You’re probably tired of reading stories about hybrid work arrangements and the technology that supports them. But I suspect there’s a side of the topic that you haven’t given much thought to: employee privacy. The lack of attention is understandable, with the Delta variant raging, employers are focusing on health and safety as top priorities. Yet the same technologies that support health and safety can compromise employee privacy, incurring significant risks for both the company and the buildings that they occupy.
Consider, for example, occupancy management software, which encompasses space planning, room/desk booking, and usage optimization. This is the technology that makes the hybrid model feasible for large companies. The software relies on data collection through sensors or Wi-Fi and often integrates with workforce management software and other HR information systems. Adoption of such technologies yields higher efficiencies and better cost control, but “data collection” should set off alarm bells. If you’re collecting data on your employees, you’ve got to account for privacy.
Legal risks
Data collection is subject to privacy standards like the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and several newly enacted laws. The latest include China’s Personal Information Protection Law (PIPL), which goes into effect on November 1, and the California Privacy Rights Act (CPRA), which supplements CCPA. Many other U.S. states are enacting or have enacted their own laws. Also in the works is Canada’s Consumer Protection Act (CPPA).
The consequences for non-compliance can be steep indeed. Maximum GDPR penalties, for instance, are 20 million Euros or 4 percent of a company’s global revenue. And the fines are rolling in: Ireland just imposed a $270 million fine on Facebook’s WhatsApp service. Previously, Luxembourg fined Amazon $886 million and France fined Google $57 million. Not exactly chump change.
Warnings have characterized California’s CCPA implementation to date, but if fines materialize, they can add up quickly. Every unintentional violation of the CCPA incurs a fine of $2,500 (note the ‘every’), while intentional violations draw a fine of $7,500 each. You get the idea. The pandemic may have deflected attention from privacy in the short term, but we can expect more and more governmental entities to enact privacy legislation and penalize non-compliance going forward. If CEOs are seeking something else to keep them up at night, this trend is a worthy candidate.
HR risks
There is also plenty to worry about from an HR perspective. Consider the case of the Daily Telegraph, a U.K. newspaper. Management sought to monitor energy and space usage by placing motion trackers under the desks of its reporters. Employees, who had little warning about the additions, reacted with anger and protests. In response to the backlash, the newspaper removed the trackers. The end-results? A drop in employee morale and a wasted investment.
Even when employees are given more warning, they might be unhappy with data collection, especially when it involves personal identifiable information, or PII. Some companies want to know exactly who occupied a space and when that person or persons arrived and departed. It’s even possible for companies to track how long someone stays in the restroom! With this level of detail, legal risks multiply and employers face pushback from employees, along with low morale, low productivity, and high turnover—all of which fuel one another and endanger companies’ financial health.
The good news is that occupancy management software does not require PII. Some employers simply want to know how many people occupied a room at one time. The information allows companies to adjust their office footprint to control density, meet social distancing comfort levels, and understand space usage patterns, which can lead to decisions that save money on rent and utilities. Employees, meanwhile, typically appreciate the reassurance that when they go to the office, they won’t be sitting too close to their colleagues and that they will have their own designated space for the day.
Best practices
Fortunately, with a little forethought and planning, both HR and legal risks can be avoided without sacrificing the efficiencies and increased profitability that stem from integrated workforce and workplace management systems. Secure occupancy tracking through these integrations yields valuable data, personalized or not. At MRI, we typically advise our clients to target the lowest common denominator, the occupancy statistics without the personal specifics. My colleague Alycia Workman from our legal team approves of this approach. “The first question to ask is ‘are you gathering personal data,’” she says. “If the answer is ‘no,’ then you don’t have to worry about violating personal privacy rights.”
Alycia adds that companies should only be collecting information that is “reasonably necessary,” and she suggests that they adhere to the Fair Information Practice Principles (FIPP – yes, another acronym), which forms the basis of many of our modern privacy laws. She also urges companies to collaborate with their legal departments: “Have your legal team conduct a data impact assessment and analysis before you roll out a change to your data collection processes. Your legal team should know which data protection rules apply to your business and will be able to advise accordingly.”
The communication component is important. “Be transparent,” says Workman. “Let employees know what you’re collecting and why you’re collecting it. Then actually do with the data what you say you’re going to do. And make sure that the procedures you’re implementing are covered in your employee handbook, which should be updated regularly.”
Some companies offer rewards to employees who agree to personalized data collection. One example is a company that gives half-price discounts in the cafeteria to employees who use a mobile tracking app. Employees may welcome such ‘sweeteners’ provided, again, that the employer has explained what data is being collected and how it will be used.
My overarching advice to employers is to err on the side of caution. You can gather extremely valuable data through occupancy management software without compromising employee privacy. If you require PII, be sure to enlist the aid of your legal department, because one thing is certain when it comes to fines or disgruntled employees: your missteps will not remain private.
