Data Protection of Employees: Best Practices for Filling the Void in the GCC

Abstract

In the GCC region, some jurisdictions already have data protection legislation in place that addresses the data protection concerns of employees. However, the need is to also address the requirements of those GCC countries that do not yet have specific data protection legislation in place. Until national legislation is drafted, companies are advised to incorporate best practices in order to be well-prepared. More importantly, companies should use this opportunity to build a culture of privacy within their organisation, build trust with their employees and create a better work environment by placing employees at the forefront of their policies. This will, in turn, enhance the image of the company’s brand and go a long way in attracting and retaining meritorious employees.

  1. Landscape of Data Protection Laws in the GCC

Currently, the Dubai International Financial Centre (DIFC)[1], Abu Dhabi Global Markets (ADGM)[2], the State of Qatar[3] and the Qatar Financial Centre (QFC)[4] have their own data protection specific laws or regulations. These regulations are generally consistent with data protection laws from other developed jurisdictions (specifically, the EU Data Protection Directive 95/46/EC). They apply to specific types of personal information relating to identifiable individuals and set out obligations requiring that personal data be processed fairly, lawfully, securely and for a specified and legitimate purpose. They also contain restrictions on data transfer from within the jurisdiction to places outside. The most significant point to note about the respective data protection provisions is that they are applicable only to activities within those jurisdictions, or to transfers from that jurisdiction to places outside the jurisdiction.

More recently, the Kingdom of Bahrain enacted Law No. 30/2018 with respect to Personal Data Protection (PDPL) on 12 July 2018. The PDPL is the main data protection regulation in Bahrain and it came into force on 1 August 2019. While Oman does not have any dedicated law on data protection,[5] both Oman and Qatar have laws relating to e-commerce which contain provisions relevant to data protection. Oman’s Electronic Transactions Law (Sultani Decree 69/2008) and Qatar’s Electronic Commerce and Transactions Law (Law No. 16/2010) relate to e-commerce and electronic signatures but go beyond these domains to include specific provisions relating to data protection. Sector-specific data protection regimes in the GCC region, for example in the telecommunications sector, require telecommunications service providers to conduct their business activities with due regard to the privacy rights of their customers. However, data privacy or protection of personal data is increasingly being addressed across various pieces of legislation, be it the national law of the GCC countries, the law of each Emirate or the law of the Free Zones.

  2. Addressing Employee Data Protection Concerns

Employers collect and use employee personal data (previous, existing or prospective) for various purposes, including recruitment, benefits, salary, personnel files, sickness records, monitoring and appraisals, personnel reports and severance. Employers may have to collect employee data in order to comply with employment law obligations or to protect employees. In dealing with employees’ personal data, employers should always consider any obligations under the national law or under laws of free zones that apply to the situation.

Typically, the employment contract between employer and employee includes a provision stating that the employee consents to the employer using his or her personal data. Often, the employment contract does not simply direct the employee to the employee handbook or a data privacy notification that explains in more detail how personal data collected about employees will be used by the employer.

The purpose of this article is to provide a set of ready-to-implement best practices that employers can follow in the absence of a data protection law. Care has been taken to refer to the EU law—the General Data Protection Regulation (GDPR)—while drawing up these best practices, but they may also be found useful in the jurisdictions of the DIFC, ADGM or the State of Qatar, albeit with some adjustments as per their respective pieces of legislation.

  3. How Employers Can Ensure a Lawful Basis for their Employee Data Processing Activities

Employers should, as a matter of practice, always place reliance on one of the following grounds for processing employee personal data:

  1. The employee has given consent — Although obtaining the consent of the employee appears to be an easy solution for processing employee data, it is recommended that it be avoided. What is also important to bear in mind while relying on consent as a legal basis is that employees may feel pressured into providing consent to the use of their data because they may fear that a refusal would have a prejudicial effect on their employment. Therefore, employers are advised not to rely solely on consent other than in cases where a subsequent withdrawal of consent would not be problematic. It is important to recognise that the processing of employee data may be unlawful or unfair under national or specific law even if the employee has consented. An employee may have consented to the collection of a particular piece of personal data, for example, even where a national or specific law stipulates that consent cannot be given for this type of processing. Alternatively, the consent given may involve the collection of data that is disproportionate to the purpose the employer is pursuing. Consent should effectively be a measure of last resort to which an employer turns only when absolutely necessary.
  2. Processing is necessary to fulfil the employment contract between the employer and the employee — Certain processing of employee personal data by the employer is necessary in order to fulfil the employment contract. For example, to pay the employee, the employer must process the employee’s name and bank details. Similarly, by virtue of using the employer’s communication system, certain information about the employee may be captured and processed by the employer.
  3. Processing is necessary for compliance with a legal obligation to which the employer is subject — Specific laws may place specific obligations on employers that require the processing of employee data. For example, an employer is usually required to provide details on salaries to the local tax authorities.
  4. Processing is necessary for the employer’s legitimate interest — In many cases, an employer will be able to rely on the legitimate interest ground to process personal data of employees. For example, when an employer carries out a structural system change to migrate employee data from an old payroll system to a new one, this is likely to be processing on the basis of legitimate interest.
  4. Can Employers Process Sensitive Employee Data?

