With the rapid development of tracking apps to help reduce the spread of infection and increased testing capabilities, individuals are surrendering vast amounts of health, contact and location data. Alongside this, the availability of worker surveillance and analytics technology to monitor new swathes of the workforce working from home is on the rise.  How employers respond and adapt to new and emerging technologies while meeting their privacy and health and safety obligations will play a significant part in defining employee, consumer and wider stakeholder trust in organisations in the future.

At our virtual event in collaboration with the RSA, we looked at how the pandemic is shaping attitudes towards data privacy as society makes significant trade-offs between established freedoms and safety.


Covid-19 and workplace technology

Wearable employee contact tracing devices. Thermal testing at workplace entry points. Mandatory HR health questionnaires.

The above were almost unthinkable just months ago, but COVID-19 has made the “unthinkable” essential.

To reduce the risk of contagion, employers are rapidly investing in new workplace technologies which, to work effectively, are often fed a stream of worker data. 

However, rather than rejecting these potentially intrusive, data-hungry technologies, or even begrudgingly accepting their introduction for the greater good, employees are in many cases demanding tracking, testing and monitoring as a condition of their return to the workplace. Emerging data-driven technologies appear to be the key to reassuring workforces (and customer bases) that enterprises are safe to reopen.

After Covid-19: safety vs data privacy

When “safety” faces off against “privacy” it appears that, at least whilst the deadly virus continues to menace us, privacy now takes a back seat in the minds of employees. And all this just two years after the introduction of the GDPR, a time when workers and consumers are more aware of their privacy rights than ever and data protection authorities finally have the regulatory tools at their disposal to demand compliance.

This sudden reprioritisation of what’s important to us (safety over privacy) likely also means that our collective attitude towards privacy rights is being reshaped in the long term. What was once “creepy” may in many cases eventually become the norm. COVID-19 did not, however, start this process. One wonders whether the mid-2000 versions of ourselves would have been thrilled at the prospect of global, market-dominating technology companies storing our biometric records for facial recognition, a feature which in 2020 comes as a standard security offering on most mobile phone models.

Trust plays an essential role in changing long-term attitudes towards privacy

The actions being taken by employers now are likely to have long-lasting effects on employee trust after the threat of the virus eventually subsides.  In a post-COVID-19 world:

  • Why would an employee willingly surrender their health information to their employer when, during a deadly pandemic and at their most vulnerable, their employer had failed to keep their health data safe and secure?

  • Why would a data protection authority permit wearable tracking technologies when, during a time of heightened fear and anxiety, employers misused these technologies to unfairly monitor the performance of their workforces? 

  • Why would lawmakers relax workplace privacy rules relating to telecommunications technologies when, during a time of complete dependence on technology to perform roles remotely, employers had secretly spied on their employees’ private conversations? 

Employees are trustingly trading privacy norms in return for safety and the ability to work remotely.  Breaches of trust now are likely to have a real impact on privacy attitudes in future. 

Data privacy legal framework

Luckily, in the UK, Europe and other parts of the world with robust, principle-based privacy laws, employers are already required to maintain the trust of those whose data they process. COVID-19 hasn’t reduced these requirements.

On the contrary, the health crisis has magnified their importance, and many are well aware of their obligations and are complying at a high standard, including both employers and the companies tasked with designing the technology. “Privacy by design and by default” has gone from being a hypothetical concept in many organisations to an active tool in helping to work out how to ensure any processing of data related to COVID-19 is carried out lawfully.

Key requirements of maintaining data privacy trust are:

Transparency 

As a general rule, the more unusual the processing, the more granular the information provided about the processing needs to be.  “Unusual technologies” implemented during these “unusual times” will normally call for heightened transparency efforts.  An existing workplace privacy notice isn’t likely to cover contact tracing, thermal testing or systematic mandatory health screening.  Whilst there is a need to convey information comprehensively, the aim is not to overwhelm employees but to generate trust.

