Wearables at work: Data privacy and employment law implications

Intellectual Property and Technology News

Employment Update

By:

Wearable devices - such as fitness trackers, wristbands and access cards - are an increasingly popular technology. Market researchers have estimated that some 21 million wearable devices were sold in 2014 (The Economist, 14 March 2015, citing research by IDC).

In the US, approximately 90% of companies now operate "wellness programmes" for their staff which include competitions and team building to improve fitness, and which increasingly use wearable technology to record results. Estimates are that by 2018, more than 13 million activity trackers will be used for wellness programmes. The technology and its uses do not stop there. In addition to the more well-known fitness trackers, companies are also exploring the use of technology within corporate access cards, smart watches and specific health-related scanners. Marketed features of many of these devices include the ability to record, track and report on individuals' sleep, exercise activity, stress, heart rate and other health-related metrics, the geo-location of the wearer and the time of day, and in some cases even biometric data (DNA, fingerprints etc).

Employers are increasingly looking at leveraging wearable technology to monitor employees' activities so that they can drive positive change, for example through improved productivity and employee well-being. These drivers may also reduce the costs and waste associated with injuries and illness, and arguably lower insurance costs for businesses. Health and safety is another area where wearable technologies can assist and where their use is likely to become commonplace - for example with pilots and transport drivers, on construction sites, or in other workplaces that involve high levels of manual labour.

In considering whether and how to use wearable technologies with their employees, organisations must have regard to the requirements of the applicable data privacy rules and employment laws dealing with employees' rights and consent, as well as potentially broader concepts of right to a private life in some jurisdictions. These legal and governance issues impact the design and implementation of any wearable technology rollout or specific corporate wellness / fitness tracking programme: 

'Managing the employment relationship' and notification of the purposes of collection, use and disclosure 

From a data privacy perspective, whether or not employers will require consent to collect, use or disclose their employees' personal data will depend on the local data privacy regime and the nature of the personal data. In some jurisdictions, employers do not require employees' consent where the collection, use or disclosure of employees' personal data is reasonable for the purpose of managing the employment relationship, although it may still be necessary to notify employees of the purposes for which personal data will be collected, used and disclosed in connection with the management of the employment relationship. Some commentators argue that monitoring and managing employees' performance, health and well-being at work falls within the scope of 'managing the employment relationship'.

However, given the intrusive nature of wearable technology, the fact that data collection usually continues outside of working hours, and the possibility that biometric data is being collected, more stringent requirements are likely to be applied. Best practice is therefore for employers to obtain consent for the collection, use and disclosure of personal data via wearables, particularly where the company provides the device to the employee under a leasing arrangement or similar. The employee consent and the notices about how employees' personal data will be collected, used and disclosed should be set out in a specific policy or contract. Personal data such as sleep data, biometric data and non-work activity history may amount to sensitive personal data in some jurisdictions, such that additional legal hurdles must be satisfied when notifying employees of the purposes for which the data is being used and how it will be treated.

Employers should therefore, before employees participate in any wearable technology or corporate wellness / fitness tracking programme, notify them and seek their consent regarding: (a) what personal data will be collected, used and disclosed; and (b) the purposes for which, and the manner in which, the employees' personal data will be collected, used and disclosed. Importantly, since fitness trackers are intended to be worn 24/7 and track activities that occur outside of work hours (eg, hours of sleep), the notice given to employees should state that the personal data collected, used and disclosed by the fitness tracker may include information that relates to employees' activities outside of work hours.

Other issues to consider include whether employees can be mandated to participate in the use of wearable technology or wellness programmes. From the employment law perspective the answer is likely to be 'no', at least until the market moves on sufficiently that such use is deemed normal or standard practice. It is also likely that employers that seek to use information not related to work operations (or collected outside of business hours, as outlined above) would face disputes from employees disciplined on the basis of such data.

It is also potentially arguable that a company does not own all of the data collected on such devices, unless the device is leased to the employee - in the same way as a corporate mobile phone. This should be clarified in any operational policies.

Obligations to protect data and offshore data transfers

In addition, many data protection regimes oblige organisations to make reasonable security arrangements to protect personal data in their possession or under their control, in order to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of that personal data.

The providers of many wearable devices and fitness trackers provide their own cloud-based solutions for collecting, collating and reporting on the data gathered by the devices and may offer organisations the ability to access and analyse their employees' data through these platforms. These cloud-based solutions may also involve the transfer of personal data to offshore locations for the purposes of storage or processing. 

Organisations should ensure that they have contractual arrangements in place with any provider of wearable devices / fitness trackers which, amongst other things, ensure that: 

  • the transferred personal data enjoys comparable protection in the jurisdictions to which it is transferred (eg, by imposing obligations on the provider to give the transferred personal data protection comparable to that given under the relevant local laws, and by specifying expressly the countries to which the personal data may be transferred), and 
  • the provider is obliged to take measures to protect personal data against accidental, unauthorised or unlawful access, disclosure, alteration, loss etc., and that the personal data of employees will be used only: (a) for the purposes of providing the relevant services to the organisation; and (b) if applicable, by the provider on an anonymised, aggregated basis for specified, agreed purposes (eg, improving and developing their wearable devices / fitness trackers, providing aggregated reporting to customers etc.) 
In addition, organisations must have internal governance controls over who in the organisation can access the data and for what purposes. Best practice is for data to be made available only on an aggregated, and not on an individual, basis. It is easy to see occasions, however, when a business may want to identify which staff were in the office at the time misconduct was committed, or to verify a report of misconduct in a specific location - in such circumstances an organisation will need to have given thought in advance to whether it will access this data, and how.

Other legal risks 

Importantly, organisations should also consider whether using wearable technology to monitor their employees' performance, health and well-being may give rise to other legal risks or issues under workplace health and safety laws, in negligence, or under a contract. 

For example, if the information collected from such technology means that an employer knows, or could reasonably know, that an employee has not had much sleep in recent days or was stressed, does that employer have a duty to: 

  • the employee
  • members of the public who could be injured, and/or  
  • the organisation for whom the employer is undertaking work under a contract, 
to ensure that the employee does not operate heavy machinery until their sleep/health/state of mind improves? Would the employer be liable to any of those people if the sleep-deprived employee were to fall asleep while operating the machinery and injure themselves or a member of the public, or damage other property?