Privacy, Data Security & Workplace Wearables: Best Practices for Employers
Today, tracking your heart rate and glucose levels no longer requires a visit to the doctor’s office; instead, all that is needed is a smartwatch. The rise of wearable fitness devices and applications—equipped with health tracking tools—provides the ability to drastically improve health outcomes across all demographics.
Employers have taken note, particularly with respect to the benefits offered by fitness trackers in terms of lower employee health insurance costs. The popularity of wearables grew precipitously during the Covid-19 pandemic, as fitness trackers offered employers the ability to greatly enhance trust and wellness in the workplace at a time when employee health concerns were at an all-time high.
But there are also downsides to wearable fitness trackers in the workplace; namely, privacy and data security concerns and liability exposure risks.
Fortunately, by making privacy and data security a staple of employee wellness programs, employers can leverage these trackers in a manner that maximizes their value to the company while complying with the law, boosting worker morale and trust in the process.
Fitness trackers have grown immensely in their sophistication in recent years, with the ability to generate a treasure trove of highly sensitive health data concerning employees. As a result, workers have grown wary of the myriad intimate, personal health details their bosses now have at their fingertips, which may be used inappropriately.
The security of personal data generated by this technology and transmitted to employers is also of significant concern. As just one example, last year Fitbit and Apple announced that the personal data of 61 million users had been compromised because of a data breach suffered by GetHealth, a third-party entity that offers employee fitness incentives.
In addition to employee concerns—which can significantly hamper workplace morale and productivity—employers also face considerable privacy and data security legal risks.
The most significant liability risk to employers comes from the Americans with Disabilities Act (“ADA”), which bars employers from making disability-related inquiries of employees unless those inquiries are job-related and consistent with business necessity. This rule applies even where an inquiry does not explicitly seek information about a disability, but nonetheless is likely to elicit such details.
In addition, the ADA bars employers from making any employment-related decisions based on any disability that is untethered to an employee’s job-related functions. Translated to the fitness tracker context, an employer that terminates an employee after reviewing the employee’s fitness tracker data opens itself up to allegations by the now-former, most-likely-disgruntled worker that their dismissal was based on a disability or perceived disability, even when, in reality, the employment decision was wholly divorced from any issue regarding the employee’s health or any physical/mental condition.
With that said, the ADA does permit employers to implement voluntary medical examinations—including the use of fitness tracking devices—as part of employee health programs.
To mitigate the legal liability risks associated with the use of wearable fitness trackers, employers should incorporate the following privacy- and security-focused practices into their employee wellness programs:
As data continues to become more valuable—and as health insurance costs continue to rise—more employers will turn to wearable fitness trackers to both enhance the health of their workers and decrease employee health care costs. But employers must proceed with caution before implementing any employee wellness program that incorporates the use of fitness trackers to both allay workers’ privacy and security concerns and mitigate the sizeable legal risks associated with fitness trackers in the workplace. By ensuring privacy and security principles are integrated throughout wellness programs involving the use of fitness trackers, employers can harness the value of fitness trackers in the workplace, while at the same time maintaining legal compliance and mitigating potential liability risk.
Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Privacy, Security & Data Protection, Biometric Privacy, and Privacy Class Action Litigation groups. David’s practice encompasses both counseling and advising clients on a wide range of privacy, data protection, and biometric privacy matters, as well as defending clients in high-stakes, high-exposure biometric privacy, consumer privacy, and data breach class action litigation. He can be reached at david.oberly@blankrome.com.