About a year ago, the U.S. Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission (FTC) issued a warning to hospital systems and telehealth providers about the privacy and security risks associated with online patient health tracking technologies. Specifically, the agencies’ warning focused on the common use of personally identifiable data in these tracking systems—including names, IP addresses and device IDs—and the fact that patients’ information may be disclosed, without permission, to third parties.
There’s potential for this same type of enhanced oversight to work its way into other business settings. In truth, no business is immune to the risk of failing to handle and protect employee data appropriately—and being held liable for it.
Recognizing the Risk
Seth Barany is an attorney and legal product associate at SixFifty, an automated legal expertise platform based in Salt Lake City. The dangers involved in handling personally identifiable data can sometimes be hidden or subtle, Barany noted.
“As was detailed in the FTC’s recent warning to the health care industry, the websites or mobile apps that employers use to host these data collection tools can sometimes have online tracking technologies embedded in them that share employee data with third parties without the employer’s knowledge or the employee’s consent,” Barany said.
This most often happens, Barany pointed out, when an online tracker deployed on the public-facing portion of a website—a third-party advertising tracker like Google Analytics or Facebook Pixel, for instance—is also loaded on a different, internal part of that same website that is used to collect or manage employee data.
“If the employer does not take adequate steps to ensure they have disabled the tracking technology on the internal portion of their website, that technology could be capturing employee data and sharing it with third parties,” he said.
The Power of People Data
In a technology-enabled world where “people analytics” has become a quickly growing aspect of HR practice, data about employees has taken on increased importance for companies of all sizes and types.
Cristian Grossmann is CEO and co-founder of Beekeeper, a global platform headquartered in Zürich, Switzerland, that helps companies engage their front-line, “deskless” workforce. “Workplace data and employee analytics play a pivotal role in helping an organization create an environment that fosters employee engagement and a positive employee experience,” Grossmann said. “This is why, now more than ever, it is imperative for businesses to find ways that allow them to facilitate internal communication without sacrificing data privacy in the process.”
But the use of that data comes with potential risk, as Barany noted. Employers need to ensure that they fully understand exactly what type of tracking is being done and what type of data third-party vendors may have access to.
While some technologies only capture the page titles and URLs someone visits, “others track everything a user clicks on a given webpage and send it all to a third party,” Barany noted. “This means, if an employee logs in to an HR portal that is equipped with tracking technologies, it is possible that all of the information that employee accesses in the portal (e.g., payroll information, demographic data and even a Social Security number) could be disclosed without the employee’s consent.”
People Privacy Concerns
“The privacy implications surrounding employee data collection and its use in people analytics are significant and multifaceted,” said Paul Schmeltzer, a health care and cybersecurity attorney with Clark Hill, a law firm headquartered in Detroit. Of paramount concern, he said, is that employee data often includes sensitive details like personal contact information, financial data, health records and performance evaluations.
“In the quest for hyper-personalization, HR and IT leaders must tread carefully to strike a balance between personalization and privacy,” said Lawrence Guyot, president of ETTE, an IT technical support and consulting firm based in Washington, D.C. At ETTE, he shared, “we take privacy quite seriously and process data on a need-to-know basis, ensuring General Data Protection Regulation [GDPR] compliance. This has created a sense of trust within our teams while enabling us to personalize our employee experiences.”
Online tracking technologies can also raise risks for employers, Schmeltzer said. “The use of tracking technology inevitably results in larger amounts of employee data stored digitally, which could lead to an increase in the employer’s risk of cyberattacks, data breaches or unauthorized access,” he said.
Remote employees may face heightened privacy challenges, Grossmann pointed out. “Employees want to be connected, and it is our job as leaders to help them get connected safely,” he said. “So, using administrative tools that can aid in monitoring and protecting employee, company and personal data alike is the first step to take when looking to ensure safe internal communication.”
For instance, Grossmann recommended using GDPR-compliant management tools that provide secure group messaging, fully monitored user controls and transport layer security (TLS) with 256-bit encryption.
Laws You Need to Know
Once employers start collecting workers’ data, they are subject to certain laws and regulations. “Extensive data collection, especially in areas like monitoring employee emails, internet usage or location tracking, raises concerns about invasion of privacy and surveillance,” Schmeltzer said. “Sharing or outsourcing data analytics to third-party vendors introduces additional risks if these vendors do not adhere to the same privacy and security standards.”
There are a number of data protection regulations that govern the collection, storage and use of personal data, Schmeltzer said. Noncompliance could lead to legal repercussions and hefty fines. For example, he pointed to the California Privacy Rights Act, which augments the California Consumer Protection Act and “addresses businesses’ need to disclose the use of digital trackers, even if that data may have not constituted a ‘sale’ to third-party advertisers.”
Businesses that target California consumers or have California employees, Schmeltzer said, “must clearly notify users when sharing personal information with third parties and provide an opt-out for the sale or sharing of personal information on their webpage.”
The capture and use of people data is fraught with risks, but there are some important steps HR leaders can take to help minimize those risks.
How to Reduce Risk
In addition to ensuring that “robust security measures are in effect to safeguard sensitive information,” Schmeltzer said, employers can mitigate risks by “clearly communicating data collection methods and purposes and seeking explicit consent from employees before gathering their data.”
Schmeltzer also recommended that employers use “techniques like anonymization and aggregation to protect individual identities while still extracting valuable insights from data, collecting only necessary data, and ensuring its relevance to the intended analysis.”
Lin Grensing-Pophal is a freelance writer in Chippewa Falls, Wis.