The Agenda

Pay Attention Episode 15: Data privacy and pay transparency - an unresolvable conflict?

Lewis Silkin


The EU’s Pay Transparency Directive is about shining a light on salaries; the GDPR is about keeping personal data under wraps. Put the two together and you’ve got a legal paradox: employers are asked to build a glass house, but only if the blinds are firmly drawn.

In this episode, Tom Heys and David Lorimer are joined by Lewis Silkin partners Bryony Long and Ben Favaro to unpack the real tension between transparency and privacy. From pay reporting obligations that bump into data minimisation, to the risk of identifying individuals in “anonymous” averages, we explore how these two regimes collide, and what employers can do to stay on the right side of both.

Pay Attention Episode 15: Data privacy and pay transparency - an unresolvable conflict?

 

Tom Heys: Hello and welcome to Pay Attention, a regular podcast coming to you from the Lewis Silkin offices in London. I'm Tom Heys.

 

David Lorimer: And I'm David Lorimer.

 

Tom Heys: And once again, we've gathered around the table to talk about all things pay transparency.

So today we are going to be exploring a paradox. While pay transparency and the PTD is all about shining a light on salaries, pulling back the curtain, letting people know what's really going on, data privacy and the GDPR on the other hand is about drawing the curtain shut, locking the door and politely asking you to forget what you just saw.

 

One of them is saying, here's your payslip, stick it on the fridge and swap photocopies in the canteen. And the other one is saying, shred it, wipe the hard drive, deny all knowledge. It's Europe's very own Schrödinger's cat. So everyone's salary is both simultaneously private and public until HR opens the box. And so this is the real tension: you can't make transparency work without data, but you can't use data without privacy. So how can we make it all work?

 

Luckily today we've got two people who are perfectly placed to help us untangle this mess. Bryony Long and Ben Favaro, both partners here at Lewis Silkin. Hello to you both.

 

Bryony Long: Hello. 

 

Ben Favaro: Hi, both.

 

Tom Heys: And I should add, listeners, that my Pay Attention co-host David Lorimer is also a card-carrying data nut. So while the PTD may be David's current obsession, it's not his first. First there was the GDPR, but now he's fully smitten with pay transparency.

 

David Lorimer: Yes, no topic too geeky for me, Tom, as you know, although I am now fascinated by whether Schrödinger's cat is in fact European in the first place. But let's move on from that and hear from our experts. Thank you for joining us. I guess let's just start by picking up where Tom left off on setting the scene. The Pay Transparency Directive is really all about transparency and openness. It should be a surprise to no one. And that might give rise to some concerns. Obviously, it involves processing of quite a lot of small-s sensitive personal data. So, I mean, what do you see as the biggest issues and the biggest bits of the GDPR to navigate as a starting point here?

 

Ben Favaro: I think one of the primary focuses should be making sure that you have in place a lawful basis for sharing and using data when complying with the directive. So, the GDPR, it's not inherently conflicting with this directive. The GDPR is set up in a way that allows for the sensible, responsible use of data for legitimate purposes. So, provided that the employer can always point to a legitimate purpose for sharing data or using data to comply with the directive, I think they're going to be in clear water.

 

Bryony Long: To add on top of that, I think, obviously having that lawful basis is absolutely key. But I think there is this sort of inherent sort of fairness point and making sure that, to the extent you are doing it, you're doing it responsibly, you're doing it with data subjects in mind, but obviously being mindful of your legal obligation. And you're doing it, you know, in a way that is going to cause a kind of minimal harm. So you've just got to be thoughtful about how you do it. I don't think there is a one-size-fits-all. I think each organisation is going to have to think carefully on a case-by-case basis, taking a number of factors into account. So, it's going to be what fits best for the organisation.

 

Ben Favaro: And I think minimisation as well is another key theme here. It's linked with fairness, it's linked with lawful basis. This directive will clearly involve a lot of quite sensitive data being thrown around, and I think it's imperative on employers to make sure that the data is being used in as minimal a way as possible.

 

David Lorimer: And perhaps one of the things actually that unites this pay transparency legislation and the GDPR and how it plays out in the workforces more generally is really this idea of culture. So part of the purpose of the PTD is to kind of break the taboo around pay discussions, change the culture in workplaces to a more kind of sharing culture. But actually, there is something to be said for how that might vary. Bryony, you've already said that the approach might vary from organisation to organisation depending on how transparent they've been in the past and even to be in the future. But also it might well vary from member state to member state in terms of quite how rigorously they want to apply principles like data minimisation versus the idea of open sharing. Is that fair?

