thirdly, you act. Once you’re happy with the above points, you start implementation. If you’ve thought it all through and aligned it with the existing processes, it shouldn’t be too much of a departure from what you’re already doing. With the ‘three As’ and a bit more detail, we ensure adequate lawfulness by correctly assigning and then recording our lawful basis.

Summary

When you rely on legitimate interests, you’ve conducted an appropriate legitimate interest assessment, recorded the outcomes, and then implemented any mitigations or scope reduction to reduce the risk. You’ve transparently notified employees with at least the minimum amount of information required, either as an update to an existing privacy notice or as part of the campaign to raise awareness of commuter activity. Those two go hand-in-hand together. Your purpose and data minimisation should have been addressed in your very candid legitimate interest assessment. And you’ve verified how you, potentially in partnership with any vendors, really ensure data accuracy and adequate security measures are implemented and maintained throughout the entire duration of the processing. Again, you will be reviewing your contractual controls, due diligence, and any necessary auditing.

Importantly, you have identified at the very beginning how you’re going to document each of those measures by way of assessment, record of processing, due diligence, contract policy, and notifications, to ensure you can demonstrate ongoing compliance. That’s the accountability principle there, the mock seventh principle. It’s also worth considering that staff receive any relevant training to ensure that they’re aware of any additional risks or responsibilities that might impact their process and operations in their role, and importantly, how they manage these.

Awareness and training are things that you can wrap into your existing awareness and education programmes that you’re either establishing or already providing as controllers. Once more, these obligations already exist for processing in any employment context. The data itself shouldn’t be sensitive in nature, and therefore the addition of commuter data analysis should represent a very manageable adjustment to your existing data protection practices.

You might also enjoy:

How to track modal shift through annual CO2e emissions on the Mobilityways Dashboard

Understanding Offsetting

Download your free Commuter Census Guide

You may also enjoy reading