May 2021

Lucy Lewis: Hello, and welcome to the Future of Work Hub’s ‘In Conversation With…’ Podcast. 

I’m Lucy Lewis, a partner in Lewis Silkin’s Employment Team and in this podcast series, I’ll be hosting exclusive discussions with innovators, business leaders and thought leaders to explore their perspective on what the future of work holds. The pandemic has accelerated longer term, societal, economic and technological trends, giving us a unique opportunity, a once in a generation challenge to re-think who, how, what and where we work and today we’re going to explore our technology megatrend; we’re going to look at the perspective of data privacy to identify what are the challenges in that area for the future of work. 

Data privacy has become a really important trust and reputational issue for business – that’s because there’ve been a lot of high-profile data breaches and of course, the introduction of the GDPR. But alongside that, the pandemic has been shaping our attitudes to data privacy; we’ve been having to make significant trade-offs between things that we consider established freedoms and our health, our wellbeing, our safety, and so, the implications of that and how long the impact of that might last are the sorts of things employers are having to think about as they look ahead to the future of work. So, to talk to me about that today, is our guest speaker Alexander Milner-Smith. Alex is a partner and Co-Head of Lewis Silkin’s Data Privacy Group. Welcome Alex.

Alexander Milner Smith: Thank you very much for having me Lucy and hello everyone.

Lucy Lewis: So, Alex, you’re a Data Privacy practitioner, you’re totally at the forefront of this evolving field to data privacy and we know that’s got huge implications for how we work now but particularly about we might work in the future and I talked a bit about the pandemic; we will come back to that but what I’d like to do is just put that to the side for one minute and think about some of the trends that you were seeing emerging even before the pandemic;

uk data privacy

What are the kinds of trends that we’ve been seeing in data privacy over recent years?

Alexander Milner Smith: Yeah, that’s a very interesting question and as a first point, very apt as we’re discussing the future of work; data for a long time has been focused on the marketplace as it were, on consumers and B2B, 100m, 300m, 1 billion data subjects but recently everyone has realised that data is very much everywhere, including in the workplace, so workers are more aware and interested in how their employers or their engagers are processing personal data about them and equally, their employers and their engagers are more interest in mining, using, exploiting – whatever term you might wish to use – the data that they have on their workers to improve collegiality, performance, engagement – dare I say it, possibly even look at disciplinary issues and so on. So, that duality of interest can produce and is indeed producing and probably will continue to produce conflict as well as progress and innovation. So, one example of conflict; data privacy has progressively been viewed as a human right and something that is just expected as a human right in the workplace, as other human rights are. Indeed it’s listed as a right in the EU Charter of Fundamental Rights and of course, the right to privacy generally is in the European Convention of Human Rights and of course, the Human Rights Act.

On the other side of the coin, we’re obviously seeing employers and engagers exploring new technologies in the workplace, most relevantly artificial intelligence. We, at Lewis Silkin, must get one or two queries a week about artificial intelligence in the workplace in terms of monitoring or use of biometrics, but new tech brings new challenges from a privacy perspective as it challenges both GDPR and UK GDPR compliance, but also pushes up against ethics and human rights, so if a business gets it wrong, it can have a significant impact on employee and worker experience – trust can be eroded, and once it’s gone it’s hard to get back; you talked about trust Lucy in your intro and I know we’re going to talk about trust a bit later, so I’ll leave it there for now, but a second big trend that I have seen and frankly what’s really struck me over the last six to eight months is the rise of data imperialism from the European Union and what I mean by that is the European Union attempting to widen the reach of their data rules through judgments such as that that came in July 2020. I won’t go into that now – we could do a whole hour or two on that, but broadly the Court of Justice of the European Union has almost demanded that data can only be transferred outside the European Union – the countries that essentially have the same rules as the European Union. So, the EU wants to be a rule setter for the whole world in terms of data and this is interesting and is difficult. We all know that the standard maxim that the ;’US innovates, China imitates and the EU regulates’ – whether that’s true or not, the question is for the EU “is the regulation fit for purpose?” and when we think of AI, do we need over-regulation from a European perspective or do we need more of a common law outcome style of regulation as we might be more used to in the United Kingdom and in the United States?

The EU’s already made its own call with its very recent AI Framework paper which sets out very, very onerous potential future laws on AI. The question is what will the UK do? What will the US do? And I think it will be fascinating to watch how this develops over the next two/five/ten years and it could have a direct impact on the workplace, bearing in mind the prevalence of AI solutions across the board. I could see in ten years’ time workplaces in the UK and the US for instance looking very different to workplaces in the EU.

