Image from AbsolutVision, Unsplash

By Emily Byrne, Content Manager & Marketing Executive at Track24

What does privacy mean in the context of duty of care? How do both apply to organisations, enterprises, their employees and extended networks? Most people understand the term ‘duty of care’ to mean: “The moral or legal obligation to ensure the safety and well-being of others.” Source. However, the need for privacy in the context of duty of care has integrated itself into every avenue of our daily working lives. In which ways?

The society we live in is flooded with security breaches and cyber-attacks, particularly amidst Covid19. The Covid19 crisis brought about a cyber pandemic and a fivefold increase in cyber attacks noted by WHO by April 2020 alone. Source. We are targeted on the daily by imposters claiming we have a parcel from Royal Mail or DPD to be re-delivered and prompted to enter our card details to do so, or by hackers claiming to be HSBC, Lloyds or (insert other bank or building society name here).

A recent study shows: “Majorities think their personal data is less secure now, that data collection poses more risks than benefits, and believe it is not possible to go through daily life without being tracked.” Source

In light of Europe’s General Data Protection Regulation (GDPR) of May 2018 and the California Consumer Protection Act (CCPA), effective from January 2020, enterprises must protect their customers’ data at all times. What systems are in place to protect customer data? What must organisations do if they are impacted by a cyber attack or data breach? What is the organisation’s best practice to protect individual privacy?

Notably, half of the CEOs asked in a recent study undertaken by the World Economic Forum cited regulation as a priority for 2021, post-Covid. “This unquestionably reflects a rising assertiveness by governments around privacy, data, trade and – amplified by COVID-19 – health,” IBM says. Source.

Trust is as important as it ever has been to businesses and enterprises. A breach of user privacy or duty of care can sabotage a brand’s reputation entirely. People want to work for and buy from reputable, credible companies who they know will keep their data secure. “The business value of data has never been greater than it is today. The loss of trade secrets or intellectual property (IP) can impact future innovations and profitability. So, trustworthiness is increasingly important to consumers, with a full 75% reporting that they will not purchase from companies they don’t trust to protect their data.” Source.

We explore what privacy means in the context of duty of care for businesses and enterprises. This is a hot topic, as highlighted by the fall from grace of third-party cookies, steered by Apple and Google, to be enacted in 2022 and recent, tragic events in the UK media such as the case of Sarah Everard.

Honing in on the GDPR effect: A shift in the status of duty of care and privacy

Illustrative of a recent global increase in data privacy concerns: “Some 81% of the American public say that the potential risks they face because of data collection by companies outweigh the benefits, and 66% say the same about government data collection.” Source.

In order to provide their duty of care obligations to their customers, businesses and enterprises need to have solutions in place to actively protect customer data. As stated by IBM: “Consumer awareness of the importance of data privacy is on the rise. Fueled by increasing public demand for data protection initiatives, multiple new privacy regulations have recently been enacted, including Europe’s General Data Protection Regulation (GDPR) of May 2018 and the California Consumer Protection Act (CCPA)”, effective from January 2020. Source. 

If businesses slip up and fail to follow GDPR or CCPA privacy regulations, this could result in detrimental brand press and public scandal, as we’ve seen in recent years through the wrongdoings and corruption of Cambridge Analytica, at the most concerning end of the scale. Source

“Companies that have overlooked their duty of care to their customers after a data breach have seen significant and long-lasting reputational damage as well as financial penalties being imposed by the regulator.” Source

So, why are data privacy and data security so important? IBM gives us the data security 101: “When properly implemented, robust data security strategies will protect an organization’s information assets against cybercriminal activities, but they also guard against insider threats and human error, which remains among the leading causes of data breaches today. Data security involves deploying tools and technologies that enhance the organization’s visibility into where its critical data resides and how it is used. Ideally, these tools should be able to apply protections like encryption, data masking, and redaction of sensitive files, and should automate reporting to streamline audits and adhering to regulatory requirements.” Source.

Digital transformation is profoundly affecting every aspect of how businesses and enterprises operate and compete on a daily basis. As the volume of data enterprises create, store and manipulate grows, so does the need for data governance. As computer environments span the public cloud, enterprise data centers and IoT sensors, remote servers and even robots, businesses and enterprises have an extensive duty of care to protect the privacy of the data of their customers.

