Managing technology, personal data and privacy
This is the eighth in a series of articles produced for the Future of Work Hub by Lewis Silkin LLP looking at managing technology, personal data and privacy.
The role of data in the workplace has changed dramatically since the early days of computers and basic databases in the 1970s. Even with the advent of the internet and email, while employers held basic information about their employees (names, addresses, dates of birth and so on), this was generally used for the administration of the business. The need to monitor sickness absence, administer sick pay and comply with obligations under disability discrimination legislation has meant that in the past 20 years it has become more common for employers to hold more detailed information about employees, sometimes of a sensitive nature. Again, until relatively recently, such data was retained mainly for record-keeping purposes, rather than being seen as having a specific business value.
The explosion of social media and the “internet of things” has, however, created enormous quantities of data that will continue to grow in the future. New technologies have improved our ability to track and collate vast amounts of information. With the “quantified self” movement entering the mainstream, a growing number of people are using wearable technology to monitor everything they do. It has not taken long for employers to identify the benefits of introducing this type of technology in their workplace, with the potential to access large amounts of detailed information on their employees. Purposefully collecting and investigating this data to identify patterns and behaviours could be used to help improve overall workforce wellbeing and productivity. Employers’ health insurance premiums could be reduced by having a healthier workforce. Monitoring stress levels and the causes of stress could enable employers to make positive changes to the workplace.
Many predict that consumer concerns about privacy and the security of personal data are likely to decline as they come to perceive the benefits of transparency as outweighing the risks. But it remains to be seen how far employees will be willing to trade their privacy so employers can track their location and activity or assess their performance. So far, there have been a number of well publicised negative reactions from employees and unions where employers have introduced, for example, workplace motion detectors (to monitor desk usage) and wristbands for warehouse workers (to measure productivity and location in real-time).
The possibility for employers to collect and analyse huge amounts of detailed information on their staff inevitably raises legal and ethical issues about data protection and privacy, for which they will need to prepare. With predictions of a future in which managers have dashboards displaying real-time employee biometrics, we can expect to see complaints from employees and unions about unnecessary or intrusive monitoring. Employers should be wary of creating a “surveillance culture” in the workplace, which could lead to increased stress, sickness absence and staff turnover.
People are more likely to be open to the idea of monitoring if they can be persuaded of a clear personal or workplace benefit - particularly if the data is anonymised and shared at an aggregate level rather than being personalised. Trust is likely to be the main stumbling block, so transparent rules and communications about how data is acquired, used and shared will be essential. Employers will also need to obtain employees’ explicit, informed consent before gathering personal data from wearables, then further consent to correlate it with other data such as performance metrics.
Once an organisation is able to collect enough of the right sort of data, it can be possible to use it to automate decision-making. This is already being used with increasing effectiveness and intelligence in recruitment, but has the potential to pervade the whole life cycle of the employment relationship. Although this presents opportunities for organisations to improve their decision-making processes, care should be taken to eliminate any conscious or unconscious bias that could give rise to potential discrimination claims.
Although an employer may have a legitimate interest in monitoring a personal device used for business purposes, this should be balanced against the employee’s right to the protection of his or her private life. Employers should put in place appropriate security measures to protect personal data against misuse, loss or damage. It will become more important in the future for organisations to adopt appropriate policies related to privacy, security and intellectual property, in order to ensure that all processing of personal data on workers’ personal devices complies with data protection legislation and current ICO guidance.
Advances in technology mean that data can now be easily transferred around the world. Data protection laws restrict the transfer of personal data to a country or territory outside the EEA unless it ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data. Ensuring an adequate level of protection can be a real challenge, as illustrated by the recent European Court of Justice judgment outlawing the “safe harbor” arrangements for the transfer of personal data outside of the EU to the United States. The complexity and uncertainty of the rules on international transfers of personal data will continue to create significant risks for employers in the future.
Legal regulation of monitoring and surveillance will continue to limit the use of data for the foreseeable future. Employers will need to consider carefully their rationale for obtaining and using personal data and put in place clear policies to ensure compliance with legal obligations.
The government’s recently published Data Protection Bill will repeal the current Data Protection Act 1998 and incorporate the EU General Data Protection Regulation (“GDPR”) into UK law. While the GDPR will apply directly in all EU member states from 25 May 2018, the Data Protection Bill will provide for GDPR implementation and continuity of data protection standards in the UK following Brexit.
The GDPR will tighten up the use of “consent” as a basis for processing personal data – it must be freely given, informed and unambiguous and there must be genuine choice for the employee. Sanctions for non-compliance with data protection obligations will become much fiercer, with the maximum penalty set at €20m or 4% of an undertaking’s worldwide turnover, if higher. The GDPR will also introduce more stringent enforcement practices, requiring employers to give more thought to issues such as storage and security of potentially vast quantities of data - the more data that employers control, the greater the likelihood of a security breach. Dealing with data subject access requests is likely to become even more onerous.
Ethical issues come into play if an organisation’s decisions about its workforce are increasingly based on data collected outside the workplace. At what point do concerns over “wellbeing” stray into an infringement of privacy? Would it be legitimate to use such data in the context of performance management? To what extent might it be permissible for using a wearable to become, in practice, a condition of employment in the future?
As things stand, employers experimenting with wearables and tracking apps are struggling to find efficient ways in which to analyse the vast quantities of data collected and draw useful insights from it. But this is certain to improve over time and we can expect the use of this type of technology to flourish. As the trend continues and develops, employees are likely to become more receptive and accepting of these sorts of practices. In the same way that data is shared on social media to an extent that would have been unimaginable only a generation ago, the tracking of employees’ daily lives and habits may gradually come to be regarded as a natural aspect of their working lives.
Watch out for the next article in the series will look at working across borders. To read the introduction to the report which gives an overview of the impact of three megatrends - globalisation, technology and changing demographics - on the world of work, see the introduction to the series.
If you would like an advance copy of all sections of the report "Future Proofing Your Business", click the button below to let us know.