The next in our series of articles based on a report by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy, looks at wearable devices and the potential implications for the employers of those using them.
Employers are increasingly tempted to provide wearable devices to their employees in order to track and monitor their health and activity within, and sometimes even outside of, the workplace. However, this involves the processing of health data, and is therefore prohibited.
Given the unequal relationship between employers and employees – i.e. the employee has a financial dependence on the employer – and the sensitive nature of the health data, it is highly unlikely that legally valid explicit consent can be given for the tracking or monitoring of such data, as employees are essentially not ‘free’ to give such consent in the first place. Even if the employer uses a third party to collect the health data, and that third party provides only aggregated information about general health developments to the employer, the processing would still be unlawful.
Also, it is technically very difficult to ensure complete anonymisation of the data. Even in an environment with over a thousand employees, given the availability of other data about the employees, the employer would still be able to single out individual employees with particular health indications such as high blood pressure or obesity.
Example: An organisation offers fitness monitoring devices to its employees as a general gift. The devices count the number of steps employees take, and register their heartbeats and sleeping patterns over time.
The resulting health data should only be accessible to the employee and not the employer. Any data transferred between the employee (as data subject) and the device/service provider (as data controller) is a matter for those parties only.