On July 15, 2020, Traxo held its latest Travel Managers Office Hours event, Balancing Traveler Safety, Security and Privacy. Moderated by Chad Costa, the webinar featured two prominent corporate travel duty of care and data privacy industry experts: Bruce McIndoe, President/Founder of WorldAware, and Sterling Miller, author, keynote speaker, and currently Senior Counsel at Hilgers Graben.
Right now everyone in business travel is under immense stress and working hard to stay informed to plan for the future. One key component to realize is that moving forward, travelers too will be anxious about their trips. As travel ambassadors for your companies, you should expect to be the first resource these travelers will inevitably come to with specific questions about safety, protocol, and security.
The foundation of this Office Hours event, the fourth in our series, was empowering Travel Managers to communicate with their teams about what to expect, so they can support travelers and provide confidence during this return.
The constant evolution of data privacy
Beginning with Sterling Miller, the longtime industry legal expert shared that Travel Managers should feel empowered to collect the data they need as long as they follow basic parameters. Some data privacy protection laws are well known, such as GDPR, and others like California’s CCPA (which does cover employee data) are only now beginning to be enforced. However, there is a plethora of national, state and local data privacy laws, and they vary not only at each of those levels but also based on where the travel originates.
Miller stresses, however, that the basics of data privacy are fairly straightforward: the company has a legitimate interest in processing employee itinerary data, including relevant personally identifiable information (PII), when those trips are for company business purposes, are conducted with company resources, and are paid for with company funds. This meets the reasonable test as well: how can a company ensure it provides employees with the proper safety alerts or emergency assistance if the company doesn't know where that employee is traveling for the business trip?
Companies can further protect their interests regarding compliance with privacy laws by communicating to employees what personal data the company collects, for what purpose, and the steps it takes to ensure that data is processed and stored securely. Fortunately, most companies likely already comply with this requirement by virtue of the travel policies they publish and share with employees; a good-hygiene approach would be to conduct regular reviews of your travel policy and communicate updates or changes to employees.
When it comes to traveler safety, Miller notes that employers generally have a “duty of care” requirement to protect their employees, and collecting and holding PII is a critical facilitator of that duty. As a legal expert he highlighted the key aspects Travel Managers should keep in mind:
- Being able to identify the company’s legitimate interest in the travel data
- Limiting the data collection to only what is needed
- Keeping the data secure
- Maintaining on record a written travel policy and notifying employees of what data is collected and why
- Reviewing the process and updating the written documentation yearly
Miller concludes by noting that ultimately using common sense in everything Travel Managers do related to employee travel and data issues will be key. Document any issues in writing and always involve ALL the right people (HR, Legal Counsel, Corporate Security, Travel Managers, etc.).
Sterling’s views are his own and not necessarily those of Hilgers Graben PLLC, nor are they intended as, nor do they constitute, legal advice.
"Location Awareness" is the foundation for duty of care
Bruce McIndoe followed Sterling by sharing that having the ability to communicate with your travelers is going to be the best way to support them as we resume travel. Travel is unique in that impactful events can occur every minute of every day. The fact that we don’t have control over a traveler's surroundings led Bruce’s company, WorldAware, to develop its take on a continuous risk management model.
1. Learn: policies, procedures and outcomes as needed.
2. Monitor threats and incidents which could impact your employees
3. Assess what assets may be at risk.
4. Notify your at-risk employees and create awareness of the threat.
5. Respond and prepare: work to recover from the event and continuously improve the process.
The concept is simple: implementing a continuous risk management program ensures the confidence and organization necessary to strengthen a company's ability to assist travelers in times of peril or need. In order to create such a model for your company, collecting essential PII is needed. Such PII would include:
- Full Name
- Email Address(es)
- Phone Number
- Mobile Number
- Air Booking info, Hotel Info/addresses
- Location Awareness
- Emergency Contact
- Manager Contact
While some of this information can easily be collected from the employee on a one-time basis, other items, such as hotel addresses and air booking info, are constantly changing. McIndoe adds that the only way WorldAware (or other DOC providers) can assist clients in risk management is by knowing where employees are going ahead of time. Bruce cited the importance of this, and noted that it is a key factor in why WorldAware has shaken hands with Traxo. By partnering together, Travel Managers can now feel confident in providing WorldAware coverage to employees not only via TMC booking data, but also via Traxo’s data, which detects itinerary details regardless of booking source.
