Organizations must protect their staff data privacy – while improving office ergonomics

In addition to the legal requirement to protect the physical well-being of all their employees, large organizations also have a legal requirement to protect the data privacy of their workforce. This means that organizations must strike a balance between these two legal requirements to achieve a safe, productive, compliant and caring workplace.

In most developed countries there is now legislation covering employee data privacy. For example, there has been lots of publicity about the new European General Data Protection Regulations (GDPR), but there is now similar privacy legislation in Canada, Australia and New Zealand as well. Considering that GDPR covers every European Union citizen, even when they are not living and working in the EU, many multi-nationals have taken the simplest approach of basically standardizing on GDPR compliance worldwide. GDPR has almost become a de facto world standard.

However, although GDPR has some specific requirements, and also has some very strong ‘teeth’ (i.e. financial penalties for non-compliance), at its heart GDPR shares the same basic principles as all other privacy legislation. These principles are not really too difficult to understand and implement as standard policies. They can be summarized as follows:

  1. Any data about employees should only be collected when there is a specific purpose justifying that collection. Organizations can never collect data only because it “might be interesting or useful one day”.
  2. The amount of personal data that is collected should always be limited to just that specific data which is needed to fulfill the specified business purpose.
  3. Personal data should generally not be used for any other purposes than the purpose for which it was collected.
  4. Employees should be accurately informed about all data being collected about them and the specific purpose for which it is being collected.
  5. Employees have the right to request access to any data stored about them.
  6. Data should not be kept any longer than is necessary to achieve its specified purpose.
  7. Data should never be transferred to a foreign country unless it can be fully assured that the data will be only used in accordance with the privacy requirements of the originating country.

Furthermore, when accessing and using this employee data:

  1. Access to the data should only be provided to those people who have a legitimate need to use that data for the specified business purpose (and in accordance only with the original purpose of its collection).
  2. When someone is given access to the data, they should only be given access to the minimum data that is required for them to complete their assigned task.
  3. Access to sensitive personal data, such as health information, should only be provided to people who are qualified or trained to understand and interpret the information correctly.

The difference between personal and non-personal data

Data privacy requirements only apply to “personal data”. This means: any data that relates to a specific individual person who can be identified through an analysis of the data.

Group level, non-personal data, such as averages or distributions, where specific individuals cannot possibly be identified with analysis, are therefore not covered by the restrictions of data privacy legislation. This is a very important point to keep in mind. It means anonymous and aggregate data has far fewer restrictions on it.

However, when using aggregate data it must be ensured that the group size used is sufficiently large that information about individual members of the group cannot be inferred through analysis. For example, if high stress levels occur for 66% of the members of the group, and there are only 3 people in that group, then it’s going to be very easy to identify the employees that have this issue present. So the information in this hypothetical case must be treated as “personal data”.

Do you need employee consent to collect personal data?

The short answer is no – if you are collecting data for legitimate health and safety purposes you do not need employee consent.

Employee consent may in general be recommended for collecting and using data, particularly sensitive data such as that related to health. However, most national data privacy legislation has specific exemptions around consent for the collection of data for health and safety purposes.

Employers have a legal responsibility to ensure the health and safety of their employees at work, and most health and safety legislation specifically requires the collection of employee information as part of conducting risk assessments or for the identification of early signs of injury (e.g. early reporting of discomfort). Data on exposure (time on computer, number of breaks), pain symptoms, workstation setup and posture, and even psychosocial factors, are all legitimate data for the purposes of conducting accurate risk assessment.

If an employer cannot fulfill their legal responsibilities without collecting this information then employee consent is not required. In fact, health and safety legislation normally places a responsibility on employees to co-operate with data collection, as employees also have a duty of care to ensure their own health and safety at work. This includes co-operating with any employer initiatives aimed at achieving health and safety improvements.

So an employer’s legal responsibility to ensure the safety of their employees trumps the employee’s right to privacy. If we think about this, it makes good sense. How can an employer provide a safe workplace if employees can withhold information needed to fulfill this? For example, if it is a requirement that employees on a construction site prove that they are wearing steel-capped boots and that they sign an in/out register to track who is on site, the employee can’t refuse consent to provide this data.