Recent trends have seen business enterprises and corporate entities implement GDPR across the board, in order to keep themselves compliant and prepared. StreetFight notes: “This trend is different across regions. Companies based in the U.S. are trying to leverage CCPA to collect more data whereas companies in Asia Pacific are defaulting to GDPR to leverage data sharing with the EU. As a result, the investment in privacy experts, tools, consultants, and practices will increase dramatically in 2021”. Source. “The ‘GDPR’ effect can be seen across the world with many countries stepping forward with their version of data protection and showing how their consumers’ rights are important to them. With major markets like Brazil, China, and India declaring that they will be implementing these regulations, smaller countries will have an incentive to follow suit and create a framework to emulate these regulations.” Source.

In the context of data privacy, duty of care is most valued by customers when it’s enacted to help, support and protect them, especially if something goes wrong. If you fail to protect your customers and their data, they’ll vote to abandon your brand with a swift click of a mouse.

Welcome to the privacy-first party: Customer data, marketing and duty of care 

In the wake of Google and Apple’s announcements of the removal of third-party cookies early in 2022, the advertising ecosystem must strategise and explore new methods of marketing which embrace a privacy-first, first-party data approach. A duty of care is now attached to the usage of customer data and data privacy, after the most recent passage of Virginia’s new privacy regulation: the Virginia Consumer Data Protection Act of March 2021, built upon changes made by the CCPA and the EU’s GDPR Act.

‘As smartphones, mobile apps, and mobile web rose to the top of the usage charts, companies realized that these phones could basically be used as 24/7 surveillance devices.’ Source.

Apple has begun to develop its data privacy measures, with the iOS 14 update at the end of April and beginning of May 2021. “Apple will require apps to ask users for permission (opt-in) to collect and share data on all Apple devices, most notably iPhones.” Source. “The biggest unknown […] after the iOS 14 update is how many people will choose to opt-in and continue to allow personal identifiers on their Apple devices. Current estimates range from as low as 10% to 30% or higher.” Source.

As for Google, they plan “to stop using or investing in tracking technologies that uniquely identify web users as they move from website to website.” Source. This has “the potential to move the digital advertising industry as a whole away from individualized tracking.” Source. A definite nod to preserving the privacy of the individual user and towards duty of care, no doubt.

StreetFight expertly condenses the recent shift from third to first-party data and indicates how this has forced companies to review their duty of care to their customers, in terms of data privacy: “First, users were merely informed that apps were using their personal data. Then regulators drafted tougher legislation, including personal legal implications for executives whose companies didn’t comply. Next came rule changes that forced apps to make specific requests for every type of sensitive data they wanted to use.” Source

Aptly put, each one of the recent changes to data regulation legislation “was aimed at curtailing practices that compromised users’ privacy. Each new wrinkle forced companies to adapt.” Source.

Recent changes will protect user privacy under a duty of care umbrella, which will eventually give users complete control over their data. Customers will be able to determine whether they wish to share their data and if so, which parts, and consider with whom they may share it.

Employing duty of care and a privacy-first approach in the workplace 

Let’s begin by exploring the common law of confidentiality, in order to determine what privacy means in the context of the most basic level of duty of care employers are obligated to fulfil to their individual employees. We’ll move on to evaluate how duty of care and privacy protection have evolved in the workplace in recent years.

“The legal obligation for confidentiality is one of common law, which means it will change as case law evolves. The so-called common law duty of confidentiality is complex: essentially it means that when someone shares personal information in confidence it must not be disclosed without some form of legal authority or justification. In practice, this will often mean that the information cannot be disclosed without that person’s explicit consent unless there is another valid legal basis.” Source.

In less legal jargon: Although set to constantly evolve with common law, the common law duty of confidentiality protects employees’ private information from being disclosed in normal situations. Only with legal necessity or consent from the individual can this be done. Therefore, a basic level duty of care is ensured. 

An organisation’s duty of care is not only necessary offline in the technology-obsessed world we operate in. A new statutory duty of care was set in place to monitor online platforms and end user privacy, operating in the UK in the Government’s Online Harms White Paper, published back in 2019. 

“Social media platforms, file hosting sites, online discussion boards, messaging services and search engines, as well as other businesses that ‘allow users to share or discover user-generated content or interact with each other online’, will be subject to the new duty. Compliance with the new duty is to be overseen by an independent regulator, which the government said industry would fund.” Source.

