Taking into account a significant impact of the coronavirus (Covid-19) – the large-scale transition to working from home – we have put together recommendations for employers on what to do in the ongoing emergency situation to ensure effective, secure and lawful teleworking. Put briefly, the applicable laws and regulations, including applicable data protection rules, require employers to adopt a set of internal rules that ensure compliance with the requirements established by the employer, the effective continuation of work and the employer’s right to verify whether work is being performed.
Adopt a clear set of rules on when the employee must provide health information to the employer
The first question pertains to when the employee should be asked to telework. In today’s crisis, it’s the coronavirus that is forcing employees to work from home. However, asking people to work from home is not a suitable solution for all employers. If the employer also needs employees at the place of work, the employer must assess whether to send the employee home or allow them to work. In making that assessment, the employer’s use of employee health data is inevitable. Data protection law imposes numerous requirements on how and under what circumstances the employee can be asked to provide their health data. You can read more about it here. In addition to asking about the employee’s health, it might also be necessary to enquire about the employee’s travel information and collect information regarding their family’s health. Furthermore, in case of on-location work, it might even be necessary to take the employee’s temperature, carry out tests or use the organisation’s cameras to oversee compliance with the “no handshakes policy”.
Regardless of the legal basis for the employer’s request for health information, it must be made clear when the employee is required to submit information about their state of health to the employer. The most pertinent solution is to impose a requirement to notify one’s direct supervisor when the employee shows symptoms of an illness, a person close to the employee exhibits symptoms, or the employee has come into contact with a person showing symptoms in Estonia or abroad. In the rules, it is relevant to reference the Health Board’s website, which lists the symptoms of the illness and mandatory rules of conduct.
It is important to inform the employees about the employer’s subsequent use of the collected health data.
Clearly inform the employees as to when they are expected to telework.
Every organisation has a specific work culture and way of working. Under the current circumstances, it would be reasonable to allow for teleworking either partly or fully where possible without completely halting the company’s operations.
While in most cases, it is the employee who wishes to telework or an agreement to that end is concluded with the employer, situations might arise in which the employee refuses to telework. In such a case, the employer has multiple options for protecting the safety and health of other employees, including, as a last resort, terminating the employment contract. You can read more about it here.
Establish a teleworking procedure for the employees.
The following is an example list of aspects that the employer should cover in the company’s teleworking procedure:
- Is the employee obligated to telework at a specific location/in a specific room?
- Is the employee obligated to inform the employer of their teleworking location? The aforementioned information could be important to the employer for reasons of cybersecurity;
- Is the employee only allowed to use devices provided by the employer, or is the use of personal devices also permitted?
- Is the employee permitted to use an open internet connection for processing work-related information, or are they obligated to use a virtual private network (VPN)?
- Does the information exchange between the employee’s location and the employer’s server have to be encrypted?
- What are the cyber hygiene requirements applicable to teleworking? If the employer has established an information security policy and other relevant policies, employees should be reminded of such policies (the Wi-Fi connection used for teleworking, automatic screen-lock of the computer, storing paper documents at the teleworking location, prohibition of storing electronic documents on the device).
- How is the employee’s occupational health and safety ensured (minimum mandatory working requirements)?
In the teleworking procedure, provide a detailed description of the employer’s right to monitor and verify an employee’s work.
Teleworking brings with it the employer’s need to “know” how the work is progressing and whether all security requirements are being complied with. The extent to which the employer’s verification and supervision are permitted depends both on the nature of the work in question and on the organisational culture. The rules of verification must be discussed with the employees and such rules must be established in writing.
It is important for the employer to ensure cybersecurity, protection of trade secrets and intellectual property, and compliance with data protection requirements. For these reasons, it might be pertinent to impose stricter information technology policies, e.g. by prohibiting the downloading of large quantities of documents from the server as well as printing them out.
Obtain an employee’s confirmation regarding their consent and their understanding of its meaning
If the employer and the employee meet face-to-face, such rules must be introduced to the employee, their content must be explained and a confirmation regarding the fact of having had these rules explained to them must be obtained from the employee. Under the current circumstances, a virtual “meeting” will have to do, but we also recommend introducing the rules via the document management system that the organisation uses or by e-mail where the employees are asked to confirm having familiarised themselves with the procedure in their reply.
Lastly, it is also important whether and how the rules are enforced when they are not complied with. In such cases, the Employment Contracts Act allows for agreeing on a contractual penalty, and demanding compensation for damage exceeding the amount of the contractual penalty. If this has not been stipulated in the employment contract, we recommend adding the contractual penalty and compensation for damage provisions to the teleworking procedure, and also agreeing on these provisions and adding them as annexes to the employment contract. In doing so, take into account the restrictions regarding contractual penalties under the Employment Contracts Act, according to which a contractual penalty can be established for:
- breaching a confidentiality obligation;
- violating a non-compete agreement; or
- refusal to commence work or leaving work without permission.
If the employment contract already provides for a contractual penalty and compensation for damage, we recommend including an explanation in the procedure regarding the fact that the provisions, the violation of which entails a contractual penalty, also apply in cases of teleworking.
You can also read our data protection experts’ blog on how and when to collect employees’ health data regarding the coronavirus – here, and other guidelines and helpful materials regarding solutions that can be implemented in the current emergency situation can be found here. General data protection guidelines can be accessed at: https://triniti.eu/practice-areas/gdpr/
If you have any legal questions pertaining to the emergency situation brought on by the coronavirus COVID-19, or you need assistance with drawing up the rules described in our recommendations, carrying out an assessment of legitimate interests or a data protection impact assessment, do not hesitate to contact us!