Although health and safety obligations override data privacy restrictions when it comes to the collection of appropriate data, those restrictions still apply to the use of, and any access to, this data once it’s collected. This means the data on individuals’ health and safety should only be used for the purposes of health and safety, and access to it should only be by those staff responsible for health and safety.

This does not preclude the use of the data for other purposes in an aggregate or anonymized form. However, it is recommended as good practice to inform staff if the data is to be used for any other purposes, even if this is done in an aggregated and therefore anonymous form.

How should organizations inform staff about data collection?

There are three key pieces of information that staff typically should receive in relation to the collection and use of any of their personal data:

  • What data will be collected?
  • How will the data be used?
  • Who will have access to the data?

Because the gathering of data on, for example, computer use and breaks may be a new concept to staff, it will always be helpful to provide them with background on the projects and objectives that the data is being gathered to address. For example, it makes sense to remind staff that as an employer the organization is legally responsible for their health and safety at work and that this means the organization must take appropriate steps to protect them from the risks of RSI/WMSD. It also makes sense to explain that one of the steps to achieve this protection is collecting ‘exposure data’ for each employee to measure their exposure to the risk factors that can lead to computer use injuries.

It is perhaps also a good idea to refer employees to some background information on RSI risks, causes and prevention, which explains the multi-factorial nature of RSI.

What access to data should management have?

Organizations should review their EHS processes and determine what responsibilities their managers are expected to take on regarding the health and safety risks of their reporting staff. As access to personal data by their own manager is likely to be the most sensitive area for employees, restricting access by managers to only that data needed to fulfill their responsibilities is very important. The manager may therefore only need to look at group level information to identify whether risks are high, and what the common risk factors are. They can then call on EHS assistance to help address risks on an individual basis among their staff if risk levels are high.

How should access to detailed personal data be restricted?

With an ergonomics risk management tool, such as Wellnomics Risk Management, it’s possible to provide basic reporting on computer use statistics, such as time using the computer, time using the mouse, number of days using the computer, and number of breaks taken. Generally speaking, access to this data is not needed to manage the health and safety of employees. However, in some circumstances these statistics may be helpful in better understanding the work patterns of a high risk employee or an employee who has reported an injury (have they been working 7 days a week? Have they been working overtime with days of over 8 hours at the computer?). These statistics can also be important in the case of a dispute or legal claim – providing objective evidence of the computer use exposure of the individual.

However, because that computer use data could also be used as an inaccurate proxy for ‘work hours performed’, managers should not be given access to person-level computer use data that has been gathered under the aegis of health and safety.

Depending upon your organization’s policies, you can decide either to provide local EHS staff with access to this data or to restrict this access to a designated ‘administrator’ who can then provide reports on this data on a case-by-case basis.

If local EHS staff do have access to this data then it is important that they are trained to interpret the data correctly and that they do not provide copies of any data to other parties.


Privacy legislation can be scary for employers, but at its heart even the most restrictive regulations, like GDPR, are based on common sense principles which, when followed, don’t restrict the employer’s ability to collect the data they need. GDPR and other legislation isn’t so much about saying what you can’t do; it’s more about saying how you should do it. Follow the steps outlined above and ensure these requirements are built into your processes and the tools you use right from the start and, as an employer, you can still achieve all your goals without legal or reputational risk.


This article is based upon a review conducted by Wellnomics of the EU General Data Protection Regulations (GDPR), UK Data Protection Act (1998) and the Australian Privacy Act (1988). Overall the principles enshrined within these two acts, and their relation to health and safety legislation, are expected to be representative of data privacy legislation in other countries where such legislation exists, although Wellnomics has not undertaken any review of such legislation in other countries.

This document represents Wellnomics’ interpretation of data privacy legislation and does not constitute a legal opinion. Wellnomics Ltd cannot give any guarantees as to the accuracy of the information contained herein, or the interpretations or opinions expressed. Anyone reading this information or using the Wellnomics product is advised to take their own legal advice on meeting legislative privacy requirements.