Bruce concluded that as travel resumes over the next 12 months, Travel Managers should be ready to address questions. These could range from what travelers should expect, to what they should be concerned about or aware of, and certainly to what rights they have. Government guidelines, such as state-to-state quarantine restrictions, will continue to be lifted, placed or adapted as we progress through the pandemic. Having the capability to communicate proper answers to these types of questions will be one of the best ways to support travelers.
Finally, McIndoe closed his thoughts by noting that this remains a golden opportunity for Travel Managers to review policies and procedures and to consider enhancing their TMC data. By properly educating yourself and exploring new options, McIndoe suggests, you set yourself up for the most efficient return.
The audience had several great questions for the panelists, which we covered in the event and which are recapped below. A big thank you to Bruce and Sterling for taking the time to respond to these questions and share insights with the audience during the call.
Q: What suggestions do you have to get appropriate parties (i.e., HR, Risk, or Legal) involved in the creation of DOC policies?
A: All stakeholders (HR, Risk, Legal, and your Executive team) should be involved, but to get the ball rolling you should engage with your best partner in the company. You could share the link to this webinar with those stakeholder partners as a first step. They should understand the need to take action and the risk/liability of not taking action. Regular reviews of and updates to your processes and policies should include these stakeholder groups as well to ensure alignment.
Q: How should I address Legal or Privacy teams' concerns about collecting employee PII for business trips without securing employee consent first? Can an employee opt-out of sharing business trip itineraries?
A: In general, a company has a Legitimate Interest in processing employee PII for purposes related to that company's business -- so, when an employee books a business trip, the purpose of which is to conduct company business, that is a legitimate reason for the company to capture PII related to that trip. Additionally, because the company is paying for the trip, it has a legitimate interest in knowing what company dollars the employee is spending on that trip. This data is necessary for the company to be able to perform both its risk management duties in protecting the employee, as well as its fiscal duties in managing its expenses responsibly.
Furthermore, there is no risk of harm to the employee for the company to process this data. The risk of harm to the company in NOT processing this data outweighs any perceived harm to the employee in having the data processed.
Finally, when employees use company resources, including email, corporate cards, laptops, mobile devices, etc. to conduct business -- even if it's personal in nature -- companies have every right to monitor that activity, including processing and viewing data submitted via email, chat, or text. This is typically communicated to employees as part of a company's Acceptable Use policy that is included in employment agreements or other standard HR onboarding, so most companies will already be covered for communicating these rules to employees. Employees who do not want their personal data accessed should not use company resources (including company email) to conduct personal business.
Given the above tests, an employee cannot "opt-out" or decline consent for the company to process their itinerary details and related PII for business trips. If an employee has concerns about this, then the company should consider not allowing that person to travel on company business until their concerns can be resolved.
Q: How should we think about data privacy and risk management when it comes to "bleisure" trips, where there is a mix of both business and leisure travel?
A: As Bruce put it on the webinar, your duty is to "protect people, not trips". Your employees are your most valuable and most strategic asset, so you should answer this question from that perspective.
COVID-19 has presented numerous examples of this scenario: for instance, an employee who tacked on a few days vacation after a business trip in Italy could have been exposed to COVID-19 at any point during that trip. That company should want to provide assistance to that employee regardless of whether the exposure resulted from the leisure portion of the trip or the business portion, because the risk to that employee's health and safety could impact his or her productivity -- as well as colleagues' productivity -- after the trip.
The legal rules are a bit blurry on this topic, so there is no clear legal answer governing where a company's liability may begin and end. Best practice is to focus on ensuring the health and safety of the employee, regardless of the mixed purpose of the trip.
Q: Are there any concerns about apps that countries are requiring travelers to install to monitor for COVID risk?
A: Best practice is to always use a separate travel phone. Don’t use your personal phone in most countries as you risk the highest level of data exposure, especially if downloading files and/or apps.
Q: How should the issue of travelers not following policy be addressed when they have been given the policies and signed a document stating that they will follow the policies, but continue to break the policies?
A: This should be treated in line with your company's standard process for discipline. If this is a recurring issue within your company, either broadly or with a subset of individuals, then you may consider reviewing your policies and/or providing more regular communications about the purposes behind the policies. Engaging your employees in a dialogue can help improve their understanding of the "why" behind your policies, and sometimes even bring forward new and better ideas.
Traxo Office Hours
Bruce and Sterling were part 4 of the Travel Managers Office Hours series. View all past events. If you’d like to be notified when the next webinar will take place or are interested in learning more about Traxo's offering for corporate travel managers, contact us.