Wearable technology in the workplace and data protection law

Wearable technology is slowly creeping into the workplace to monitor staff performance and health, but do employers understand the legal implications? We assess the data protection implications.

Imagine a workplace where an employer switches on a computer and sees the exact time that an employee entered and left the building, views the employee’s heart rate and step-count throughout the working day, accesses details of the employee’s lunch purchases in the staff canteen, and tracks how many mistakes or near-misses the employee made while carrying out their role. This may sound like a new Sims expansion pack or an episode of Black Mirror, but the technology is here.

Wearable technology in the workplace is, of course, nothing new; security access passes, for example, have long been an office staple. But the sophistication and complexity of these technologies is evolving rapidly.

A recent example of an employer who is riding this zeitgeist is Amazon, which was issued with two patents in the US for a wristband for tracking the performance of workers in its warehouses. The wristband system will mean workers will receive a little “buzz” if they place a product near or in the wrong inventory bin.

Microchip implants

More controversial were the plans of US-based tech company Three Square Market, which implanted microchips in 50 consenting staff, containing security access and purchasing capabilities. Biohax, a Swedish human microchipping company, also hit headlines and troubled trade unions last year, when it announced talks with a number of UK-based employers about microchip fitting.

However, wearable technology is not always quite as extreme, with many employees reaping the benefits of fitness bands and smart watches. Wearable technology can also be used to help keep employees safe. For example, Oxfordshire County Council recently announced that waste recycling teams will be fitted with body cameras to deter physical and verbal abuse from the public.

Whatever the technology, there will always be arguments for and against the introduction of workplace accessories, with the benefits to wellbeing, safety and productivity balanced against the adverse costs, legitimate privacy concerns, risks of discrimination and potential staff morale issues.

However, given the breadth of personal data the technologies are likely to obtain, and the real risk of over-collection or that the data is used for an illegitimate purpose, the biggest adversary for wearable technology in the workplace is likely to be data protection law.

So, what do employers need to think about when introducing wearable technology in the workplace?

Data Privacy Impact Assessments

It is worth noting that the monitoring and/or surveillance of employees, whether through technology or otherwise, is considered a high-risk activity by the Article 29 Working Party (the independent European advisory body on data protection and privacy).

This means that, in accordance with the General Data Protection Regulation (GDPR), an employer will need to carry out a Data Privacy Impact Assessment (DPIA) to assess the necessity and proportionality of its technology plans.

A DPIA is needed to demonstrate the organisation has made an appropriate risk assessment and achieved the correct balance between allowing workers to enjoy privacy at work, and ensuring the interests of the business are protected.

An important step in completing a DPIA is the need to consider whether there are any alternatives to monitoring staff or collecting their data, or whether there are less intrusive options. Fortunately for employers, the Information Commissioner’s Office (ICO) has produced an example DPIA and helpful Employment Practices Code.

Legal basis and justification

A fundamental step for data protection is establishing the lawful basis for processing the personal data obtained via the technology. Put simply, without a specific legal basis, an employer will not be able to process employees’ personal data.

As most businesses will now be aware, there are various bases, including performance of a contract, compliance with a legal obligation, consent and legitimate business interests. For special categories of personal data, such as biometric data and health information, the threshold is much higher.

The basis most likely to be relied upon in respect of workplace tech is legitimate business interests, but with invasive technologies such as microchipping, employers may struggle to justify processing on this basis when balancing their business interests against the rights and freedoms of the individual employee.

Instead, employers will have to seek employees’ consent to the implant for such processing to be lawful. However, businesses will need to ensure this consent is freely given and fully informed, which is a high bar to reach.

Privacy notices

As with any other data processing, employers will need to reflect the data collection obtained via wearable devices in a privacy notice to employees. This is about notifying staff members of what personal data is being collected and why.

Among other things, the notice should contain exactly what type of personal data is obtained, the legal basis for processing the relevant data, who it is shared with, how it is kept secure and how long it is retained for.

The use of third-party processors

The GDPR places an obligation on data controllers (such as employers) to enter into a contract with any third-party data processor they use, such as IT services or cloud providers. Employers will need to ensure a contract is in place containing certain information, such as data security and breach notification requirements.

While the above requirements of data protection legislation may seem onerous, the invasive nature of many workplace technologies and the risk of large fines under the GDPR mean that employers really must consider data protection compliance at the outset.

A fundamental principle of the GDPR is data protection by design and by default. In essence, this means businesses will need to integrate data protection into their data processing activities and business practices, from the design stage and beyond, in the same way that businesses consider cost.
