To better protect employees, an organization decides to distribute wearables among workers when they return to the office following COVID-19. The devices measure proximity to other wearables and emit a small audio signal as a reminder to social distance.
The wearables don’t collect or process any data, and they don’t track where the wearer has been. The result is a wearable that enables the employer to provide employees both safety and privacy without having to trade one for the other.
While balancing safety, productivity and privacy — three goals seemingly at odds — creates dilemmas for employers, there are ways to achieve all three without trade-offs.
“Take privacy versus safety for example,” says Bart Willemsen, VP Analyst, Gartner. “The trade-off would be, how much do we invade privacy to offer a certain level of safety? It's making a concession between both values. It would actually be better to try and fulfill both values.”
As employees return to work, employers are collecting more data to ensure both safety and productivity. By taking a risk-based approach, which considers what data is being collected and how it’s being used, organizations can protect employees while managing privacy risk.
“The higher the risk, the more important it is to justify that a particular solution is indeed balanced and proportional to the risk we are assessing,” says Willemsen.
Here are six principles to guide risk-based employee data collection.
No. 1: Purposeful processing
If you do decide to collect data, make sure it has a predefined purpose. Once data has fulfilled its purpose, there’s no reason to keep collecting and storing it. Removing data can also lead to significant cost savings for the organization when it comes to storage.
No. 2: Proportionality
Default to the least invasive measure possible to satisfy your goals. Once a measure becomes disproportional to the risk or the purpose can be achieved in a different way, remove it.
No. 3: Subsidiarity
Ask yourself, what amount of data is enough? Can you achieve the same purpose with less personal data or without processing personal data at all? Only collect the minimum amount necessary.