Are freelance staff leaving agencies at risk?
Using freelance staff does not remove an agency’s responsibility for managing confidential information and data, says Raj Shah.
With the pandemic having accelerated technology-driven shifts in the digital media environment, PR agencies are under pressure to become as flexible and agile as possible. Many in-house marketing teams have responded to resourcing demands by turning to the gig economy. Since engaging freelancers is typically quicker than recruiting full-time employees, it’s common for PR agencies to overlook the need to ensure that freelancers keep both commercially sensitive and personally identifiable information confidential.
Often freelancers are engaged on an informal basis without a written agreement. It’s imperative to formalise the arrangement using a consultancy agreement, as this can be used to introduce legally binding obligations on freelance staff to keep commercially sensitive information strictly confidential.
It’s therefore sensible to include obligations on freelancers in such consultancy agreements regarding what can or can’t be printed at home, what should be kept locked away, and how documents should be destroyed. The agreement should also stipulate that all work-related emails must be sent via the agency’s email systems rather than through personal accounts.
Notwithstanding Brexit, UK-based PR agencies still have to comply with the domestic version of the General Data Protection Regulation (GDPR). This requirement is unlikely to change any time soon, not least because the adequacy status that the European Commission has just granted Britain in respect of its privacy regime hinges on regulatory alignment in that area.
PR agencies will likely constitute ‘processors’ of personally identifiable information that their clients will have provided to them (with such clients being ‘controllers’ of that information). The GDPR requires certain mandatory provisions to be included in contracts between processors and controllers to govern how this personal data will be handled.
Among other commitments, these include obligations on PR agencies as processors to keep personal data provided by their clients confidential, to implement appropriate security measures to protect that data, and to delete or return that data at the end of the engagement. In addition, all of these obligations have to flow down by way of written contracts to any third parties that PR agencies engage as ‘sub-processors’.
Consequently, privacy obligations in PR agencies’ agreements with their respective clients need to be explicitly mirrored in written consultancy agreements with freelance staff. This is because, unlike employees (who are considered part of the PR agency rather than third parties), freelancers would count as separate ‘sub-processors’. In other words, if any freelance staff engaged by an agency have access to personally identifiable information provided by the agency’s clients, then the agency has a legal obligation to formalise a written contract with those freelancers that mirrors the data protection commitments contained in the agency’s client terms of engagement.
A failure to implement this could theoretically lead to an eye-watering fine by the UK’s privacy watchdog, the Information Commissioner’s Office (ICO), of up to the greater of 2% of worldwide turnover or £8.7 million.

Checking the data protection provisions of every client contract before engaging a freelancer to work on projects involving those clients is a huge burden for any PR agency. As such, it makes sense for agencies to use standard terms of engagement with all clients containing the same data protection clauses, so there is certainty as to what obligations need to be passed down to freelancers. Ideally an agency’s client terms of engagement should require the client to give a general authorisation to appoint freelancers as sub-processors; otherwise, clients would first have to be approached to give their permission for freelancers to handle the relevant personal data.
Even if a freelancer is hired in a rush to complete a certain project by a deadline, the seriousness of personal data breaches means that PR agencies can ill afford to skip elementary training on how clients’ personal data should be handled. Beyond having in place written agreements, therefore, agencies are well advised to have a ready-to-go training session (for example, by way of a video or online tutorial) that all new personnel can watch on day one in the job. If a personal data breach were to occur, one of the first questions that will be asked by the ICO is whether all staff (and not just employees) have been adequately trained in respect of their data protection obligations.
Given that any leak of confidential or personally identifiable information could jeopardise the reputation of a PR agency, it’s vital to keep this in mind when engaging freelancers. It goes without saying that few organisations are likely to instruct an agency that can’t keep its own image spotless.
Raj Shah is a Senior Associate at law firm Collyer Bristow LLP