This regulator was proposed to have a legal obligation to ‘pay due regard to innovation’, as well as ‘protect users’ rights online’, ‘particularly rights to privacy and freedom of expression’. 

Recent, harrowing events in the UK media have highlighted the need for organisations to continue to ensure their duty of care obligations to employees after hours, with Sarah Everard’s story sparking a movement based around female security. 

“Activists who have previously channeled energy into almost every other social and political cause are, finally, turning to the matter of women’s lives. Here in the UK, a spontaneous political movement has erupted with women at its centre.” Source.

Any emerging protective intelligence technologies or software used by organisations to monitor the safety status of employees should be deployed carefully, with the promise that they are privacy-first and user consent driven. The end user should be able to determine when they are being tracked and be able to switch to private mode or disable active tracking when they have reached their destination safely, or no longer feel at risk.

In recent years, the importance of an employer’s duty of care over their employees has come under the spotlight. In the aftermath of the Covid19 pandemic and the increased terror threat level in the UK, we’ve seen organisations focus on both protecting mental health in the workplace and adopting a more hybrid way of working. Companies are much more ‘woke’ when it comes to protecting the well-being of their people.

An example of the evolution of duty of care in performance management technology? BambooHR is using geolocation technology to help record employees’ locations and timesheets. The HR platform states: ‘Adding geolocation to Time Tracking in the BambooHR Mobile app helps make your workforce that much more transparent across the board.’ Source. Employees’ privacy remains protected when they clock out of their app once their working day is done and, of course, employees must first be willing to opt in.

Let’s consider how duty of care has evolved into ‘reasonable care’ in the midst of the pandemic: “‘Reasonable care’ means that an employer has to assess potential risk; the harm it could cause an employee (and others); and the safety precautions that could be implemented to eliminate or minimise risk to as low a level as reasonably practicable.” Source. This obligation becomes more complicated for organisations to enact when we consider all the employees working remotely. 

Two major aspects of this new form of duty of care? Protecting individual privacies and taking reasonable care to shield employees from foreseeable harm. It becomes clearer than ever that duty of care cannot be delegated to another person or organisation; it is entirely in the hands of the organisation in question and has arguably become more important than ever. Brand reputation will undoubtedly suffer, should malpractices of a duty of care or privacy protection nature be reported.

Employees are now driving employers to take duty of care seriously. Safety, flexibility and wellness are the top trending priorities in the workplace. Here’s how, as cited from Forbes’ fascinating article: “10 Workplace Trends to Watch For in 2021”.

Safety: “Workplace safety isn’t just a topic for manufacturing and warehouse environments. Employers need to have policies and procedures in place to make sure their office workers feel safe, too.” Source.

Flexibility: “Prior to the pandemic, flexibility was seen as a perk. Now, it is much more than that. To attract and retain talent, it has become a necessity. Offering this flexibility can benefit companies as well. Providing flexible schedules can result in increased morale and productivity while also reducing stress.” Source.

Wellness: “There is an added focus on health care benefits and wellness initiatives. Employees will continue to directly compare their current benefits to the benefits offered at prospective employers, particularly when it comes to mental health and wellness.” Source.

As we’ve all experienced, the trends in 2021 have prompted major adaptation and change in the workplace, such as an increased use of technology and significantly, a shift in mindset. Now, a huge emphasis is placed upon employees feeling safe, well and provided with flexible working opportunities. Organisations must provide employees with a duty of care which rivals competitors and previous workplaces. In this day and age, duty of care obligations can in no way be ignored.


In answer to the question: “What does privacy mean in the context of duty of care?”, protecting employees’ privacy IS an integral part of an organisation’s duty of care culture. After all, “Trust is based on three key components: what you say, what you do, and how you perform.” Source

Trust culture depends on not only employees, but also customers maintaining confidence in a brand. Organisations must be reliable, dependable, accountable and transparent both internally and externally, not only in their duty of care policies but also in the way they handle data privacy and confidential information, particularly in light of recent legislation changes, prompted by the EU GDPR Act and the CCPA.

The modern world we live in, in the shadow of the impact of the Covid19 pandemic, a boom of online activity, terror threats and hybrid, remote working, has married the obligations for organisations to ensure that sufficient duty of care and privacy protection is readily available to their employees and even their extended networks. Perhaps… technology provides a solution for the provision of both necessities. 

For more information about the work of Track24, visit our refreshed website here:
