Data Privacy and trust in the workplace – is a profound shift underway?

Wearable employee contact tracing devices. Thermal testing at workplace entry points. Mandatory HR health questionnaires.

The above were almost unthinkable just months ago, but Covid-19 has made the previously ‘unthinkable’ essential. 

To reduce the risk of contagion, employers are rapidly investing in new workplace technologies which are fed a stream of worker data to function effectively.

However rather than rejecting these potentially intrusive, data-hungry technologies, or even begrudgingly accepting their introduction for the greater good, employees are in many cases demanding tracking, testing and monitoring as a condition of their return to the workplace. 

Emerging data driven technologies appear to be the key to reassuring workforces (and customer bases) that enterprises are safe to reopen. 

Will this change in attitude be temporary, or is it the sign of a more fundamental shift in employee attitudes?

Trust is vital in the future of workplace data

At a moment where privacy concerns are receding, it is more vital than ever for employers to retain trust in how they are using data. Any breach of trust at this critical moment would have a decades-long impact. Imagine if data was mis-used now. After that:

• Why would an employee willingly surrender their heath information to their employer when, during a deadly pandemic and at their most vulnerable, their employer had failed to keep their health data safe and secure?
• Why would a data protection authority permit wearable tracking technologies when, during a time of heightened fear and anxiety, employers misused these technologies to unfairly monitor the performance of their workforces? 
• Why would lawmakers relax workplace privacy rules relating to telecommunications technologies when, during a time of complete dependence on technology to perform roles remotely, employers had secretly spied on their employees’ private conversations? 

Employees are trustingly trading privacy norms in return for safety and the ability to work remotely.  Breaches of trust now are likely to have a real impact on privacy attitudes in future. 

Luckily in the UK, Europe and other parts of the world with robust, principle-based privacy laws, employers are already required to maintain the trust of those whose data they process. Covid-19 hasn’t reduced these requirements.

In fact, the crisis has magnified their importance. Many are well aware of their obligations and are complying at a high standard, including both employers and the companies tasked with designing the technology. 

“Privacy by design and by default” has gone from being a hypothetical concept in many organisations to an active tool in helping to work out how to ensure any processing of data related to COVID-19 is processed lawfully. 

So, how can trust be retained?

1. Transparency

As a general rule, the more unusual the processing, the more granular the information provided about the processing needs to be. 

“Unusual technologies” implemented during these “unusual times” will normally call for heightened transparency efforts. An existing workplace privacy notice isn’t likely to cover contact tracing, thermal testing or systematic mandatory health screening.  

Whilst there is a need to convey information comprehensively, the aim is not to overwhelm employees but to generate trust.

2. Data minimisation, retention and purpose limitation

To maintain trust, employers must only ask for what is strictly necessary for their purposes. For instance, does a contact tracing solution really need GPS data to work effectively? In most cases, the answer is no. Information should only be stored for the length of time strictly necessary to achieve the stated purposes.  In the case of retaining health data, this might be a matter of days or even shorter in some cases (consider how long an employer really needs temperature check data at building entry points).  Any data collected should only ever be used for the stated purposes.  Minimising the data collected, and deleting it once it is no longer needed, reduces the temptation to misuse data.      

3. Security and due diligence

With so many workplaces collecting so much new information, data security considerations need to be front and centre - and this doesn’t necessarily mean focusing on security against “outside threats”.  Should a junior HR person really be responsible for collating intrusive health questionnaires received from every member of the workforce?  Should the collated data be able to be copied locally to the HR employee’s laptop?  Should the HR employee be able to send that health data outside of the organisation? A threat to security can just as easily come from within than it can from outside.   If third party service providers have been engaged to help with the return to work, employers need to conduct due diligence on those third parties to ensure that the security of any personal data provided is sufficiently guaranteed.  With demand high, unscrupulous services providers are likely to pop up seeking quick profits and employers, as data controllers, are ultimately responsible for their workers’ health data transferred outside of the business. 

4. Data Privacy Impact Assessments

“Large scale”. “New technologies”. “Health data”.  “Monitoring and surveillance”. 

Alarm bells are ringing left, right and centre indicating that Covid-19 return to work technologies will often involve high risk data processing.  A DPIA is a risk assessment which assesses proposed new processing activities against the privacy principles.  It is an essential tool to demonstrate compliance, prevent breaches, and maintain trust between an employer and its workforce. 

5. Privacy by design and default

As the virus spreads quickly from person to person, there is an imperative on innovators to move even quicker in designing and developing new technologies. 

Making privacy principles core to the design of new technologies from their very inception avoids trips back to the drawing board later in the process and the delays that would inevitably follow. 

When we look back on the data privacy relationship between employers and employees in the future, there is no doubt Covid-19 will seen be a critical juncture. Whether it’s remembered as a moment where trust in data grew or shattered will be due to how employers handle this critical period.

Madeleine leads Lewis Silkin’s award winning Future of Work Hub initiative which brings HR professionals, business leaders, futurists, academics and commentators together to explore their perspectives on the future of work.