
Wonder Who’s Watching You Now?

Privacy, Data Security & Workplace Wearables: Best Practices for Employers

Today, tracking your heart rate and glucose levels no longer requires a visit to the doctor’s office; instead, all that is needed is a smartwatch. The rise of wearable fitness devices and applications—equipped with health tracking tools—provides the ability to drastically improve health outcomes across all demographics.

Employers have taken note, particularly with respect to the benefits offered by fitness trackers in terms of lower employee health insurance costs. The popularity of wearables surged during the Covid-19 pandemic, as fitness trackers offered employers the ability to greatly enhance trust and wellness in the workplace at a time when employee health concerns were at an all-time high.

But there are also downsides to wearable fitness trackers in the workplace; namely, privacy and data security concerns and liability exposure risks.

Fortunately, by making privacy and data security a staple of employee wellness programs, employers can leverage these trackers in a manner that maximizes their value to the company while complying with the law, boosting worker morale and trust in the process. 

Employee Concerns 

Fitness trackers have grown immensely in their sophistication in recent years, with the ability to generate a treasure trove of highly sensitive health data concerning employees. As a result, workers have grown wary of the myriad intimate, personal health details their bosses now have at their fingertips, which may be used inappropriately.

The security of personal data generated by this technology and transmitted to employers is also of significant concern. As just one example, last year Fitbit and Apple announced that the personal data of 61 million users had been compromised because of a data breach suffered by GetHealth, a third-party entity that offers employee fitness incentives. 

Employer Legal Risks 

In addition to employee concerns—which can significantly hamper workplace morale and productivity—employers also face considerable privacy and data security legal risks.

The most significant liability risk to employers comes from the Americans with Disabilities Act (“ADA”), which bars employers from making disability-related inquiries of employees unless those inquiries are job-related and consistent with business necessity. This rule applies even where an inquiry does not explicitly seek information about a disability, but nonetheless is likely to elicit such details.

In addition, the ADA bars employers from making any employment-related decision based on a disability that is untethered to an employee’s job-related functions. Translated to the fitness tracker context, an employer that terminates an employee after reviewing the employee’s fitness tracker data opens itself up to allegations by the now-former, most-likely-disgruntled worker that their dismissal was based on a disability or perceived disability; even when, in reality, the employment decision was wholly divorced from any issue regarding the employee’s health or any physical/mental condition.

With that said, the ADA does permit employers to implement voluntary medical examinations—including the use of fitness tracking devices—as part of employee health programs. 

Practical Compliance Tips & Best Practices

To mitigate the legal liability risks associated with the use of wearable fitness trackers, employers should incorporate the following privacy- and security-focused practices into their employee wellness programs:

  • Make the Program Voluntary & Allow the Ability to Opt Out: Ensure the use of fitness trackers—and the employer’s wellness program as a whole—is completely voluntary. Allow employees who originally entered into the program to opt out at any time and without any adverse impact on their employment.
  • Notice: In today’s highly digital world, transparency is a must—not only to minimize liability exposure, but to gain and maintain trust with employees. As such, provide workers with clear notice regarding the company’s utilization of fitness trackers as part of its wellness program, including a description of the program, the reason(s) fitness trackers have been included as a core element of the program, the nature of the fitness tracking devices, the health data that will be collected from the devices, who will have access to that data, how that data will be used (and not used), and the measures being taken to safeguard and secure that data. This notice should be provided to all employees prior to the time any health data is collected, and included in the company’s employee handbook. 
  • Written Consent: Obtain written consent from all employees who seek to use fitness trackers in conjunction with the employer’s wellness program before any personal data is collected from employees or their wearable devices.
  • Policies & Procedures for Ensuring Proper Use of Fitness Tracker Health Data: Develop and implement policies and procedures to ensure that the employer, its management, and any third-party service providers properly use any health data generated by employee fitness trackers. All policies should include a strict ban on using any employee health data generated through this technology to make any type of employment-related decision. 
  • Data Security Measures: Since Internet of Things (“IoT”) devices—which include wearable fitness trackers—are particularly vulnerable to data breaches, ensure that data security measures are implemented and maintained to safeguard and secure employee health data. These safeguards should be at least as robust as those utilized by the employer (or its service provider) to protect other types of sensitive personal information.
  • Data Retention/Destruction Requirements: Similarly, to limit the compromise of employee health data in the event of a data breach, implement data retention and data destruction requirements mandating that employee health data only be retained for the minimum period necessary; and further, that it be permanently destroyed immediately after the data is no longer needed for the purpose for which it was originally collected.

As data continues to become more valuable—and as health insurance costs continue to rise—more employers will turn to wearable fitness trackers to both enhance the health of their workers and decrease employee health care costs. But employers must proceed with caution before implementing any employee wellness program that incorporates the use of fitness trackers to both allay workers’ privacy and security concerns and mitigate the sizeable legal risks associated with fitness trackers in the workplace. By ensuring privacy and security principles are integrated throughout wellness programs involving the use of fitness trackers, employers can harness the value of fitness trackers in the workplace, while at the same time maintaining legal compliance and mitigating potential liability risk. 


David Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Privacy, Security & Data Protection, Biometric Privacy, and Privacy Class Action Litigation groups. David’s practice encompasses both counseling and advising clients on a wide range of privacy, data protection, and biometric privacy matters, as well as defending clients in high-stakes, high-exposure biometric privacy, consumer privacy, and data breach class action litigation. He can be reached at david.oberly@blankrome.com.
