THE INSTITUTE Most privacy laws that give consumers control over how their personal data is being used don’t cover employees. It’s up to the employer to protect the personal information they’ve collected about their workers, some of which is sensitive. That can create problems, not just because an employer might mishandle the information but also because it could be sold by third-party vendors that administer workplace programs.
As more technology that uses personal data is adopted in the workplace—such as biometric authentication tools to verify worker identities and GPS apps that track their whereabouts—there are even more reasons to protect the records.
Employees are increasingly concerned about whether their data is used in an ethical, transparent way.
The IEEE Standards Association in 2017 initiated the IEEE P7005 Standard for Transparent Employer Data Governance. The project is sponsored by the IEEE Computer Society.
The IEEE P7005 working group is currently defining specific methods for employers to certify how they collect, access, use, share, store, and destroy employee data. The group also is working on recommendations for how to provide a safe, trustworthy environment for employees to share their information.
The working group’s 30 members include representatives from large multinational companies, trade unions, and human resource departments, as well as self-employed workers.
The standard considers existing data privacy laws, including the European Union’s General Data Protection Regulation, says IEEE Member Ulf Bengtsson, chair of the working group. The GDPR, which took effect in 2018, aims to protect individual privacy and empower people to have greater control over their online presence and personal information, including how their data is shared and used.
Bengtsson says a draft of the standard is undergoing a legal review and will be released later this year. In the meantime, he says, there are certain basic rights and best practices that employers can keep in mind when considering how to handle employee data.
• Employers should not collect and store data unless they have a specific purpose for it. “The employer, of course, has autonomy over the data on its employees,” Bengtsson says. “But that information should only be used for a particular reason.”
• Collection of data should always be with the consent of the employee, who is the one who actually owns the information.
• Data should not be kept longer than is necessary for the purpose for which it’s intended.
• When an employee leaves the company, the business should destroy its copy of the worker’s information.
• Employee information should not be shared with a third party without the employee’s consent. Bengtsson says the standard will call for third-party vendors to comply with privacy protections recommended in the standard.
IEEE P7005 is part of a growing portfolio of more than 30 technical and impact standards that promote innovation, foster interoperability, and recognize human values. The standards are part of the AI systems portfolio of work in the IEEE SA, including the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems, an IEEE SA Industry Connections activity that produced the Ethically Aligned Design document published last March.