Expert urges transparency and consent as key to employee data protection
As Canadian employers increasingly turn to third-party apps and platforms to manage employee benefits, questions about privacy, consent and transparency are coming to the forefront.
Recent events at Google, where the company reversed a policy requiring employees to share personal data with a third-party AI tool in order to access health benefits, have sparked a broader conversation about how organizations can protect employee information while leveraging new technologies.
The incident highlights the growing complexity of digital consent and the urgent need for HR professionals to understand the risks and responsibilities that come with adopting new technologies.
Understanding consent and employee data privacy
Jonathan Obar, associate professor of communication and media studies at York University, has spent years researching privacy, online consent, and transparency – questioning how fulsome “consent” can be as contracts grow more complex.
This research, funded by the Office of the Privacy Commissioner of Canada, directly relates to third-party apps and platforms provided by employers for their employees, and what sort of data they are being asked to share.
“We're agreeing to things all the time, either via implied consent or more explicit or meaningful consent,” he says.
“So our project, and a number of our projects, have been to try and unpack … how we can ensure that notice and consent protections remain fundamental to privacy and reputation deliverables online and in a world increasingly defined by AI.”
Transparency and the risks of deceptive design
Obar explains the concept of “deceptive design’, noting that the way digital consent forms and privacy notices are set up can have a significant impact on whether employees actually understand what they are agreeing to.
When third-party providers use complex language, hide important details in lengthy documents, or design interfaces that nudge users toward consent – such as using “click wraps” to encourage user consent on apps – they can undermine employee rights to privacy.
“As software increasingly governs how organizations are operating, and helps to facilitate all sorts of organizational communication and organizational processes, it's really important … that organizations prioritize transparency and compliance with notice and consent requirements,” says Obar.
“I think this involves being aware that it can be quite challenging to engage with the notice materials that different companies provide.”
Asking – or requiring – employees to consent to sharing their data can not only invite employee blowback but can also expose organizations to regulatory scrutiny and reputational harm.
“There's a lot of companies that people are trying to engage with at the same time, and we're busy and in a situation where we want to make sure that we're a good team member and that kind of thing,” he says, adding that some groups are more vulnerable than others to inequities relating to privacy.
“Organizations need to be careful about making sure that people's rights are protected … we know from the literature that members of marginalized, multiply marginalized and vulnerable communities are most likely to be harmed or suffer AI inequities and other problems too. So, when it comes to big data, it's really important that companies are careful and thorough when it comes to transparency.”
The challenge of meaningful consent in practice
Obar notes that the Privacy Commissioner’s office has been calling out for Canada to put more focus on data privacy, including educating businesses on protecting their employees’ data.
“They have a number of documents, one in particular, ‘Guidelines for obtaining meaningful consent’, where they ask organizations to be more innovative and creative,” Obar says.
“For consent processes to be more than just taking a paper-based or PDF-based policy and posting it on a website somewhere where no one may go.”
Employees are often overwhelmed by the volume and complexity of information presented to them, he says. This can make it difficult to make informed choices, meaning employers should be mindful of user experience when engaging third party providers.
“Individuals are being placed in a very difficult set of circumstances when it comes to trying to exercise their civil liberties when it comes to the way that a lot of these policies are organized,” he explains.
“They're very long and complicated. They're primarily conveyed via text, as opposed to via video or other modalities that might be more engaging. They often are quite static, and more can be done to make them more dynamic.”
Obar recommends employers instead provide more dynamic forms of consent such as “just in time” consent, which updates consent as users use software, instead of requiring it once and then never again: “When it's sort of a more static process, you sign up at the beginning and then five years later, what did I agree to five years ago? It's hard to remember.”
