Wednesday 13 February 2019

GUEST BLOG: Duty of Care vs. Data Privacy: Striking a Balance

By now, we are all quite familiar with the Global Data Protection Regulations (GDPR) rolled out last May. We now find ourselves in this brave new world of data privacy that requires some changes to how we’ve managed our business in the past.

In particular, GDPR has introduced a quandary for corporate travel managers as it relates to balancing employee data privacy and travel risk management obligations.

The issue is most pronounced when considering the impact of off-piste “leakage” bookings. Given that over two-thirds of employees have booked travel outside their mandated travel management company (TMC) or online booking tool (OBT) in the past year, this is a legitimate conundrum, as the critical itinerary details about those bookings exist outside the tools to manage them.

How can a company meet its duty of care liability if it doesn’t know where employees are travelling?

And more specifically: can an individual employee “opt out” of sharing their business travel plans, if doing so impedes the company’s ability to provide duty of care?

It’s an open question that has not yet encountered a formal legal challenge, so there are no clear answers. However, there are two provisions within GDPR that may offer guidance.

  1. Legal Obligation. Where your company has a legal obligation to provide duty of care to employees, this may be sufficient justification for using data from the travel booking without first obtaining employee consent. There are some fences, of course, but in general if the data is necessary and there is no alternative way to meet the legal obligation without this data, you may have standing.

  2. Legitimate Interest. This standard is broader in scope, but can also provide justification for using employee data to meet duty of care obligations. It uses a three-part test:
   Purpose test – is there a legitimate interest behind the processing? Given the data is used for duty of care, and not for something akin to marketing, it’s likely this test is met.
   Necessity test – is the processing necessary for that purpose? Can duty of care be achieved without acquiring this data? If not, then it can be deemed necessary.
   Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?  Could the employee likely be harmed in any way by the use (or misuse) of their data for this purpose? If the potential damage is minimal, you may have standing to use the data.

Either or both standards may apply to your organisation, and if so, can offer more latitude in which solutions you deploy to capture travel program leakage data. New technology solutions for data aggregation can help by automatically capturing these leakage bookings in real time, but the implications for data privacy must be evaluated. More traditional approaches, like requiring employees to manually enter or forward confirmation emails for off-piste bookings, can meet the “consent” requirement, as can a blanket consent obtained as part of an employment agreement or traveller profile created within your OBT systems.

Enlist internal stakeholders from your risk/security, legal, HR, travel, and procurement teams to determine which path (or paths) fit best for your organisation, considering your risk profile and company culture.

Most critically, once you’ve chosen a path, make sure to communicate the program clearly to your employees.  The best duty of care approach is one that enlists employees as partners in the process, as they are the ultimate stakeholders.

To learn more, download the white paper Duty of Care vs. Data Privacy, sponsored by Traxo.


This post was written by Cara Whitehill, Chief Commercial Officer for Traxo, a leader in travel data aggregation solutions for corporate clients. Traxo’s services integrate with leading travel risk management solutions to capture off-piste “leakage” bookings for duty of care purposes.

Traxo is exhibiting at the Business Travel Show at Olympia London next week - register for free now at 
