'Wearable devices' - such as fitness trackers, wristbands, access cards - are an increasingly
popular technology. Market researchers have estimated that some 21 million wearable
devices were sold in 2014 (The Economist, 14 March 2015, citing research by IDC).
In the US, approximately 90% of companies now operate
"wellness programmes" for their staff which include competitions and team building to improve
fitness and increasingly use wearable technology to record results. Estimates are that by
2018, more than 13 million activity trackers will be used for wellness programmes. The
technology and its uses do not stop there. In addition to the more well-known fitness
trackers, companies are also exploring the use of technology within corporate access cards,
smart watches and specific health-related scanners. Some of the marketed features of many
of these devices include their ability to record, track and report on individuals' sleep, exercise
activity, stress, heart rate and other health-related metrics, as well as the geo-location of the
wearer and time of day and even biometric data in some cases (DNA, fingerprints etc).
Employers are increasingly looking at leveraging wearable technology to enable them to
monitor employees' activities so that they can drive positive change, for example via improved
productivity, as well as employee well-being. These drivers may also reduce costs and waste
associated with injuries and illness and arguably lower insurance costs for businesses.
Health and Safety is another area where wearable technologies can assist and is likely to become
commonplace - for example use with pilots and transport drivers, or on construction sites or other
workplaces that include high levels of manual labour.
In considering whether and how to use wearable technologies with their employees,
organisations must have regard to the requirements of the applicable data privacy rules and
employment laws dealing with employees' rights and consent, as well as potentially broader
concepts of right to a private life in some jurisdictions. These legal and governance
issues impact the design and implementation of any wearable technology rollout or specific
corporate wellness / fitness tracking programme:
'Managing the employment relationship' and notification of the purposes of collection, use and disclosure
From a data privacy perspective, whether or not employers will require consent to collect, use
or disclose their employees' personal data will depend on the local data privacy regime and
the nature of the personal data. In some jurisdictions, employers do not require employees'
consent where the collection, use or disclosure of employees' personal data is reasonable for
the purpose of managing the employment relationship, although it may be necessary to notify
employees of the purposes for which personal data will be collected, used and disclosed in
connection with the management of the employment relationship. Some commentators argue
that monitoring and managing employees' performance, health and well-being at work falls
within the scope of 'managing the employment relationship'.
However, given the intrusive nature of wearable technology and the fact that data usually
continues to be collected outside of working hours, or where biometric data is being collected,
more stringent requirements are likely to be applied and so best practice is for employers to
obtain consent for the collection, use and disclosure of personal data via wearables,
particularly where the company provides the device to the employee under a leasing
arrangement or similar. The employee consent and notices about how employees' personal
data will be collected, used and disclosed should be set out in a specific policy or
contract. Personal data such as sleep, biometric data and non-work activity history may
amount to sensitive personal data in some jurisdictions, such that additional legal hurdles
must be satisfied in notifying employees of the purposes for which the data is being used and
how it will be treated.
Employers should therefore seek employees' consent to participate in any wearable
technologies or corporate wellness / fitness tracking programme, and notify them of: (a) what
personal data will be collected, used and disclosed; and (b) the purposes for which, and how,
the employees' personal data will be collected, used and disclosed. Importantly, since fitness
trackers are intended to be worn 24/7 and track activities that occur outside of work hours
(eg, hours of sleep), the notice given to employees should note that the personal data
collected, used and disclosed by the fitness tracker may include information that relates to
employees' activities outside of work hours.
Other issues to consider include whether employees can be mandated to participate in the
use of wearable technology or wellness programmes. From the employment law perspective
the answer is likely to be 'no', at least until the market moves on sufficiently that such use is
deemed normal or standard practice. It is also likely that employers that seek to use
information not related to work operations (or collected outside of business hours as outlined
above) would face disputes from employees disciplined on the basis of such data.
It is also potentially arguable that a company does not own all of the data collected on such
devices, unless the device is leased to the employee - in the same way as a corporate
mobile phone. This should be clarified in any operational policies.
Obligations to protect data and offshore data transfers
In addition, many data protection regimes impose obligations on organisations to take
reasonable security arrangements to protect personal data in their possession or under their
control in order to prevent unauthorized access, collection, use, disclosure, copying,
modification or disposal of that personal data.
The providers of many wearable devices and fitness trackers provide their own cloud-based
solutions for collecting, collating and reporting on the data gathered by the devices and may
offer organisations the ability to access and analyse their employees' data through these
platforms. These cloud-based solutions may also involve the transfer of personal data to
offshore locations for the purposes of storage or processing.
Organisations should ensure that they have contractual arrangements in place with any
provider of wearable devices / fitness trackers which, amongst other things, ensure that:
- the transferred personal data enjoys comparable protection in the jurisdictions to which it
is transferred (eg, by imposing obligations on the provider to give the transferred
personal data protection which is comparable to that given under the relevant local laws
and specifying expressly the countries to which the personal data may be transferred), and
- the provider is obliged to take measures to protect personal data against accidental,
unauthorised or unlawful access, disclosure, alteration, loss etc. and that the personal
data of employees will be used only for: (a) the purposes of providing the relevant services
to the organisation; and (b) if applicable, by the provider on an anonymised, aggregated
basis for specified, agreed purposes (eg, improving and developing their wearable
devices / fitness trackers, providing aggregated reporting to customers etc.).
In addition, organisations must have internal governance controls as to who in the
organisation can access the data and for what purposes. Best practice is for data to only be
available on an aggregated and not on an individual basis. It is easy to see occasions,
however, when a business may want to identify which staff were in the office at the time
misconduct was committed for example, or to clarify a report of misconduct in a specific
location - in such circumstances an organisation will need to have given thought to whether it
will access this data and how.
Other legal risks
Importantly, organisations should also consider whether using wearable technology to monitor
their employees' performance, health and well-being may also give rise to other legal risks or
issues under workplace health and safety laws, in negligence or under a contract.
For example, if the information collected from such technology means that an employer knows,
or could reasonably know, that an employee has not had much sleep in recent days or was
stressed, does that employer have a duty to:
- the employee
- members of the public who could be injured, and/or
- the organisation for whom the employer is undertaking work under a contract,
to ensure that the employee doesn't operate heavy machinery until their sleep/health/state of
mind improves? Would the employer be liable to any of those people if the sleep-deprived
employee were to fall asleep while operating the machinery and injure themselves or a
member of the public, or damage other property?