As employees increasing skip the office and work in coffee shops or ‘coffices’, Tom Moyes, Partner at Blacks Solicitors LLP, looks at what employers need to know about the so-called workplace of the future.
Open-plan offices don’t work – there are too many distractions – and the workplace of the future is the ‘coffice’. That’s according to Dr Nicole Millard, an expert in data, analytics and emerging technology.
She predicts that employees will soon become ‘shoulder-bag workers’ carrying their offices in backpacks and working in coffee shops or ‘coffices.’ However, this can throw up any number of concerns for businesses, from confidentiality to data protection. So, what do employers need to know?
Background
Most contracts of employment now contain wording to some effect that expressly provides for an employee to not disclose confidential information or permit such information to be disclosed to third parties. The same goes for numerous policies that are often contained in Staff Handbooks. However, even if a Contract or Handbook doesn’t contain an express provision an employee will still be under a duty to not “shout from the rooftops”.
All employees have a duty to their employer known as the duty of fidelity. This is more commonly known as the duty of good faith. One of the major aspects of this duty is the duty to not misuse confidential information. Employees are to keep confidential any “confidential information” they learn in the course of their employment. So, in the context of the ‘coffice’ this applies and it means that employees shouldn’t be disclosing confidential information over their turmeric lattes.
But what can employees say and when?
There are some areas of the business that employees, workers and contractors and consultants are able to discuss fairly freely. In law, there are generally four categories of information, the first two are those generally accessible by the public, these being 1) information largely incidental to an employer’s business which is available from public sources; and 2) information that amounts to general knowledge and skill acquired by an employee during or prior to his employment.
The latter two categories are those not accessible to the public: category three constitutes “confidential information” and category four information deemed to be so confidential that it amounts to a trade secret. An example of the latter would be the secret recipe for certain products such as Heinz Tomato Ketchup or Coca Cola.
By and large, staff and consultants are well within their rights to publicly discuss information pertaining to categories one and two, categories three and four not so much. While the content of such information will depend on a case by case basis, personal data of customers and clients are likely to constitute private information attracting category three status if the information is not already in the public arena. Examples may include details of private expenses, lists of suppliers, price lists, details of future business plans etc.
Spilling the beans
Disclosure of confidential information, either purposefully or through sheer carelessness, will amount to a breach of the duty of fidelity which can be the basis for disciplinary action. Employers would therefore, be well advised to provide training for employees, consultants and workers to do their best to ensure they are complying with the policies.
If employees are making such calls, i.e. discussing confidential information in public locations, be it from a coffee house or elsewhere then discretion is paramount. Anyone making these calls should understand that they are expected to speak quietly and refrain from using specific names or identifiers until they can speak in a secure environment.
What about data protection/client confidentiality?
The well-known Data Protection Act 1998 will shortly be repealed and replaced by the General Data Protection Regulation (known as the GDPR). This new all-encompassing piece of legislation is now being rolled out across Europe and will come into the effect here on 25 May 2018.
The Government has just passed the Data Protection Bill 2017 which will implement the GDPR into domestic law. This GDPR is set to radically change the data protection landscape.
Under the current regime, employers are under a duty to comply with the eight data protection principles in relation to all personal data with respect to which they are the data controller i.e. information relating to their employees, clients, suppliers etc. These principles, to name a few, include the fair and lawful processing of data, ensuring that data obtained from employees and/or clients is adequate, relevant and not excessive and that data is to be collected for a specific purpose in mind. The sharing of such data is also regulated.
Often employers will have policies requiring staff to keep personal data secure against loss or misuse and failure to comply with this can often lead to disciplinary action. Working from the coffice should not affect the processing of data to a great degree however it may lead to unauthorised sharing of such data. This could result in a breach by an employee of their duty not to disclose confidential information and may carry the repercussions with it set out above.
Stolen material and equipment
In an office, the chances of anyone stealing your computer/tablet/smartphone (full of work information) are fairly low. In a coffee shop, they’re much higher. So, again, this is an issue that employers should consider.
Employers should include the appropriate policies into their Staff Handbooks and make it clear to their employees what the standards are that they expect in terms of securing any such device. Simple requirements such as never leaving a device unattended to and installing basic security software should be a pre-requisite to allowing an electronic device to be used for business purposes.
When devices are used for business purposes, the employer should place the employee under an obligation to protect the device from loss, theft, misuse, inappropriate access, modification or disclosure especially when the employee uses the device to deal with confidential or sensitive information.
An appropriate security and/or bring your own device policy can ensure that the electronic device is vetted prior to work being carried out and any confidential information is stored on it. By only allowing access to IT systems, work emails and databases after such an authorisation process the employer can keep tabs on what is going on with each device (including the ability to monitor whether it is really being used for business purposes rather than personal use during hours of work).
Password protected
Thereafter, other simple and easy to adhere to obligations may be placed on employees such as a requirement to make sure the device is password or PIN protected. Employers may even work into provisions into their electronic device policy permitting them to remotely erase data on the device if there is a data breach or the device (or its password) is lost or stolen. Despite the initial outlay for the software such a provision in the Staff Handbook can prove priceless in terms of protecting confidential information.
Act fast
The same goes for device detection and/or tracking or monitoring. An obligation on employees to immediately inform their employer of potential breaches of data and/or theft of a device by the end of the same working day; such a quick turnaround may allow the employer to act quickly and either track the device or destroy the data.
An employer can enforce failure to comply with such polices through disciplinary action including, where appropriate, revocation of access to company IT systems, suspension, dismissal and criminal prosecution (where applicable).
To really sharpen the senses, an employer can even include provisions that stipulate that disciplinary action may be taken whether the breach (or suspected breach) is committed during or outside of office hours and whether or not use of the device takes place at the employee’s normal place of work (wherever that may be).