Sensitive personal data on employees would include data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data or data concerning health or sex life. In the event sensitive personal data of the employee is collected and processed, the employer must ensure that it complies with national employment laws in this area. Some jurisdictions prohibit the processing of sensitive personal data, even where an employer obtains consent from employees. The extent to which sensitive employee data can be processed depends on the applicable employment or labour law. An employer may also resort to relying on the explicit consent of the individual, but again, this option should be an employer’s last resort, because of the difficulties inherent in obtaining the valid consent of an employee in an employer-employee relationship. It is strongly recommended that employers carefully examine the grounds available under local law, including any relevant employment rules that apply.

  5. Best Practices that can be Applied to Your Business
  1. Providing notice — As a part of best practices, it is necessary to provide appropriate notice to employees in addition to having a lawful basis for processing personal data. The notice should clearly set out the use of the data and inform employees of the purposes for which the data is to be used, whom they may contact with queries, and what their rights are in relation to the data. Employers can choose to do this through an employee handbook, or have it enshrined in the company’s code of conduct through a specific primer provided to new employees, and can also make it available on the company’s intranet. This primer must be kept up to date and subject to periodic reviews, and employees should be notified when any new purpose is added. Care should be taken that the notice provides the required level of detail so that employees can understand the purposes of the processing, the legal basis, what the legitimate interests are when that ground is relied upon, the recipients of their data, where the data will be transferred to, and for how long their employer will be retaining their data.
  2. Storage and retention of personnel records — The journey of an employee’s personal data records commences the day an individual applies for a position with an organisation. Typically, a wide spectrum of activities, from onboarding, recruitment, records of sick leave and medical certificates, medical insurance, salaries, appraisals and performance evaluations to severance, involves the sharing of employees’ personal data. The rule of thumb for ascertaining the storage and retention policy for employee data is that the employer has a legitimate reason to retain that employee’s personal data for as long as the individual is in employment with the employer. However, once the employee has left that job, these reasons are likely to diminish, unless there is an obligation under a national or special law to retain employee data (e.g., taxation or labour law). One aspect that will still have to be taken care of is that personal data retained following the exit of an employee must be securely archived, such that access to the data is restricted to specific human resources personnel and is only possible under the requirements of the aforesaid special law.
  3. Monitoring employees at work — An employee spends a substantial part of his or her life at the workplace. In such a scenario, it is imperative that the employee does not lose the right to privacy in the workplace. Since, at the same time, an employer has legitimate rights to operate its business and to protect the company or organisation from any rogue actions of employees, the employee’s right to privacy must be balanced against the legitimate rights of the employer. Some guidance is provided below in this regard:
    1. Background checks — Background checks can operate on a host of levels, from verifying a prospective employee’s educational background to checks on past criminal activity and, most recently, checking a person’s status on social networking websites, to name a few. It has transpired over time that data breaches or related untoward incidents are most often caused by human error rather than technical error. It is often a routine practice to outsource such background checks to third-party vendors. Employers should be extremely careful to follow data protection principles, to rely on lawful bases for processing data, including any applicable special employment laws, and to ensure that the third-party vendors also honour data protection rights and provide security safeguards while undertaking background checks.
    2. Employee monitoring — Employee personal data generated in the workplace should still be used by the employer in accordance with data protection rules. An employer should also comply with relevant local employment laws and any specific rules that relate to the privacy of electronic communications. An employer may decide to monitor its employees for a number of different reasons, including employee use of employer equipment or suspected unauthorised activity. Any personal data on employees collected through monitoring activity must be held securely and accessed only by those within the company who have a legitimate reason to view it, such as those deciding whether the employee has breached company policy or the law. Such data should be deleted when there is no longer a need to hold on to it. Of course, there may be a business need to retain it. One example where a company might have a need to retain data would be the case of an employee who is dismissed due to information obtained through monitoring, and the former employee then challenges the dismissal. If an employer wishes to carry out workplace monitoring, it should ensure compliance in particular with the following core data protection principles:
  • Necessity — The employer must be able to demonstrate that the monitoring is necessary.
  • Legitimacy — The employer must have lawful grounds for collecting and using the personal data and, if appropriate, sensitive personal data, and the processing must be fair.
  • Proportionality — Any monitoring that takes place must be proportionate to the issue that the employer is dealing with.
  • Transparency — The employer must clearly inform employees of the monitoring that is being carried out.
    3. Unlawful monitoring by the employer — Workplace monitoring that involves the collection of sensitive personal data is extremely difficult to justify, and it is recommended that such monitoring be avoided since it could also be unlawful. It may also be unlawful for employers to access the private communications of employees if such emails are marked as private, even if they are received through a work-related email account. Failure to comply with the rules can lead to serious consequences for the employer, including fines and/or criminal prosecution.
    4. Bring your own device — Many employers permit their employees to use their own personal devices, such as laptops, smartphones or tablets, for communications in the workplace. An employee may therefore choose to integrate their work email onto their personal device so that they use one device for both personal and work communications. The phenomenon of “Bring your own device” (BYOD) creates data protection compliance issues, since the employer remains responsible for any personal data processed on the employee’s device for work-related purposes using the work email settings. However, the device also contains information about the employee’s personal life that an employer would not usually have a lawful reason to access. Yet the employer has good reason to seek strong protection over the device, given that it holds data that relates to the employee’s working life. Additionally, in the hands of the employee outside the workplace, a mobile device is vulnerable to being lost or misused. Ideally, companies that allow BYOD in the workplace must establish a BYOD policy that explains to employees how they can use BYOD and what their responsibilities are. The policy should also clearly state where the data processed via the device is stored and what measures must be taken to keep the data secure. It will also be helpful if scenarios such as the exit of an employee or the loss of the device are envisaged and provided for in the policy.
  6. Best Practices When Providing Information to Employees

