Employers will likely collect more data as employees return to work, requiring risk management leaders to balance safety, productivity, and privacy.
To better protect employees, an organization decides to distribute wearables among workers when they return to the office following COVID-19. The devices measure proximity to other wearables and emit a small audio signal as a reminder to social distance.
The wearables don’t collect or process any data, and they don’t track where the wearer has been. The result is a wearable that enables the employer to provide employees both safety and privacy without having to trade one for the other.
“The trade-off would be, how much do we invade privacy to offer a certain level of safety?
While balancing safety, productivity, and privacy — three goals seemingly at odds — creates dilemmas for employers, there are ways to achieve all three without trade-offs.
“Take privacy versus safety for example,” says Bart Willemsen, VP Analyst, Gartner. “The trade-off would be, how much do we invade privacy to offer a certain level of safety? It’s making a concession between both values. It would actually be better to try and fulfill both values.”
“The higher the risk, the more important it is to justify that a particular solution is indeed balanced and proportional to the risk we are assessing,” says Willemsen.
Here are six principles to guide risk-based employee data collection.
No. 1: Purposeful processing
If you do decide to collect data, make sure it has a predefined purpose. Once data has fulfilled its purpose, there’s no reason to keep collecting and storing it. Removing data can also lead to significant cost savings for the organization when it comes to storage.
No. 2: Proportionality
Default to the least invasive measure possible to satisfy your goals. Once a measure becomes disproportional to the risk or the purpose can be achieved in a different way, remove it.
No. 3: Subsidiarity
Ask yourself, what amount of data is enough? Can you achieve the same purpose with less personal data or without processing personal data at all? Only collect the minimum amount necessary.
No. 4: Transparency
Don’t do anything in the dark. Be abundantly clear to staff what data you collect, for what purposes, and who has access to it.
No. 5: Mandatory or not
Apply measures equally for all staff to prevent discrimination and protect autonomy.
No. 6: Risk-based
Make decisions in light of the risks you are trying to mitigate and acknowledge that decisions are subject to change. Don’t hesitate to retrace steps taken early and adjust accordingly as things change.
When it comes to returning to the workplace, every decision leads to a certain risk. Following these principles equips employers to assess and mitigate privacy risk by making decisions based on the current situation and continue to measure the relevance of decisions as conditions change.