 

Bryony Long: Absolutely. And I think it is one of these things where people do obviously have a right to a private life. It's not even a sort of, you know, this is a kind of principle that's entrenched in our law. It's not just a GDPR point. And I think that there is a cultural shift between different organisations, different jurisdictions as to what can be shared. Certainly, the organisation that we work for is quite open about who gets paid what because of the fact that spines are publicly available, spines being our pay spines that are all publicly available to employees. So in our culture, it might not be, or our firm, it might not be as abhorrent a thought to people sharing actual salaries, whereas there are other organisations where actually you really don't want other people to know because it might breed unhealthy competition, it might breed distrust, it might breed all sorts of other harms, that even though that's not the intended purpose of what this directive's been trying to achieve, it ends up being a knock-on side effect. And I think that's when we're looking at data protection issues.

 

For me, it's about, first of all, always allowing the data subject to be in control of their data and knowing what rights they have in it. But it's also about mitigating harms and making sure that if you're going to be using their data, you always do it in a way that is not going to harm them or at least cause the least possible harm. And so I think, as I say, it so depends on the culture of your organisation and the nature of your organisation and the nature of the work that you do, which means that at the beginning, this one-size-fits-all approach, unfortunately, is just not going to work. And likewise, we always get the question asked, you know, what are other clients doing? What's market position? I just don't think there's going to be quite the same ability to be able to advise like that on this particular issue.

 

Ben Favaro: Cultural attitudes can change as well in time. So, there might have been a culture of more secrecy and more of an expectation of privacy when it comes to salaries, but this directive is in place to change some of those attitudes. This implied right to, or this inherent right to privacy in the workplace does exist, but it's never been absolute. There have always been legitimate ways that right to privacy in the workplace can be basically infringed on by the employer.

 

Tom Heys: So let's get into some of the detail of the Pay Transparency Directive. Let's talk about the reporting and the disclosing and the explaining of gaps by category. So, what specific measures could employers take to mitigate the risk around the identification of individual employees, either to workers themselves or employee reps interrogating the data? So here there's lots of categories of employees and you're looking at the average pay of women compared to men, and in some of those categories it's highly likely that there might be a very small number of employees, so big potential to identify specific people. So, what can employers do to mitigate the risk around that?

 

Bryony Long: I mean, it is one of those million-dollar questions when it comes to kind of anonymisation. I mean, obviously, the key thing is to try and make it as anonymous as possible. That is incredibly difficult to do when you've got small data sets or data sets where it's pretty easy to work out even if there are a number of people, you kind of roughly know what sort of level of job someone has and therefore you can expect sort of what their pay could potentially be, and so there is this ability to infer or link. So, it's actually incredibly difficult. With a large data set, it's much easier, but with small data sets, it's actually incredibly difficult, I think, to really fully anonymise it, given the availability of other information.

 

Ultimately, if you can anonymise it and do your very best to anonymise it, you know, that is, and when you're sort of looking at the data and how you're splitting it, if you can do it in a way where you divide it between men and women or certain job roles. But the problem is that organisations are going to, you know, everyone is set up very, very differently. So again, there's not this sort of one-size-fits-all. But I think if you're not going to be able to anonymise it, then, you know, there are challenges there.

 

And then I think you have to then look at your kind of data privacy impact assessments, you're going to have to look at trying to mitigate it. It's a bit of a tricky answer without seeing the data set right in front of you to be able to say exactly how to do it.

 

Ben Favaro: And there might never be a silver bullet to actually ensure anonymisation. It might be that the outcome is that there is some risk of identification available, but I think employers need to weigh up also the benefits of this directive and what it's trying to achieve versus the impact on individuals that might be impacted by the sharing of data.

 

David Lorimer: Yeah, I mean, it's a really good point. And obviously, you know, kind of what we go to as legal advisors is the worst-case scenario. So, the idea that, for example, someone makes a request to exercise the right to pay information, they might be in a category of two, one man and one woman. And in the course of complying with that request, you have to, in theory, provide to that person or to some worker representatives the pay of each of the people in that category. That is just transparently disclosure of individual pay information. And I think you've absolutely hit the nail on the head. We've really got to think carefully about that. And actually, we sort of start to come back to implementing legislation and keeping a really close eye on that because really, what organisations in our experience want to do is have a single playbook for compliance with every aspect of the directive. In theory that works. But if there is one member state who says, for example, the way that we're going to solve this conundrum is to say that you never have to comply with that right if you have five or fewer people in a category, and another member state says, well, actually, if it's a small category size, you just disclose it to the labour inspector, for example, you're not going to want to adopt that more permissive approach in the country that's taken a less permissive privacy approach, I think. So, probably it's one for monitoring and changing your approach per territory, is that fair?

 

Ben Favaro: Also considering the admin hassle for the employer as well. I mean, those types of considerations, we find that with lots of aspects of data protection, particularly across multinational businesses, often we're encouraged to take a consistent approach to the extent that the law allows for administrative ease as well. So, I think that's another consideration employers will have.

