The information explosion and the quantum growth in computing capability has provided organizations with unprecedented levels of workforce data. While the opportunity to collect, integrate, and analyze employee data in greater volumes can be enticing, it simultaneously raises several important questions.
What level of employee monitoring is appropriate? What rights should employees have regarding their data? How do organizations ensure that its people analytics approach is not only beneficial to the company, but fair to employees?
In the legislative realm, there is growing awareness and vigilance around the rights of individuals regarding their data. On May 25, 2018, the General Data Protection Regulation (GDPR) has entered into effect. The GDPR is based on a key guiding principle: personal ownership of private information.
For example, the GDPR mandates that users can access their data, and request to have their data deleted (the “right to be forgotten”). The GDPR legislation is designed to provide a coherent system of privacy regulation for EU citizens.
Notably, however, the legal requirements pertain to any company involved in handling the data of EU citizens, which includes many companies outside of the EU. Moreover, the GDPR may be seen as a guidepost for how to treat data.
In light of the recent scandal in which Cambridge Analytica leaked private information from as many as 87 million Facebook users, Facebook has declared that it will adopt GDPR standards for user data.
Singapore’s data collection act, the PDPA, is similar to the GDPR in that its reach extends beyond the Singapore’s borders and applies to any organization that collects the personal data of its citizens.
However, the reach of the GDPR is far more extensive and the penalties for violating it are far more severe. While the GDPR is applicable to all EU organizations and organizations that collect data on EU citizens, the PDPA has a more limited scope and includes several exemptions – excluding data collected by the public sector and for business contact information.
In addition, the actual definition of consent in the context of the GDPR is far stricter than the PDPA. While the PDPA considers the voluntary provision of data consent, the GDPR requires express consent. The GDPR also requires that data only be used for the specific purpose it was collected, whereas the PDPA is more lenient in allowing use for “reasonable purposes”.
Canada’s personal data protection act, PIPEDA, is similar to the GDPR in that it they both ensure individuals have the right to access data stored about them. GDPR goes beyond PIPEDA legislation by ensuring the right of portability – organizations are required to present this data to individuals upon request “in a structured, commonly used and machine-readable format”.
Although many of these pieces of legislation share similarities, these contrasts highlight the importance of fully understanding the nuances of all data-privacy legislation that applies to your organization.
While adhering to legal guidelines is an important baseline, we believe companies must do more than adhere to legal requirements. As noted in a report by IBM, what companies can do with employee data and what companies should do with employee data are altogether different questions.
Legality does not imply ethicality, and so employers must carefully consider the impact of collecting and analyzing employee data.
Technology is advancing faster than legislators can keep up with, and there are areas that legislation may not be able to anticipate.
For example, some employers are now outfitting their workforce with fitness tracking devices, to measure employee health and wellness. While these types of initiatives can be helpful, they may also have a negative impact on employee morale.
As another example, there is increasing opportunity to track data on employees and candidates from the web, including social media profiles. Where should the line be drawn in terms of what information employers should collect?
Companies will need to carefully consider how their people analytics strategy and implementation impacts employees. At the heart of this matter is the issue of trust. When introduced to new people analytics approaches, employees will likely be wrestling with the following questions, whether explicitly or implicitly:
- Do I trust my employer’s intentions when it comes to collecting and analyzing my data? Is it in my interest for me to share my data, or the interest of the company?
- Do I trust the data itself? Is the data on me accurate? Does it appropriately represent me, or my contribution to the company?
- Do I trust the decisions that are being made based on the data? Are the analyses based on my data likely to result in better and fairer decisions?
We believe that responsibility falls on employers to earn employees’ trust in their people analytics efforts. In order to build this trust, we recommend the following in collecting and handling employee data:
1. Disclose what types of data are being collected, for what reasons, and how the data will be used
In order to establish trust and transparency, it is important to inform your employees of what type of data you are collecting, how you intend to use it, and the sources you will draw from.
If you intend to draw information from the company email network for example, disclosure is important. We also suggest periodically conducting employee surveys to gain a better understanding of how your employees feel about your data collection and handling policies. This will identify any doubts or concerns your employees may have, and allow you to properly address them.
2. Clarify the rights of employees in terms of what data is collected and how it is used.
Some data is necessary to collect for legal and administrative purposes, like social insurance numbers, while other information that you may wish collect is not. For data which is essential to collect for organizational planning, it is appropriate to require employees to provide data.
In this case, procedural fairness, transparency and communication will be of great importance to ensure employee acceptance and cooperation. For data that is not mandatory to collect, employees must be able to opt out of the data collection process, and aware they have the right to do so.
In addition, it is important to ensure that your employees understand the purpose of the data collection. Leaders must clearly communicate the greater organizational purpose the analysis serves. Employees will feel more comfortable if they know that data is being collected in order to improve the governance, communication, and employee engagement within the organization.
3. Encrypt and secure all databases
Keeping employee data safe is critical. Beyond personal information like names, addresses, banking information and SIN numbers, all data that you collect on your employees must be encrypted. Your employees need to know that you are concerned for their data’s safety, and ensuring their information is secure is your priority.
4. Eliminate identifying information from data once data has been integrated
Obfuscation of data is important from a privacy standpoint, but also so that employees do not feel spied on or singled out. For example, if you wish to analyze disciplinary action reports or information regarding grievances and complaints, anonymizing the data is crucial. Removing personal identifiers from the data will increase employee acceptance of your analysis, and further instill trust.
5. Aggregate data and report on results at the aggregated level
Reporting on an aggregate level, whether that be departmental or across the whole organization, will further emphasize the fact that the purpose of the analysis is to capture larger organizational trends.
This will again ensure employees do not feel targeted or scrutinized. In smaller teams, do not share specific findings, but rather provide a statistical summary or overview of the results. Explaining results in terms of averages and statistical trends will ensure that no single response can be attributed to a specific employee.
Today, organizations have the ability to track, monitor, and analyze their workforce to unparalleled degree. While people analytics can provide huge strides in organizational efficiency and effectiveness, it is important to not only abide by the legal requirements when collecting and utilizing this data, but to also consider the ethical implications.
Beyond considering this for the sake of ethical behavior, using workforce data in a manner that employees are uncomfortable with may neutralize any gains by damaging morale and reducing employee engagement.
This article has been adapted from “The People Analytics: Steps toward Data-Driven Decisions”.