Data Processing at Work: Resources for Data Protection Day

World Data Protection Day, observed annually on January 28, commemorates efforts to raise awareness about the importance of safeguarding personal data in an increasingly digitized world. It serves as a global initiative to promote privacy rights, emphasizing the significance of responsible data processing and protection.

Data processing is intimately involved with every aspect of daily life, including at work. The growing ubiquity and complexity of processing techniques, contexts, and scale, particularly the use of algorithmic management—and the increasing granularity and intimacy of the personal data collected—raises serious concerns for workplace environments. This necessitates heightened regulation and proactive measures to deal with violations of privacy as well as other related harms, such as economic risks (eg unfair dismissal and loss of within-job economic opportunities); physical risks (eg injury due to repetitive strain; illness due to stress); and psychosocial risks. Effective regulatory measures can also protect workers, managers and organisations from ‘bugs’ in the software systems they build or buy—the dramatic consequences of which have been most recently on display in the UK in the recent return to the headlines of the tragic Horizon/Post Office scandal.

On World Data Protection Day, we at iManage—Sangh Rakshita, Six Silberman, Halefom Abraha and Jeremias Adams-Prassl—bring back our annual selection of resources that deal with issues of data protection and privacy at work. This compilation of resources is aimed to help raise awareness on issues around data processing, surveillance, and algorithmic management at workplace from a data protection and privacy lens. These issues, along with their interrelated challenges, are explored weekly in our Algorithms at Work Discussion group, held in a hybrid format. If you are interested in participating, please don't hesitate to get in touch (ai.work@law.ox.ac.uk).

Reports and Policy Documents

1. Christina Hießl, ‘Case Law on Algorithmic Management at the Workplace: Cross-European Comparative Analysis and Tentative Conclusions’ (2023)

This is the most comprehensive report available today that takes stock of cases on algorithmic management in the workplace in 11 European countries as of April 2023. It provides an analysis of 13 judgments and five administrative decisions, as well as references to pending and settled cases. The analysis includes all cases in which algorithmic management and decision-making were used in the employment context and claimed or found to have violated labour law and/or privacy protection.

2. Amba Kak and Sarah Myers West, ‘AI Now 2023 Landscape: Confronting Tech Power’, AI Now Institute (2023)

This is a comprehensive report analysing the landscape of adoption, use and regulation of AI across various sectors. While the report pays special attention to policy interventions aimed at large tech companies, it dives into issues of worker surveillance and algorithmic management with robust policy recommendations to tackle the same.

3. Artificial intelligence and employment law, Commons Library Research Briefing, (2023)

This research brief not only explains the ways in which algorithmic management is being adopted across workplaces but also looks at the challenges from the lens of common law, data protection and privacy law, and equality law, and places it in the context of AI regulation debates in the UK.

4. Guidance on AI and data protection, ICO (Updated 2023) and Guidance on Employment practices and data protection: information about workers’ health, ICO (2023)

The ICO has updated its guidance on use and adoption of AI in the workplace, further clarifying the role of data protection law in this context. The guidance is aimed at helping organisations adopt new technologies while protecting people and vulnerable groups. The ICO also released new guidance directed at employers, offering support in grasping their responsibilities with respect to data protection law when managing the health information of their workforce.

Academic Analysis

5. Jeremias Adams-Prassl, Halefom Abraha, Aislinn Kelly-Lyth, Six Silberman, and Sangh Rakshita, ‘Regulating algorithmic management: A blueprint’ (2023) European Labour Law Journal, 14(2), 124-151

This detailed policy blueprint offers a regulatory framework for governing the increasingly common phenomenon of automated decision-making and algorithmic decision support systems in the management of workers and self-employed persons. It presents eight policy options to regulate the use of algorithmic management that will allow legitimate uses of automated decision-making technologies at work while protecting fundamental rights using individual and community led mechanisms. These policy options aim at addressing some unique and novel problems posed by algorithmic management, exacerbated by the precarious nature of employment relationships: privacy harms, information asymmetry and loss of human agency. The main concepts are summarised in a short article in Wired. A companion paper, ‘Towards an international standard for regulating algorithmic management’ offers policy proposals conceived as an international labour standard that could be developed through the International Labour Organization (ILO).

6. Halefom Abraha, ‘Regulating algorithmic employment decisions through data protection law’ (2023) European Labour Law Journal, 14(2), 172-191, and Halefom Abraha, Automated Monitoring in the Workplace and the Search for a New Legal Framework: Lessons from Germany and Beyond (2023)

The first article examines the extent to which the GDPR offers the necessary tools to protect workers from harm stemming from algorithmic management. It argues that while the provisions tailored to automated decision-making (ADM) and the rest of the GDPR provide workers with some limited protections, significant gaps remain. It then suggests policy options on how the existing protections under the GDPR can be further complemented, particularised, and strengthened through a combination of legislative and non-legislative measures.

The second paper further explores the persistent policy gap in regulating employee data processing in the EU by building on recent developments in Germany, as an example. It argues for the urgent need for independent legislation by Member States to address the challenges posed by new monitoring and algorithmic management systems to workers' privacy and data protection rights.

Halefom Abraha is a Postdoctoral Researcher at the University of Oxford.

Jeremias Adams-Prassl is a Professor of Law at the University of Oxford.

Sangh Rakshita is a Researcher on Algorithmic Management at the University of Oxford.

M. Six Silberman is a Postdoctoral Researcher at the University of Oxford.