Lucy Lewis: That’s fascinating.

artificial intelligence in business

Looking at the AI in the workplace, I wonder if you can share just some broad thoughts about the kind of innovation in AI you see in the workplace and you talked about workplaces might look different in ten years’ time; the kind of things that you think we might see if the regulatory environment allowed for it?

Alexander Milner Smith: I mean we’re already seeing AI now and it will just be building on that I suspect. So, we’re seeing at a very low level use of biometrics and facial recognition technology for security – that’s quite common in the UK now but that’s actually a nice example of the dichotomy between the UK and Europe; it’s rarely seen across Europe because EU regulators really don’t like that, whereas any of us who’ve been to an airport – probably not recently Lucy, but in the past – we’ll have occasionally seen at Gatwick and Heathrow those trials of artificial intelligence in terms of facial recognition and we’re seeing some of our clients talk about that in terms of workplace use. 

But we’re seeing it also come up a lot in monitoring; monitoring can be a totally pejorative word and I don’t mean monitoring in a negative sense, but we’re seeing certain data loss prevention tools employing artificial intelligence to maintain a vigil over potential loss of confidential information, people preparing to compare and compete and so on. So, those are the kind of things that I think we’ll see more and more of. I also think we’ll see more and more AI in relation to recruitment; we’ve advised some clients on AI, in terms of AI being used to sift through CVs, to search for various key words and so on; we’ve also had a look at certain solutions using AI which try to help with tax status and IR35 pieces, so really the world is your oyster in terms of AI and one of the beauties of new tech is, although I obviously deal with tech on a day to day basis, I can’t even imagine what’s coming in two years/five years, let alone ten years, but it will probably look very different.

Lucy Lewis: And I said we’d come back to the pandemic, so using that as an opportunity to because of course, we wouldn’t have anticipated ourselves being in this position 18 months ago;

Impact of the pandemic on data privacy

I said at the beginning that my assumption had been that the pandemic has changed attitudes towards data privacy – do you share that view? What do you see as being the impact of the pandemic on data privacy?

Alexander Milner Smith: I think it’s going to have an absolutely massive impact Lucy. The main points, as you alluded to there, have just been the shifting attitudes, both in terms of what I discussed earlier in terms of greater awareness of data in the workplace, but also in terms of the processing that is happening now that frankly never would have happened before, so for example, if we were having this conversation in April 2019 – it’s obviously April 2021 now for those that are listening in ten years’ time – if you’d have asked me in April 2019 if we could process temperature data or vaccine data or medical test data as a matter of course, as opposed to the exception, I would have said, “very unlikely, I would not recommend it, this is high risk”. But now of course it is par for the course. 

The journey started broadly 12 months ago with holiday questionnaires which soon became pretty defunct didn’t they, but holiday questionnaires if you remember Lucy, ‘can we ask people where they’ve been on holiday?’ and all that kind of stuff, then general health questionnaires – “how are you feeling? How’s your daughter feeling?”, then temperature data – then temperature data not just in terms of taking your temperature when you’re at home but actually automatic temperature stations at receptions, then of course, Covid test data becoming more and more common through the public proliferation for free from the government, and now of course we’re moving on to – and I’d like to say the last phase Lucy but who knows – a ‘vaccination or not’ status data.

So, these are enormously intrusive data sets in some ways from a 2019 or very early 2020 mindset, but now both in the marketplace and the workplace are just all pervasive, everyone has accepted them, we’ll have to see how it develops in the marketplace – obviously hub and passports and so on – but from a workplace perspective, I think everyone has got used to being asked health questions very regularly to protect their health and the health of visitors and the health of other workers and the ICO I think has been fantastic throughout – the ICO being the UK’s regulator, the Information Commissioner’s Office – because they’ve offered very practical advice along the lines “we trust you as a data controller” – and that can be an employer or an engager, or indeed, a data controller in a retail space or a consumer space – “we trust you; if you need to do something and it’s proportionate, and you’re not just doing it for a laugh, you have a health and safety or a public health basis, then you can. Just make sure you’re transparent, you’re proportionate, you only retain data for as long as you need to, you keep everything secure”. That’s a very grown up and mature way to approach things and it is actually an apposite to some of the things that we have seen from certain EU regulations who have actively banned certain processing within the Covid health sphere, which obviously makes it very difficult from a workplace perspective to quite work out how you can keep your workers healthy and safe.

