Opinion: organisations collect a range of information about those who work for them, but when does this interfere with an employees' right to privacy?

By Caroline Murphy and Jean McCarthyKemmy Business School, University of Limerick

There has been much discussion about how much personal information companies hold about their customers and service users. This is something which will increase with the new General Data Protection Regulations (GDPR) coming into effect in May. But how many of us have considered how much information our employers hold? And, more importantly, just what do our employers do with that information?

The old adage of "what gets measured gets done" has long been the hymn sheet in business. While the phrase may be a cliché, the message is clear: measuring work and employee behaviours at work provides employers with the information needed to confirm whether targets are being met. While measurement and metrics have long featured in business areas like production, sales, and marketing, it is only recently that organisations are dedicating time to sophisticated analysis of human resources (HR) related data. As such, Human Resource Analytics (HRA) is an emerging practice, which aims to facilitate improved decision-making by applying sophisticated analyses to existing HR data about employees from multiple sources.

The business case for HRA is obvious; companies invest a great deal of time and money in programs designed to select the best applicants, train employees, provide performance feedback and the like, but they rarely evaluate whether these efforts actually work. In recent years, companies like Google have started to use HRA in an effort to evaluate the impact of their people practices on firm performance

"One of these questions is whether and when data collection efforts invade the privacy rights of employees"

The Chartered Institute of Personnel Development claims that HRA is now the "must have" HR capability, and a spate of HRA products and training programmes are now available. While these advances in analytic capabilities are likely to be beneficial to both organisations and employees, important questions are beginning to emerge about the data collected for these analyses. One of these questions is around whether and when these data collection efforts invade the privacy rights of employees. 

What do employers know about you?

Employee data includes a mix of information about individuals (e.g. age, gender and nationality, specific qualifications and skills the employee may have), their job history (pay, promotions and project involvement) and their work behaviour (attendance, participation in training activities, job performance). Viewed in isolation, most of this data appear quite innocuous. However, when multiple sources of personal employee data are combined and analysed, information about individual employees can become quite easily identifiable. This is the point at which employees should become concerned about their privacy, and consider how this data is stored, used, and who has access to it.

The use of CCTV and possibly GPS tracking were once the main concerns of employees in relation to their privacy. Now, organisations have more options available to them than ever before to monitor their employees. The use of wearable technology, badges, biometric data, video and audio surveillance of facilities significantly boosts employers monitoring capabilities with regard to employee movements, location, and interactions with others. In addition, employee activity can be tracked by monitoring phone usage, email, internet searches and downloads. 

As an employee, what should your employer allow you to know about your data?

Most employees bring mobile phones or other devices to the office that have the capability to collect and sometimes transmit data about the users. Data of this sort could potentially be used in decisions about the introduction of new workplace initiatives, workplace design and staffing.

However, the ability to gather so much data inevitably raises privacy concerns. In the US, states like California, Minnesota, Texas, and Tennessee have limited when and how GPS and related technologies can be used. A real issue of concern for employees here relates to BYOD (bring your own device). Considering how many of us now use our personal devices such as smart phones in a work context, it is worth considering how much data we are potentially making available to our employer.

The employers’ right to monitor versus the employees’ right to privacy

There is an ethical dimension to HRA that must be considered. While having the ability to use data to influence workplace dynamics can be very positive for HR leaders, there is a flipside that must be considered for employees. Employees can be fearful of how decisions could have a negative impact on their lives. In one organisation, for example, an algorithm designed to examine employee turnover and attrition trends identified that those living further away from the office were more likely to leave the company. However, the group identified as living further away were also more likely to be from less advantaged backgrounds. Therefore, the company risked discriminating against people in its hiring practices based on the algorithm.

"As an employee, what should your employer allow you to know about your data?"

Employers should be mindful in how they use particular data since it could give way to legal claims from employees. Suppose an employee refuses to give their consent to process his or her data, and is subsequently not promoted, but others are.  This employee could potentially claim they are being discriminated against.  A ruling by the European Court of Human Rights in 2017 combined with GDPR guidelines reveal how important it is for employers to strike an appropriate balance between allowing employee’s privacy rights at work and monitoring employee behaviour in the interests of the business.

Employers should give due consideration to the form and legitimacy of the employee data they collect and monitor. Given the inherent imbalance of power between employers and employees, the argument that data was gathered with the consent of the employee may be an insufficient defence for an employer, where the data gathered or analysed is deemed to be beyond the scope of meeting business needs.

Drawing a line in the sand 

The most basic step organisations should take before embarking on HRA is to ensure that employees are made aware of what data is being collected about them, by whom it can be accessed, how it is being controlled and, importantly, what is its intended purpose. The new GDPR is very clear in this regard, affording much greater rights to employees to request information on personal data held about them.

Organisations can certainly use HRA on aggregated employee data to predict metrics like employee turnover without the danger of crossing the line into personal data. However, performing analysis on data based on a small cohort of employees is something that organisations need to be cautious about; data from small cohorts makes it easier to identify individuals, even if names and other identified are not part of the data file. This potential for exposure creates vulnerabilities, in part rendering data susceptible to falling into the definition of "personal data" under the GDPR (Article 4 of the GDPR). 

Workers at the Tayto crisp factory in 1970

The GDPR defines personal data as any information related to an identified or identifiable natural person (data subject), where the person can be identified directly or indirectly by name; ID number; location data; online identifiers; or factors relating to physical; physiological; genetic; mental; economic cultural or social identity. In fact, much of the data employers gather falls in to the category of sensitive personal data which includes race or ethnicity, sexual orientation, physical or mental health, genetic or biometric data, criminal records or trade union membership. 

How can I find out what information my employer holds about me?

Employers may well consider data information requests as vexatious, but employees have a right to request such data where they have genuine concern about their privacy. The GDPR gives data subjects, and therefore employees, rights make a data access request (free of charge) covering a broader scope of information. Employers must process the request within one month.

As an employee, what should your employer allow you to know about your data? If an employee makes a data access request, an employer is expected to make employees aware of the purposes for processing the data, any categories of personal data held and whom the data has been or will be disclosed to. They must also disclose the period for which data will be retained and whether the data has been used in automated decision making. Importantly too, an employee has the right to request rectification or deletion of certain data. In short, if in doubt about your privacy as an employee, ask!

Dr Caroline Murphy is a Lecturer in Employment Relations with the Department of Personnel and Employment Relations at the Kemmy Business School, University of Limerick. Dr Jean McCarthy is a lecturer in the areas of Human Resource Management, Organisational Behaviour and Human Resource Development with the Department of Personnel and Employment Relations at the Kemmy Business School, University of Limerick

The views expressed here are those of the author and do not represent or reflect the views of RTÉ