The use of fitness, health and lifestyle tracking apps and devices has developed from novelty to normal over the past few years. There has been an explosion of applications available to enable users to monitor various aspects of their behaviour, set goals and measure progress over time. The next generation of wearable devices like the Fitbit and Jawbone Up are playing an increasing role in our everyday lives.
Health insurance companies already use tracking tools to offer health and medical insurance discounts to people who lead a healthy lifestyle. Now, employers are beginning to explore how applications and devices can be used, and the data they generate can be monitored, as part of "corporate-wellness" and incentive programmes.
Fitbit, Jawbone and app developers have recognised this trend and are creating products and systems tailored towards employers. Fitbit's sales to employers are now one of the fastest growing parts of its business, and it offers software that allows employers to monitor use. More recently Jawbone has launched Up for Groups, a service by which companies can buy Jawbone's fitness trackers in bulk at a discount and use Jawbone's dashboard software to track how they are being used in aggregate. Many new companies are developing applications and software that employers can use to track and incentivise staff on any wearable device.
Employers are attracted to the benefits that such an insight into employees behaviour can offer them and how they can use the information to increase the health and wellbeing of staff, in turn increasing productivity and staff happiness and potentially reducing employee health insurance costs. Much research is being undertaken surrounding the "quantified self" movement and the impact of measuring and monitoring on achieving personal goals, the theory being that "you can't improve what you don't measure".
As a result of the boom in smart phone usage and all of these new wearable devices people are unconsciously generating more data about themselves than ever before. How that data gets used and shared presents a number of privacy law challenges. The data collected by fitness wearables and applications can include sensitive health data.
As an employer if you collect or use personalised information about your workers' health the Data Protection Act will apply. If you wish to collect and hold information on your workers’ health you should be clear about why you are doing so and satisfied that your action is justified by the benefits that will result.
The collection and use of health information brings the Act's sensitive data rules into play. Under these rules the processing of such information is not prevented but the rules limit the circumstances in which it can occur. You must be able to satisfy one of the sensitive data conditions. In the context of health and fitness wearables you are likely to have satisfied the conditions if each worker affected has given explicit consent to you accessing the data generated.
The ICO advises that workers should know what information about their health is being collected and why. Consider why you want to collect and use this information. This might mean identifying a problem you are trying to solve.
Once you are clear about the purpose and that you can satisfy a sensitive data condition, check that the collection and use of health information is justified by the benefits that will result.
Consent
If you rely on consent it must be freely given. This means a worker must be able to say ‘no’ without a penalty being imposed and must be able to withdraw consent once given. A person is more likely to be in this position at the recruitment stage than when they are employed. Be careful not to pressure employees into wearing devices to monitor their health, and whilst you may want to incentive healthy actions, be careful about incorporating any punitive measures.
Security
You must keep information about workers’ health particularly secure. This might mean allowing only one or two people to have access to it, for example by password-protecting it and making sure that the data is not shared without their consent. As wearables transmit more health data to employers therein lies a risk that data could leak and be sold or exploited for marketing purposes or by insurers when considering whether to cover a claim.
If a worker objects to you holding or using information about them because it causes them distress or harm, you should delete the information or stop using it in the way complained about unless you have a compelling reason to continue.
If the information collected does not and could not identify an individual, as with Jawbone's Up for Groups, the Data Protection Act does not apply. Up for Groups won't calculate metrics unless at least 5 people are being anonymously tracked. This prevents employers from singling out individuals and avoids many of the potential privacy issues, but it still allows the individual employees to track their personal data and benefit from the encouragement it provides.
