6 Principles for Employee Privacy

September 18, 2020

Contributor: Samantha Grasso

Employers will likely collect more data as employees return to work, requiring risk management leaders to balance safety, productivity and privacy.

To better protect employees, an organization decides to distribute wearables among workers when they return to the office following COVID-19. The devices measure proximity to other wearables and emit a small audio signal as a reminder to social distance.

The wearables don’t collect or process any data, and they don’t track where the wearer has been. The result is a wearable that enables the employer to provide employees both safety and privacy without having to trade one for the other.

“ The trade-off would be, how much do we invade privacy to offer a certain level of safety?”

While balancing safety, productivity and privacy — three goals seemingly at odds — creates dilemmas for employers, there are ways to achieve all three without trade-offs. 

“Take privacy versus safety for example,” says Bart Willemsen, VP Analyst, Gartner. “The trade-off would be, how much do we invade privacy to offer a certain level of safety? It's making a concession between both values. It would actually be better to try and fulfill both values.”

Download podcast:Balance Safety, Privacy and Productivity When Employees Return to Work

As employees return to work, employers are collecting more data to ensure both safety and productivity. By taking a risk-based approach, which considers what data is being collected and how it’s being used, organizations can protect employees while managing privacy risk.

“The higher the risk, the more important it is to justify that a particular solution is indeed balanced and proportional to the risk we are assessing,” says Willemsen.

Here are six principles to guide risk-based employee data collection.

No. 1: Purposeful processing

If you do decide to collect data, make sure it has a predefined purpose. Once data has fulfilled its purpose, there’s no reason to keep collecting and storing it. Removing data can also lead to significant cost savings for the organization when it comes to storage.

No. 2: Proportionality

Default to the least invasive measure possible to satisfy your goals. Once a measure becomes disproportional to the risk or the purpose can be achieved in a different way, remove it.

No. 3: Subsidiarity

Ask yourself, what amount of data is enough? Can you achieve the same purpose with less personal data or without processing personal data at all? Only collect the minimum amount necessary. 

No. 4: Transparency

Don't do anything in the dark. Be abundantly clear to staff what data you collect, for what purposes and who has access to it.

Read more: Are Your New Remote Workers Visible to Security Operations?

No. 5: Mandatory or not

Apply measures equally for all staff to prevent discrimination and protect autonomy. 

No. 6: Risk-based

Make decisions in light of the risks you are trying to mitigate, and acknowledge that decisions are subject to change. Don’t hesitate to retrace steps taken early and adjust accordingly as things change.

When it comes to returning to the workplace, every decision leads to a certain risk. Following these principles equips employers to assess and mitigate privacy risk by making decisions based on the current situation and continue to measure the relevance of decisions as conditions change.  

Read more: COVID-19 Makes a Strong Business Case for Enterprise Risk Management

Experience Information Technology conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.

Drive stronger performance on your mission-critical priorities.