The role of the Quantified Self in a corporate environment and what it means for IT
Data Privacy and Security


People are often happy to share their health data – friends’ running routes being published on social media is a common sight. But how would you feel about your employers having that data? And if you’re on the IT side, how would you feel about having to store and protect that data?

Tracking workers is nothing new; company-owned vehicles as well as devices such as laptops and mobiles are often fitted with GPS, while devices usually have at least some kind of activity logs to ensure security is maintained. However, these processes are generally understood and have a strong legal precedent. Tracking employees through wearables is new territory, and spans not only location but health and lifestyle, blurring the lines between business and personal life.

 

Wearables in the workplace: Employees want to be tracked (if there’s something in it for them)

A number of startups – including Humanyze, OccupEye, StatusToday, and Unifi.id – have popped up in recent years, all dedicated to keeping tabs on workers’ location and productivity. But wearable devices on the corporate network can provide not only location but also real-time health information, which the user may not want their employers to have access to.

An accurate count of corporate wearables – as in wearables given out by the organization – is hard to come by, but Tractica predicts there will be 75 million wearables within the workplace by 2020. Whatever the actual numbers, the mix of business and health data is definitely already happening.

A 2017 study by The Society for Human Resource Management found 8% of US companies offer fitness tracking bands to employees. Insurance companies are using health data from fitness trackers to reduce premiums and ensure more accurate coverage, and several firms now offer employees fitness trackers as part of their corporate wellness programs, including SAP, IBM, Autodesk, BP, Appirio, and Accenture. These corporate wellness programs vary depending on the company, but can track areas such as steps, calories, and stress/relaxation.  

Ensuring a healthy workforce through wearables, says PwC, means lower healthcare costs, less sick time taken, and higher productivity: a 2014 study found people using wearable technology increased their productivity by 8.5%, while their job satisfaction levels were up 3.5%.

“Wrist-based wearables are finding a place in the US and other markets where employee-supported health insurance is common in that companies can monitor activity levels and offer more active (and therefore potentially more healthy) employees discounted rates for health insurance,” says James Moar, Senior Analyst at Juniper Research, “or use it as a bargaining chip with insurance companies to demonstrate that their employees are more active and therefore deserve an insurance discount. Collecting this sort of data is relatively non-controversial at this stage.”

A study from enterprise health benefits platform Jiff (since acquired by Castlight Health) into wearables in the workplace found 65% of employees believe employers should take an active role in encouraging them to live healthy lifestyles.

A study by Oracle and LSE found just under 70% of workers would be willing to share wearable data with employers if it led to more benefits for them such as flexible working hours, reduced health insurance, free gym memberships, or transport allowance.

The Jiff study found companies that do have corporate wellness programs see more employees reaching fitness targets.

 

Security and using the data correctly

However, blurring the lines between business and personal life is not without its dangers. The ability to track employees’ wearables at all times, along with their diet and well-being, is not only invasive but potentially gives employers the means to question their employees’ lifestyles out of hours.

Nearly half of people surveyed in the Oracle/LSE study expressed concern that an employer could use data collected from wearables against them in some way, with a similar number saying they weren’t confident in their employer’s ability to keep such data properly protected.

“While I have no problems with companies offering incentives I would hate to think those kinds of measurements are being incorporated into any kind of assessments on how a person is performing,” says Dr Nigel Whittle, Head of Medical & Healthcare at technology consultants Plextek.

“I don't mind if the company offers me a treat, I’d hate to see it appear in my yearly appraisal. I would have a problem if that was entering into my employment prospects or assessed on whether I’m being a fit healthy person by walking 10,000 steps a day.”

Ensuring that such data is properly secured and used in the right way is an important consideration when running such schemes. Over-tracking employees can often be bad for business. UK newspaper the Daily Telegraph came under fire for installing heat and motion sensors to monitor if workers were at their desk – a scheme Barclays bank has recently copied – and quickly removed the devices.

In Dave Eggers’s 2013 novel ‘The Circle’ – which documents a near-future tech company’s devolution into Orwellian Big Brother – employees ingest a health-tracking device and have a location wristband engraved with the motto “To heal we must know. To know we must share.” While it may be fanciful, that company’s obsession with sharing leads it to obsessively track its employees’ location and well-being, and that could easily become reality.

“There are multiple companies deploying Fitbits, companies that are doing that are very strict about the ownership of the data, and the notion that these programs are opt-in,” says Moar.

“Generally, the companies providing this sort of information for employers, display it only at the aggregate level, but these devices could easily be linked to individual devices through the right software, and of necessity are in certain fields (like pro sports).”

“The bit that worries me is eventually these kinds of things will become commonplace enough that opting out will be the exception, and when that happens - and whether it's intentional or not - then you're going to get problems.”

In 2015 Gartner predicted that two million employees will be required to wear health and fitness tracking devices as a condition of employment in 2018.

Fitbit offers a pledge for companies to adopt when using its devices for corporate wellness policies. Its tenets include that any such program be voluntary and carry no penalties for non-participation, that the company be open about how any data will be used, and that access to the data collected be limited.

Wearables, like many Internet of Things devices, are often guilty of poor security practices. A badly secured device could become an easy access point to your network for an attacker, and if the company doesn’t put the right privacy protocols in place, data could be leaked.

While leaking the details of how many steps an employee takes per day may not seem like a big deal, there’s more to it than that.

“The challenge for companies is to have very clear and consistent policies,” says Dr. Whittle.

“The casual release of information of how the blood pressure of a sick person is dropping, not terribly important from a practical point of view, but is for privacy. But the other extreme, one can imagine highly sensitive commercial data being compromised by releasing that kind of information [for example with athletes].”

Fitness tracking app Strava was recently found to be revealing sensitive locations through soldiers’ personally identifiable running routes being publicly shared. Under Armour’s calorie-counting app MyFitnessPal recently disclosed details of a data breach, but claims usernames, email addresses, and hashed passwords were lost, rather than any actual health-related data.

“Healthcare data is more valuable for cybercriminals because it’s not as easily altered as financial data, and so has a far longer shelf-life,” warns Moar. “As biometric security becomes more common, possessing a lot of theoretically unalterable biometric data collected from wearables could pay off handsomely in future for cybercriminals.”

“Outside of identity and authentication, if a person’s wearable data shows a future health condition, then it could be used to damage their ability to obtain healthcare insurance, or potentially to get a job. However, this latter case is some way off as it relies on being able to algorithmically interpret large amounts of healthcare data, which is not a common capability for cybercriminals.”

While data collected from wearables doesn’t explicitly fall under any regulatory requirements, Moar says several wearable companies advise that data collected from devices should be stored and handled in a way that is compliant with HIPAA regulations in the US. And given that such devices can track a person’s activity and location at any time, the data could count as personally identifiable, which would bring it under the remit of GDPR.

“This is still a bit of a legal grey area. The conversation at the moment is very much about avoiding overreach in this environment of relatively little regulation.”

“It’s debatable quite how much things like step tracking count as personal or medical data, and so there are few legally-binding processes that secure the data. Quite a few of these companies are choosing to make their data compliant with HIPAA, but that is mostly voluntary at this stage, unless the wearable is being sold as a medical device.”

“There are no explicit measures to compel encryption and similar, but the GDPR’s terms do mandate a stronger level of security for wearables-generated data than any other legislation to date.”

Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'millennials'.
