Wearable fitness trackers such as Fitbit are promoted as useful tools for employee wellbeing programmes. But employers that collect and monitor data from this technology risk breaching data protection law if their policies and procedures are not kept up to date. Clare Gilroy-Scott of law firm Goodman Derrick advises.
Many people sport fitness tracking devices and/or smartwatches – forms of wearable technology which not long ago seemed futuristic but are now familiar accessories. These developed from wearable medical technology – devices worn on the body which are able to assess and record detailed physiological data about the wearer – to fashion-forward fitness trackers.
Wearable fitness trackers at work
Such wearable tech is increasingly being introduced into the workplace, often as part of an employer’s “corporate wellbeing” scheme. It is believed that around 202 million wearable devices were given out by employers in 2016. A recent study by consultancy PwC described such devices as having “the potential to unlock a new world of opportunity for both employers and employees, offering key information to understand and manage the workforce and increase employee engagement”.
Data protection and monitoring employees
An important factor for employers in providing wearable devices to staff is to assist employees with managing their personal health.
PwC’s most recent survey on workplace wearables found that 65% of respondents think that technology has a real role to play in their health and wellbeing, with such devices capturing and recording activity levels and providing feedback on exercise and diet.
The PwC report found that 61% of employees were “keen for their employer to take an active role in their health and wellbeing”.
Such corporate wellbeing schemes are a means of tackling absenteeism costs – a useful tool for employers, while providing a “benefit” for the employee. However, it is not unusual for the data from wearable devices to be recorded, and through these devices it is possible that the employer is able to track significant data on employees, including information such as location, hours worked, rest breaks and even activity levels.
Employees may not be aware of the data and security issues, taking advantage of free kit without realising that they may be giving away personal information. Some employer schemes involving fitness trackers encourage open targets and records of achievement. Employees may enter data on consumption of water, with the device recording the number of steps taken. The information on the device, along with the data of other employees, is in some cases recorded on a tally available for others to see.
What are the employment law implications?
Wearable devices raise issues about monitoring, data security and privacy that may not have been fully addressed by employers or appreciated by employees. Does the employer have a legal right to such monitoring, and does it process or store data from devices in accordance with the requirements of the Data Protection Act 1998 (DPA)?
Under the DPA, such data must be processed lawfully and fairly. Employees should be informed about the purposes for which their data is going to be processed. In the employment context, the processing of data must have employee consent, or it must be necessary as part of the employment contract, or else needed for the employer’s legitimate business interests.
As well as data protection issues, there are rules about monitoring and surveillance in the workplace. Employees should be informed about the extent of monitoring and how it might be carried out and the purposes for it.
What should employers do if they provide wearable fitness trackers?
Employers offering such devices would be well-advised to formulate clear policies on how the information from such devices may be processed, stored and used by them. It is likely that internal policies on monitoring and use of IT systems, equipment and communication, as well as data protection, will need to be reviewed and updated.
If you process data from wearable technology provided to employees, ensure that you are transparent about all the probable purposes for which the data may be processed. You should also not store data which is not accurate or up to date.
Your policy should preferably indicate how long the data will be stored, if stored by you rather than the employee. Data should also be held securely and guidelines set for employees who deal with the data collected. Perhaps make clear that misuse of such data is a disciplinary offence and provide training on data processing where necessary.
As with other electronic communications and telecommunications, employees should be notified if their devices are monitored, and of the nature, extent and purposes of that monitoring.
Remember that explicit individual consent is required to process sensitive personal data – this includes information about physical health or condition – to be expected in the case of a Fitbit provided as part of a corporate wellness programme. The sensible approach would be to get individual consent in all cases and to provide clear guidelines for employees on data capture, monitoring, storage and use.