 

David Lorimer: Yeah, good point. I mean, let's just war game that scenario where you have that category size of two and the implementing legislation says you've got to still provide that information. You know, we're outside of being able to anonymise it, Bryony, to your point. Are we just in territory where we need to be taking specific measures to mitigate? I suppose what's a flavour of what some of those might look like?

 

Bryony Long: I mean, again, it very much depends on the nature of your organisation and the pay that is being disclosed, who's being disclosed, the harm that potentially it could be caused and the missive. But I think ultimately, if you are acting reasonably, proportionately, obviously, as Ben said at the outset, you've got your lawful basis. You've been transparent about the fact that this is going to happen to data subjects. I think that's also really, really key. You do your document, well, depending on what you're relying on, I mean, to the extent that you were relying on legitimate interest, you would need to document your legitimate interest assessment. But even if it wasn't legitimate interest, I would still be documenting your decision process and the mitigation measures that you are putting in place, sort of like a, I wouldn't say a full-form DPIA, though some people might say a full-form DPIA is required, but certainly a document which we tend to call a kind of PIA, a privacy impact assessment, which is just a kind of, you know, what are the risks here? What are the mitigations? And you document those, you think about actually, well, you don't think about, you actually implement them. And if you get to the point where ultimately you're feeling this is just creepy, this is just going to cause harm that we can't mitigate against, then I think at that point you do have to have a serious question with yourself as to, you know, what's the lesser of two evils here, compliance or do we, you know, run the gauntlet? But only you as an organisation know that with all the facts in front of you.

 

So going back to your earlier point, David, I do think it is quite difficult to have a playbook each time. You can obviously have different principles that you can all adhere to when you're making your decision-making process. But I think the decision will ultimately depend on the nature of the data and the purpose and who you're disclosing it to. Because I think as we've sort of talked about sort of separately, you know, the people that are receiving the data are going to need to, you know, we're going to be very conscious of the fact that they need to use it in a way that is appropriate and proportionate and for the intended purpose, which is compliance with the directive. But there may be recipients who use it in other ways, to bring legal claims or to cause mischief. It's a completely different point, but we've seen with DSARs that most DSARs we get are from employees actually wanting to cause trouble and not because they actually really want the information. And I know this is a slightly different context, but again, you just need to make sure that you are very clear that when you are disclosing, you've got the right obligations on the recipients to ensure that they only use the data strictly for the purposes for which you have made the decision to disclose.

 

Ben Favaro: And I think, just to remind you, you know, someone bringing one of these claims or making a request for this type of information, this is probably the first time they're ever doing it. I'd go above and beyond as an employer. The employer might be very on top of its own obligations, its obligations to keep data secure, to only share it with a lawful basis. But I think really going above and beyond and reminding or directing the recipient of this information that they are only to use it for specific purposes provided under the directive. I'd be putting that in writing and really reminding them perhaps of the consequences of misusing that information.

 

Tom Heys: So, there's one group of employees who are going to get access to a lot of very specific information, the employee representatives. They have a big role in the Pay Transparency Directive. They've got to carry out the joint pay assessments where they're required, and they will get line-by-line employee data, very specific information where individuals will be able to be identified. And that information will likely include some sensitive things around leaves and, you know, lots of different issues that are very particular to individuals. So, what are the issues there around employee representatives and the data that they'll get access to?

 

Bryony Long: Well, I think for me, the big one there is security and the fact that they will be holding a lot of very sensitive information on their systems. So, the first thing that they need to be doing is making sure as an organisation that their systems are very, very secure. They do lots of security tests. They do lots of pen testing. As we know, nothing is completely bulletproof, but they will need to make sure that their systems are as bulletproof as they can be and should be making sure that they are not ignoring obvious warnings of intruders and that sort of thing, ransomware attacks. 

 

But actually, as Ben and I well know, when we talk about security, we obviously always talk about the headline-grabbing ransomware attacks that are going on and that are now particularly powered by AI. But actually, the biggest risk to security is the people risk. And we talk about it time and time again, about the fact that it's just basic technical and organisational measures that are just not in place that allow people to do things that probably most of the time are not deliberate. So someone could just get all of this data in an email. They send it off to someone, to the wrong person. They don't encrypt it. And then everyone has access to all this really sensitive data. So for me, the key thing that they need to be doing is looking at their sort of technical security controls, but then really training up their staff so that they know what the sort of organisational security controls they should be putting in place are, and just being responsible about data use, and then reminding them that, you know, they've got responsibilities and that they shouldn't be misusing the data. And, you know, it's very intriguing, I'm sure, to have copies of files of people's pay information and not to have a quick peek at it and do your own learning from it. But staff have got to be so disciplined about not doing that. I think organisations or employee rep organisations need to be very clear on the fact that their role is very limited to taking this information and using it in compliance with the PTD rather than for any other purpose.