It is strongly recommended that employers design and formulate policies through which systematic and periodic dissemination of information to employees is ensured, while also educating them on crucial aspects. Some illustrations:

  1. Company email and internet policy, which should describe in detail the extent to which employees may use communication facilities owned by the company for personal communications.
  2. Where the employer has expressly allowed the use of the company’s communication facilities for private purposes, such private communications may, under very limited circumstances, be subject to surveillance—for example, to ensure the security of the information system through virus checking or ransomware prevention.
  3. Details concerning any surveillance measures undertaken: Who? What? How? When?
  4. Details of any enforcement procedures, outlining how and when workers will be notified of breaches of internal policies and be given the opportunity to respond to any such claims against them.
  7. Guidance for Monitoring E-mail

It is encouraged that the following be disseminated to employees:

  1. Whether a worker is entitled to have an email account for purely personal use, whether use of webmail accounts is permitted at work, and whether the employer recommends the use, by workers, of a private webmail account for the purpose of accessing email for purely personal use.
  2. The arrangements in place to access the contents of a worker’s email—for example, when the worker is unexpectedly absent—and the specific purposes for such access.
  3. The storage period for any backup copies of messages. Information that concerns when emails are definitively deleted from the server.
  4. The involvement of workers’ representatives in formulating the policy.

  8. Guidance for Monitoring Internet Use

Employers should clearly delineate conditions in which private use of the internet is permitted while at work, as well as specifying material that may not be viewed or copied. These conditions and limitations should be explained to workers along with some practical illustrations.

Employers should provide employees with information about the systems implemented both to prevent access to certain sites (social media etc.) and to detect misuse. The extent of such monitoring should be specified—for instance, whether such monitoring may relate to individuals or particular sections of the company, or whether the content of the sites visited is viewed or recorded by the employer in particular circumstances. Furthermore, the policy should specify what use, if any, will be made of any data collected in relation to who visited what sites.

Where the employer detects any misuse of the employer’s IT assets by an employee, the employer should notify the employee immediately of such misuse, unless there is an important reason that justifies the surveillance continuing without notifying the individual.

  9. Building a Culture of Privacy

As mentioned in the preceding paragraphs, some jurisdictions already have data protection legislation in place that addresses data protection-related concerns in employer-employee relations. However, the need of the hour is to also address the requirements of GCC countries that do not yet have specific data protection legislation in place. Until national legislation is drafted, companies are advised to incorporate the best practices recommended in this article in order to be prepared. More importantly, companies must use this opportunity to build a culture of privacy within their organisation, build trust with their employees and create a better work environment by placing employees at the forefront of their policies. This will, in turn, enhance the image of their brand and go a long way in attracting and retaining meritorious employees.

Author: Tripti Dhar

[1] DIFC Law No. 1/2007, amended in December 2012 and January 2018 and supplemented by the Data Protection Regulations.

[2] ADGM Data Protection Regulations 2015.

[3] Law No. 13/2016 on Data Protection.

[4] QFC Data Protection Regulations, issued 17 October 2005.

[5] Sultani Decree 101/1996 Promulgating the Basic Statute of the State recognises an individual right to confidentiality in all forms of communication, but does not specifically recognise a right to privacy.

In association with Moore, UAE