The question I think Lucy is how long will this type of processing continue and I can’t answer that question because I’m not a public health expert, but perhaps more interestingly is what impact has it had on the general perception of data in the workplace? Is it a temporary permission from employees or workers or will they forever accept more intrusion on their data and not just health data, but other types of data and we’ve obviously already discussed the rising interest from employees, from workers in how their data is processed and home-working monitoring practices, so for instance the use of surveillance and analytic technologies is one example where I don’t think the fact that an employee or worker will accept intrusion on their health data means they will accept such intrusion everywhere. In fact, there was a very interesting survey from Yougov recently, where it found over half of workers wouldn’t accept a job where tracking was used to monitor, but I imagine that if you had asked them “would you accept intrusion on your health data to protect both your health and your co-workers’ health?” they would probably would have said “yes”.

So, it’ll be an interesting dynamic just to see how that plays out over the next 12/18 months as the pandemic – fingers crossed of course – dies down and just as a final point, with the rise of home working, we have seen more and more emphasis on information security; we’re communicating now Lucy through our VPN – many, many organisations have duo factor authentication and so on, and employers and engagers are trying to work out how to ensure that data remains secure and we, at Lewis Silkin, as you know, have had lots and lots of questions not just on home working but on non-home country working, so I think that’s something that the pandemic has may be accelerated; I think home working has been on the increase for the last five/ten years; we’ve probably moved ten years forward in the space of one year and that raises data issues that aren’t going to go away in terms of information security.

Lucy Lewis: And the health data particularly is really interesting; I do want to come back to that but before I do, I’m interested in this idea of tracking and surveillance and home working because lots of businesses are at that point in their Covid or pandemic journey and having to think, “well what does the return to work look like?” and I talked about trading off established freedoms;

monitoring employees

I’m interested in whether really the future means we have much greater freedom about where we work but the trade-off for that is a greater degree of surveillance or tracking or remote oversight of what we’re doing – do you think that might be the future?

Alexander Milner Smith: I think it could be true. I think that’s a nice way of putting it Lucy. I’m not best placed to talk about how necessarily employees might take that, but from a very dry compliance perspective, I will start there and then get a bit more exciting! You know, it’s all about having a lawful basis and some monitoring is allowed as long as it’s proportionate and then it’s all about being transparent and limited dissemination and limiting access to those who need to know. 

So, if within that new paradigm, Lucy, of home working and even non-home working, a business needs to engage in extra or additional or more wide-ranging surveillance to ensure security of data, to ensure its workers haven’t gone into a jurisdiction where they’re not allowed if it’s a non-home working example, and then that theoretically could certainly be proportionate – it could be lawful monitoring, it could be lawful surveillance and as long as the business, the engager, the employer, however you want to frame them, are being transparent then I do think that that will be permissible under data laws and from a more broader human rights perspective. So, then it’s just a question of how will that be taken by employees and workers and I’m not sure about that. I know later on we’re going to talk about how to engender trust, and so I don’t want to pre-empt myself but I think that the employers and engagers that do that best, will be those that don’t just take a unilateral decision on that but bring their workers with them on a journey.

Now, you will know better than I that there are obviously formal ways to do that through works councils where you are mandated to talk to them about that, but even in the context where you don’t have a works council, I think it might be a foolish employer or engager who is thinking about putting in place new tech or survey or monitor employees, for no doubt valid reasons, but who doesn’t take their employees on a journey, their workers on a journey through transparency, through town halls, through clear FAQs, through clear and truthful and honest explanations about what the limits and boundaries of that monitoring are, because what we’ve seen from case law over this year – and I won’t mention any names and indeed, ICO investigations that are still ongoing and I really won’t mention any names because I don’t want to call out anyone because these investigations are still ongoing and in some ways, some of these companies have been very unlucky – but where we’ve seen problems are where people have done things where they haven’t taken the employees and the workers on a journey, they haven’t been transparent, and frankly, Lucy, also, some of the monitoring might be considered by some – I’m only saying this as a heuristic, it doesn’t mean that I actually think this – but some people might have thought some of the monitoring was a little bit creepy, so we always have this battle in data and I do, it’s not a legal term, but I probably use it every week, ten times – if something feels creepy in the marketplace or in the workplace, it’s probably something that shouldn’t happen. 

So, those are kind of a few points for people to think about. 

Lucy Lewis: Yeah, and actually, it’s a perfect segway back to what I wanted to talk to you about in relation to health data, because health data, but actually what you’re talking about in relation to whether something feels creepy, it goes, this idea, that actually data privacy it’s not really just a legal issue – it’s also, as you say, a trust issue, it’s an ethics issue and as part of this podcast series,

building trust in the workplace

one of the things that’s really interested me is how often the word “trust” comes up when we start talking about the future of work; how important it is in retaining employees, in incentivising employees, in recruiting employees and I am really interested in how you drive this culture of trust in data – so respect and trust within your organisation for data privacy whilst at the same time recognising that innovation is a critical way that we can meet the demands that are going to be placed on workforces of the future.