Data minimisation, retention and purpose limitation 

Fear of exposure to the virus might mean that, in the name of safety, vulnerable workers are willing to hand over more personal data than they otherwise would. Economic pressures might mean that an employee feels they have no choice but to agree to providing their employer with intrusive information about themselves as a condition of returning to work. To maintain trust, employers must only ask for what is strictly necessary for their purposes. For instance, does a contact tracing solution really need GPS data to work effectively? In most cases, the answer is no. Information should only be stored for the length of time strictly necessary to achieve the stated purposes. In the case of retaining health data, this might be a matter of days or even shorter in some cases (consider how long an employer really needs temperature check data at building entry points). Any data collected should only ever be used for the stated purposes. Minimising the data collected, and deleting it once it is no longer needed, reduces the temptation to misuse data.

Security and due diligence

With so many workplaces collecting so much new information, data security considerations need to be front and centre - and this doesn’t necessarily mean focusing on security against “outside threats”. Should a junior HR person really be responsible for collating intrusive health questionnaires received from every member of the workforce? Should the collated data be able to be copied locally to the HR employee’s laptop? Should the HR employee be able to send that health data outside of the organisation? A threat to security can just as easily come from within as it can from outside. If third-party service providers have been engaged to help with the return to work, employers need to conduct due diligence on those third parties to ensure that the security of any personal data provided is sufficiently guaranteed. With demand high, unscrupulous service providers are likely to pop up seeking quick profits and employers, as data controllers, are ultimately responsible for their workers’ health data transferred outside of the business.

Data privacy impact assessments

“Large scale”. “New technologies”. “Health data”.  “Monitoring and surveillance”.  Alarm bells are ringing left, right and centre indicating that COVID-19 return to work technologies will often involve high risk data processing.  A DPIA is a risk assessment which assesses proposed new processing activities against the privacy principles.  It is an essential tool to demonstrate compliance, prevent breaches, and maintain trust between an employer and its workforce. 

Privacy by design and by default

As the virus spreads quickly from person to person, there is an imperative on innovators to move even quicker in designing and developing new technologies.  Making privacy principles core to the design of new technologies from their very inception avoids trips back to the drawing board later in the process and the delays that would inevitably follow. 

Future attitudes towards workplace data privacy

With pressures from multiple angles to reopen and begin trading, it may, however, be tempting for some employers to rush to put in place new technologies without considering privacy rights and implications. After all, we are in the middle of a health and economic crisis and delays could cost not only jobs and profits, but lives. But by ignoring privacy implications, the trust which is essential for the permanent adoption of data-driven workplace technologies might be irreversibly damaged.

On the other hand, embedding a culture of respect for privacy into the fabric of workplaces during this crisis is likely to lead to greater acceptance of future emerging technologies by employees, their representatives, regulators and lawmakers.  This could lead to a greater acceptance of AI and data analytics in the workplace, revolutionising HR.  Imagine:

  • Facial recognition and other biometric technologies being accepted by workforces as a more secure alternative to key passes and PINs. 

  • An increased use of multiple sources of communications technologies enabling more connectivity between employers and employees and greater flexibility around where and when work is performed.

  • A greater acceptance of entrusting health information to employers so that employers can play more of a role in promoting wellbeing at work. 

Trust vs distrust of data collection

Viewed through the prism of trust, the prospects above look to be great steps forward in workplace security, productivity, health and wellbeing.

But viewed through the prism of distrust, the above look to be an insight into a scary and dystopian new world:

  • “Biometrics for security” becomes “an identity theft risk”. 

  • “Connectivity for workplace flexibility” becomes “unfair surveillance and monitoring”. 

  • “Health data for the promotion of wellbeing” becomes “career killing profiling on medical grounds”. 

Now is the time to shape our post-Covid-19 attitudes towards technology and privacy. 

Please join us on 2 July -  Data privacy and trust in the workplace – is a profound shift underway?
