Wearable devices: Data protection in the workplace

wearable devicesThis next in our series of articles based on a report by the Article 29 Working Party (‘WP29’), an independent European advisory body on data protection and privacy, looks at wearable devices and the potential implications for the employers of those using them.

Employers are increasingly tempted to provide wearable devices to their employees in order to track and monitor their health and activity within and sometimes even outside of the workplace. However, this data processing involves the processing of health data, and is therefore prohibited.

Given the unequal relationship between employers and employees – i.e. the employee has a financial dependence on the employer – and the sensitive nature of the health data, it is highly unlikely that legally valid explicit consent can be given for the tracking or monitoring of such data as employees are essentially not ‘free’ to give such consent in the first place. Even if the employer uses a third party to collect the health data, which would only provide aggregated information about general health developments to the employer, the processing would still be unlawful.

Also, it is technically very difficult to ensure complete anonymisation of the data. Even in an environment with over a thousand employees, given the availability of other data about the employees the employer would still be able to single out individual employees with particular health indications such as high blood pressure or obesity.

Example: An organisation offers fitness monitoring devices to its employees as a general gift. The devices count the number of steps employees take, and register their heartbeats and sleeping patterns over time.

The resulting health data should only be accessible to the employee and not the employer. Any data transferred between the employee (as data subject) and the device/service provider (as data controller) is a matter for those parties only.

As the health data could also be processed by the commercial party that has manufactured the devices or offers a service to employers, when choosing the device or service the employer should evaluate the privacy policy of the manufacturer and/or service provider, to ensure that it does not result in unlawful processing of health data on employees.

Leave a Reply

Your email address will not be published. Required fields are marked *