Alexander Milner Smith: Yeah, so trust is absolutely crucial. I mean you can be slightly non-compliant in what you’re doing, you know, you might not have crossed every T and dotted very I; but just to go back to what I was talking about before; if you have got the trust and you have been transparent with your employees and workers, you’re so far ahead in terms of avoiding – obviously I’m focused on legal risk, I appreciate we’re being a little bit more intellectual on this Podcast and thinking about other things – but you know, if you can bring those employees on a journey and they trust that what you’re doing is honest and you’re being transparent with them, it can be an enormous boost to them believing in you as a company and believing in the way you process their data and I imagine, although I’m no expert in this and it’s more your area, but it will help with generally ER issues, it will help with morale and worker behaviours, and obviously the way I come to trust and look at trust is through the prism of compliance with data rules but I like to, when I talk about dry UK GDPR, GDPR compliance with clients, I like to try and put it through just the general prism of transparency; transparency is crucial – why wouldn’t you be transparent? If you’re trying to hide something, that’s when you’re not going to be transparent, so be transparent about everything you do – tell employees and workers what you’re doing because then they will trust you because they’ll see everything under the hood, they will trust the monitoring as we were talking about it before, that you’re doing because they’re seeing everything that’s happening, they’re seeing that you’re using some AI – tell them how the AI works, tell them as far as you can how the formulae work, what decisions are being made because then they will believe in the process more. 

Similarly, I’ve mentioned a number of times today already proportionality – proportionality and necessity are absolutely crucial to engender trust; if you are an engager or an employer that collects vast data lakes of data on employees that you keep for years and years and years for no reason whatsoever, then you might need it at some point in the future that you can’t work out why, that is never going to engender trust; whereas if you are thinking about all the processing you do of employees’ data through the prism of necessity and proportionality, while being transparent, you are then already miles ahead from a trust perspective and of course, keeping data secure is absolutely crucial. You might have built up all this wonderful trust, but it only takes a momentary lapse of concentration, a moment of non-encryption of a document, sending an email to the wrong person, deciding not to spend £100,000 on additional security that year which then results in an incursion in your system which results in 10,000 payroll data details being hacked and sent around the dark web, then you have lost trust forever. So, those three things – transparency, proportionality and security – very, very boring, very, very simple, but if you do all that, you are going to be so far down the line of engendering trust in the workplace and no doubt that will help with employee relations and so on. 

I’ve mentioned it already before, but the crucial thing that I always talk about with clients is just to involve employees from the start in any project. That will involve a material element of processing data, so if – just to carry on the theme – if a client listening to this or an engager or an employer listening to this is thinking in the next two/three years “we are going to have put in place some kind of extra surveillance technology to ensure that we can keep our data safe as it travels round workers’ homes or around the world” – don’t spend a year developing that without engaging employee reps and talking to them about what they think will work, what they think the boundaries are of acceptability, because it might seem like a hassle, but what it means is that the end product, for want of a better word, that you have, will be one that is trusted by the workers and employees that you need to trust it to avoid complaints.

Lucy Lewis: Thank you Alex, that’s really, really helpful and practical advice. I’m going to finish up with a question that I’ve asked everybody on this podcast series, and that’s

The future of work

what you personally think is the biggest and most radical change for the future of work that we will take forward with us from the pandemic?

Alexander Milner Smith: Thanks Lucy, that’s a very interesting question. Not to repeat myself, but going back to the first question that you asked me, I just think the rise of innovative technology will continue in the workplace; be that with enhanced surveillance techniques, use of AI will be all pervasive – in fact our Data and Privacy team at Lewis Silkin have been upskilling themselves on AI with a series of courses and the number of potential utilisations and uses that there are in the workplace or the marketplace are quite astonishing considering in some ways how simple AI can be, but I think Lucy, what we should do is in ten years we should have this discussion and see quite what kind of workplace we’re living in and what kind of processing is happening of our personal data, and then we’ll see whether I’m right!

Lucy Lewis: We will see indeed. Thank you very much Alex. Alex has contributed to other discussions, particularly around trust and our Data Privacy team have also put a number of different materials on data privacy on to the Future of Work Hub so if you’d like more information please visit www.futureofworkhub.info.

Thank you Alex.

Alexander Milner Smith: Thanks Lucy, very good to speak to you.