 

Tom Heys: What about situations where employee reps realise they don't have all of the skills that they need to be able to really interrogate the data properly? So we've talked before about the type of analysis that will need to be done, with quite sophisticated and technical statistical analysis, regression, model selection, various different aspects. Where employee representatives know that they don't have the technical skills to be able to do this and interrogate the employer's data and they want to or they need to get some third-party advice, what can be done in that sort of situation to minimise data risks?

 

Bryony Long: Again, we do a lot of this. I mean, this is the same sort of issue you would have when you're getting any kind of HR payment contractor or payroll contractor or HR software tool, because you would always need to do really vigorous sort of vendor due diligence on them. Now, I'm not saying you should do vigorous vendor due diligence on employee reps, but you should be asking similar types of questions, particularly around their security, and you should be asking for certain contractual warranties or guarantees that they will only be using the data for the strict purpose for which you're sharing it. And ultimately, you should have recourse against them if they don't do that. I mean, ultimately, we can put all the contractual paperwork in place to tie someone up in knots, but if you have a mistrust of them or you don't think they're a reputable recipient of the data, then in that scenario you just shouldn't be sharing it, full stop. But obviously, with these sorts of things, you probably would think that they are going to be honest. But I would nevertheless have contractual paperwork in place, but do your risk assessment and make sure that you're comfortable that they are not using cowboy operations to store their data and that they are going to use it in a safe way.

 

Ben Favaro: And just a reminder, the employer is ultimately responsible as data controller for this information. This is their staff, they're responsible for the collection. It may be being disclosed for specific purposes, it may be being disclosed outside the business, but if something goes wrong, all eyes are going to be on the employer from the employees and there's not going to be much sympathy if the right safeguards haven't been put in place.

 

Tom Heys: So, remind us again then what potential risks we're talking about. The GDPR, what are the consequences of data breaches that the GDPR sets up?

 

Ben Favaro: The GDPR came in in 2018 and with it brought the potential for eye-wateringly high fines in the tens of millions or potentially higher, depending on the nature of the breach. So there's the obvious very high fines that can be imposed, but there's even more. There's other regulatory action. The regulators have lots and lots of power in terms of enforcement notices. And on top of that, private claims from individuals. I think we're seeing a little bit of an uptick in those types of claims and it's always risky territory. The risk is magnified the larger the workforce as well.

 

Tom Heys: So given then that the PTD doesn't contain penalties to nearly the same degree as the GDPR, do you think employers are going to be more likely to, you know, when all things are equal and they've got GDPR on the one side and PTD on the other side, you know, lean in favour of, you know, a more restrictive data approach given the potential massive fines there versus what they might have to do for the PTD?

 

Ben Favaro: I don't think it's always a numbers game, so fines are one consideration in terms of compliance, but there's so many other considerations, particularly as an employer, there's the relationship with the staff. So, I mean, as an employer, I'd want to be doing the right thing by my staff and basically trying to achieve both, keep people's data private and secure, but also complying with the transparency directive, which is, at the end of the day, intended to create a more fair and balanced remuneration for the workers.

 

David Lorimer: All really interesting thoughts. Just before we wrap up, one thing on that, that we've been banging the drum on in terms of PTD compliance is that all roads lead back to good communications and in particular, good training. Lots of people need to know lots of new concepts. Presumably, Ben and Bryony, you'll agree that training for people like managers who are rolling out some of these rights, reward team members who are at the coal face, worker reps and others, it's going to be really important to make data protection compliance an aspect of that training, yeah?

 

Bryony Long: Absolutely, when it comes to your Pay Transparency Directive compliance, you need to ensure that the people risk is mitigated, and the way to do that is going to be with really good data protection training. So absolutely you will need to ensure that data protection very much forms part of that training programme.

 

Ben Favaro: And preparation as well. Employees don't want to be thinking about these issues for the first time when they receive one of these claims or a request for information. I think putting the training in place well before a claim has come through, perhaps even investing some time into preparing some protocols. You've got lots of moving parts, as you mentioned, David, and you want everyone to be basically reading from the same playbook.

 

David Lorimer: Great. Well, that's a really good place to end. I've been really enthused by the idea, that we've talked about loads, that actually PTD and GDPR don't need to be at loggerheads and there is a way through. Lots of complicated individual organisation-based thinking to do, but happily we're all well placed to do it and we'd love to support clients through it. And all that really leaves me to say is thank you so much, Bryony and Ben, for joining us, and Tom, as usual. We'll hopefully be back in your podcast feeds before too much longer with some more exciting PTD updates, but until then, thanks for joining.