Sinead Morgan: Key legal considerations for remote working
Sinead Morgan, senior associate in the employment team at DWF in Dublin, sets out the key legal considerations for any company offering remote working to its employees.
Remote working, flexible working or homeworking? Whatever term you choose to use, the desire for, and drive towards, remote working is on the rise.
With the costs of office space ever spiralling and the requirement for some staff to travel as part of their role, non-office-based working represents a cost-effective model for many employers. Working from home can also make economic sense for employees, particularly those with families, as savings can be achieved through reduced commuting times, travel and childcare costs.
Arguably, improvements in technology also mean that employees can fully participate in the workforce from another location. On the face of it there appear to be limited barriers to a remote workforce.
However, as with most changes in work culture, risks can arise. From a legal perspective, the key risks of retaining a remote workforce fall into the following five categories:
Health and Safety
Under the Safety, Health and Welfare at Work Act 2005 (as amended) an employer has a duty of care towards his employees. This includes providing and maintaining a safe workplace, preventing any improper conduct or behaviour likely to put the safety, health and welfare of employees at risk and providing instruction and training to employees on health and safety. Strictly speaking, this means that an employer should carry out a risk assessment of an employee’s home office space when they commence working from home and at periodic intervals throughout their employment. In order to comply with their duty of care, employers can require employees to complete online ergonomic assessments. It is necessary to have a flexible or homeworking policy clearly setting out employers’ and employees’ obligations. This should include an obligation on employees to report risks and work-related accidents.
Employers are obliged to record working time information for each employee on a daily basis to include starting and finishing times, rest breaks, daily breaks and weekly breaks. This information must be retained for three years. The information can be recorded electronically or in manual form. This obligation is relatively onerous. Many employers may not have a system in place, nor the resources to implement one which will capture all data required. The difficulties of recording working hours for remote employees can present an even bigger problem.
Employers of remote workers should include clauses in employees’ contracts requiring them to record their hours to assist the employer in complying with their obligations under working time legislation. Those obligations should be repeated in a policy, which is rolled out to employees. These steps should assist employers in complying with their obligations under working time legislation. Given the practical difficulties in complying with the legislation and the rise in remote working, new and innovative methods would need to be considered by employers to ensure that they comply with their working time obligations regarding remote workers.
Since the introduction of GDPR regulation in May 2018, we have seen an increase in the reporting of data breaches. Data breaches can arise from the employment relationship in a number of ways, from the loss of physical data in transit to employees accidentally or deliberately leaking personal data. An employer will generally be held vicariously liable for the actions of its employees regardless of motive. The Morrisons case in the UK (EWCA Civ 2339) was a clear example of the liabilities that can attach to a company when a data breach is executed by a disgruntled employee. In both the UK High Court and Court of Appeal cases Morrisons was found to be vicariously liable for a personal data breach caused by the actions of a rogue employee. Morrisons has been granted permission to appeal to the Supreme Court, which will be its final chance to overturn this decision.
Ensuring security of personal data remains a key issue for employees. This can only be achieved by implementing a robust data protection policy and ensuring ongoing training of staff. If workers are based outside the office, extra measures may need to be taken. Additional security can be ensured by providing office laptops with access to encryption to staff who work remotely. It is vital that homeworkers are provided with clear training on their obligations to protect data both inside the home and while travelling. Measures should also be put in place in case of accidental loss, destruction or damage of devices containing personal data. Employers can also consider limiting access to more sensitive data, if this is practical. As a fall-back position, employers can consider investing in appropriate cyber insurance to cover the risk of data breaches.
Allowing employees access to valuable confidential information can be fraught with difficulties. The risk of loss or distribution of that data potentially escalates when it comes to remote workers. Some of those risks can be limited by implementing clear email and confidentiality policies and placing confidentiality clauses in employment contracts. Those policies and clauses should specifically address the risks which an employer faces with home workers. Policies should clearly define confidential information and set out employees’ duties to protect that information. Those policies should also provide guidance to employees as to how best to maintain confidentiality while working from home.
In facilitating employees in working from home there is a fundamental reliance based on trust that the employee will complete their work in a timely and effective manner. Feedback from clients is generally positive and on the whole productivity does not appear to suffer because of remote working.
Employers are entitled to monitor employees’ activities in the workplace within limits. This can be achieved through monitoring email, internet and phone facilities or putting CCTV in place. The extent of this monitoring must always be balanced against the employees’ rights to privacy. Employers should issue a clear Information and Communications Technology Policy to employees putting them on notice of any monitoring. This policy should cover the employees’ use of the company’s phone, internet and email facilities (to include use of social media). All monitoring must be necessary, legitimate and proportionate. If employees are permitted to use their own personal devices for work purposes, employers should have a policy in place allowing this use.
Given the Data Protection Commissioner’s robust stance on surveillance of employees and the ability of data subjects to lodge claims for non-material breaches of data protection legislation, employers would be well advised to carefully consider the necessity and extent of monitoring that is required before introducing surveillance of any kind into the workplace. Products are available to employers to facilitate monitoring employees working from home; however, any such monitoring would have to comply with data protection obligations and an employee’s right to privacy.
Feedback in respect of remote or home working is generally positive; however, proper care must be taken in relation to the above matters from a legal perspective. Employers should also reserve the right to amend a home working policy and oblige home workers to attend at the office on request. Employers should also be aware that if an employee works from home for an extended period, the right to work from home could become an implied term of their contract through custom and practice.