The privacy concerns raised by the Internet of Things (IoT) have focused mostly on the consumer, whose personal data is captured in a growing list of goods, including mobile devices, fitness trackers, cars, and home appliances.
Less attention has been paid to the privacy of employees interacting with IoT in the workplace. For ample reasons, innovation in so-called industrial IoT (IIoT) is projected to explode in coming years. With the latest technologies, companies can better manage and track their inventory; automatically spot and service equipment failures; create safer work environments; and improve employee efficiency. These improvements are made possible through real-time communication between machines with software that collects and interprets vast amounts of data.
But companies investing in these technologies should be aware of potential legal-privacy risks that await. Even if it’s not their primary function, many IIoT applications could be used to monitor employees in unintended ways. Use of such data, if it’s not obtained properly, could damage a company’s reputation or put it on the defensive in litigation.
Take, for example, sensors that some industrial companies embed in employee uniforms and helmets. These kinds of sensors can detect hazardous conditions such as toxic gases, or warn of over-exertion based on the reading of an employee’s heartbeat. Or consider GPS-enabled devices or mobile applications that permit employers to track the precise physical location of workers in order to deploy them most efficiently to new work assignments.
But what if information gleaned from these devices was used to detect patterns about an employee’s movements, which could be used to draw negative conclusions about the employee’s efficiency or performance? An employee’s slow pace in moving between work stations, or frequent departures for bathroom breaks, might be due to a legally protected medical condition rather than laziness. Penalizing the employee based on this data might set the employer up for a disability discrimination claim. Similarly, an employer may face whistleblower or retaliation claims if a manager is able to use location data to figure out which employee went to the human resources office to lodge a complaint about him or her. It is inevitable that employers will seek to use IoT data to better manage their employees, as well as their inventory and equipment, but employers will need to guard against inappropriate or even unlawful uses of this data.
The sensors do not need to be carried by the employees to raise potential privacy concerns. In a connected workplace, data about employees can be captured in any number of ways. Sensors connected to equipment (forklifts, for instance) could provide detailed information about an employee’s movements. Again, harvesting and using this data could open up a Pandora’s box.
Unfortunately, a myth persists that an employee’s privacy rights end the moment he or she walks through an employer’s door. The reality is more nuanced in the United States, where employees can and do bring claims against their employers alleging that monitoring activities invade their privacy, especially when the monitoring is high-tech or unexpected. And the myth is fundamentally wrong in places outside the United States, such as in Europe, which views privacy as a fundamental human right that follows employees into the workplace and thus imposes broad restrictions for monitoring employees.
Other stakeholders may have a say in employee monitoring as well. Unionized employers will need to consider their potential obligations to consult or bargain with the labor unions over employee monitoring programs. Employers will also need to assess their obligations under local employment laws to consult with works councils or other employee representatives and potentially to register certain employee monitoring activities with (or even seek approval for them from) local data protection authorities. Employee monitoring activities that may be permissible in one country may be problematic in another, so it is important to consider local laws and practices.
To reduce the risk of employee claims and reputational harm, companies should keep a few best practices in mind:
- Give proper notice to employees. Office workers are used to receiving privacy notifications from their employers when they log onto their work computer. Similar notifications should be given to employees who are interacting with the IIoT.
- Be thoughtful about what you collect and collect only what you need. In seeking to improve workplace efficiency and safety, it’s natural to want more data. The richer the data, the better the conclusions that can be drawn about what needs improvement. But the more data collected, the more likely you could run into unforeseen legal consequences. Generally, when deciding what information to collect, make sure there is a strong business case that outweighs privacy concerns for individuals. In court, it’s harder to defend data collection seen as excessive.
- Be thoughtful about how long you maintain the data. With data storage so cheap, it may be tempting to keep data for extended periods of time. But again, the longer you keep data, the more potential for legal risk. If maintaining data for long periods is critical, think about aggregating data so it’s no longer personalized.
Christine E. Lyon is a partner with Morrison & Foerster. She advises organizations on cutting-edge issues related to the collection, use, sharing, and safeguarding of data, including personal information of customers and employees.