Privacy, human rights concerns arise with wearable wellness technology
With the greater use of Fitbits and other wearable technology that can measure a person’s health and activity levels, more employers are embracing the trend as part of workplace wellness programs.
Group competitions, for example, might see employees outfitted with fitness trackers so they can monitor their daily activity levels and compare them to other groups, both inside and outside the company.
In the United States, at least, this trend has caught the eye of federal regulators. The Equal Employment Opportunity Commission (EEOC) has issued a proposed rule that would amend the regulations and interpretive guidance implementing part of the Americans with Disabilities Act (ADA) as they relate to employer wellness programs — and data gathered as part of a company-sponsored fitness program could fall under the proposed rule.
The collection and use of this data, even if done by a third party, should be done with care, according to Canadian experts.
“Employers are going to have to use caution, make sure that whatever they’re doing is reasonable, make sure that consent is obtained from employees and is not coerced or obtained under duress, it’s not forced on them, and they’re going to have a role in making sure that employees understand what is being collected and how it will be used,” said Éloïse Gratton, a partner at Borden Ladner Gervais in Montreal.
Consent
While there is privacy legislation federally and in some provinces (including British Columbia and Alberta) around the collection of personal information, the general rule is employers can collect what a reasonable person would consider appropriate in the circumstances, said Deborah Cushing, a partner at Lawson Lundell in Vancouver.
“If you’re collecting this information as part of a fitness program, to me, that doesn’t seem as something that a reasonable person would think you need to manage the employment relationship — it’s more an add-on,” she said.
“So if the employer is collecting that information, they should have the consent of the individual to collect this specific information and identify what that information is going to be used for and who it might be disclosed to.”
And employers should be sensitive about implementing the program, recognizing a fitness-tracking competition may not be for everyone, said Cushing, so it’s better to have an opt-in program versus an opt-out one.
“(Opting out) can create some discomfort for people if they have to identify, for whatever reason, ‘I don’t want to participate in this,’” she said.
That also raises potential human rights issues — if someone has a hidden disability, for example, and hasn’t disclosed it at work but other team members are encouraging him to participate, said Cushing.
“It may make it uncomfortable for that person and they don’t have to disclose it because it’s not really necessary for employment, it’s an add-on. So I think employers should be sensitive about how they do this… though it sounds like it’s for a very good purpose, you’d want to be cautious or careful as to how you design it so it has the desired effect.”
These types of issues are going to come up, said Gratton, and it’s always going to come down to: Was the employer transparent when it collected the information and is this information necessary for the employer?
“Many privacy regulators could say, ‘No, you’re providing benefits but it’s not necessary, it’s not necessarily reasonable to collect this kind of information,’” she said. “Employers are going to have to think about these issues first instead of running with this data, saying nothing to employees and making decisions that may have an impact on these employees. They need to be transparent and they need to ensure they comply with human rights and privacy laws — that’s going to be their challenge.”
In the end, data collected through devices such as health-tracking bracelets should be treated the same way as other personal data collected by an employer, said Matthew Pearn, a lawyer at Foster & Company in Fredericton.
“Most privacy legislation that relates to an employer’s gathering of medical information would likely extend to any biometric data that was gathered — for example, from an employee, so if you were keeping track of someone’s blood pressure, heart rate, blood sugar, any of those things — through these activity trackers… that information would, in my mind, be subject to the same kind of restrictions that would be put on an employer if they had private medical information that had been provided to them through other ways.”
Litigation
People are very excited about this newer technology but the type of information being collected can be quite sensitive and it could be used in the context of litigation, so that’s something employees need to be made aware of, said Gratton.
“I’m not sure everybody understands the implications.”
For example, if an employee is using a Fitbit and the employer has access to the data, it may confront the worker when she claims she was working overtime or she was sick, and the tracking device shows she was doing a physical activity.
“Employers and employees are going to have to have a transparent discussion and make sure that they agree on the framework, the lines that should not be crossed,” she said.
“In the context of litigation, if there’s information sitting there that could be useful, usually lawyers will request from the court authorization to access it and they’ll get it, so it’s something to keep in mind — you’re using a tool that will be tracking you 24-7.”
An employer has an obligation to maintain privacy over the information but if the employee, for example, is engaged in a civil claim of some kind, the fact that there is this documented history of his activity — whether collected by himself or through his employer’s wellness program — is something that can be disclosed as part of a civil claim, said Pearn.
If an employer tells employees this is part of a fitness promotion activity, it really shouldn’t be using it for other purposes, said Cushing.
“I shouldn’t be using it to manage someone’s performance or say, ‘Oh, you didn’t show up for work today but I see on your Fitbit that you were, by the GPS locator, here’s where you were.’ That would be inappropriate,” she said.
“And if you’re in a unionized workplace, I mean, you’re definitely going to cross some lines if you do that because there’s a number of labour arbitrations where employers have collected certain information and tried to use it, say, for performance management and that has not been looked at favourably.”
Security concerns
When it comes to personal information that’s particularly sensitive, such as blood pressure, employers should make sure there are adequate security measures to protect it so people can’t hack into it or use it for purposes that aren’t appropriate or sell to marketers, said Cushing.
“Under privacy legislation, there’s also obligations to destroy information after it’s met its purpose, so if employers are collecting this information, they don’t want to have it around forever. So either you destroy it after it’s fulfilled its use or if you’re using it for a particular decision about an employee or individual.”
Data in aggregate is useful as it can provide a lot of information upon which to make better-informed decisions — but the tricky part is it could potentially be identifiable, said Gratton.
For example, in small groups, certain employees could be identified in the data.
“Using information in aggregate is one thing — making sure it cannot be linked back to a small group or an individual.”
It’s possible employers may collect this amalgamated information as a way to decrease the cost of group insurance by showing the activity levels of employees, said Pearn.
“There are benefits to the insurer — it’s just a matter of making sure that they’ve removed all identifying information so no individual’s personal information becomes disclosed in the process.”
Looking ahead
Looking ahead, third parties, such as insurance companies or employers, could require that employees undergo assessments through these fitness trackers, said Gratton.
For instance, insurance companies could offer better premiums to individuals who agree to be tracked.
Organizations could also decide to provide employees with fitness trackers to potentially reduce corporate plan insurance premiums.
“These type of activities would have to comply with Canadian data protection and human rights laws,” she said.