<\/p>\n
In this post, Dr Phoebe Moore, Associate Professor of Political Economy and Technology in ULSB, discusses the implications of the recently introduced\u00a0General Data Protection Regulation<\/a> (GDPR) for work and workers.<\/em><\/p>\n <\/p>\n By 25th<\/sup> May 2018, all companies with over 250 employees across Europe were required to meet the rules of the General Data Protection Regulation<\/a> (GDPR), which\u00a0is a redrafting of the 1995 Data Protection Directive<\/a> (DPD), or EU 95\/46\/EC. Here, I look at what this means for workers\u2019 rights around privacy, consent for data collected about ourselves and its uses, as algorithms, wearable technologies and precise people analytics set out to monitor, predict, prescribe and assist our performance in workplaces.<\/p>\n <\/p>\n In the case of the DPD, rules pivoted around consumer rights and \u2018information relating to an identified or identifiable natural person\u2019. Your street address, phone number and name were considered personal data. Your eye colour, height and model of your car, within this remit, were not. EU terminology was designed to accommodate new technologies, however, and in 2012, email addresses, IP addresses and in some cases a photo image could be classified as data relating to identifiable people.<\/p>\n <\/p>\n However, it soon became clear that personal data is not static and can be traced back to an individual, using a collection of data points from public records, which could be used to construct a picture of an individual. Indeed, previously anonymized medical records have been excavated to gain information about people; school transcripts and church congregation data resurrected. Furthermore, over time, new technologies have permitted a swathe of new types of data collection possibilities, to do with accumulation at increasingly granular and even intimate levels, as well as providing new possibilities for storage, access and sharing. Not to mention the raft of data being collected by such behemoths as Facebook, which introduces a new range of possibilities for the mix of personal and public identification, the use of this data and legalities therein.<\/p>\n <\/p>\n The GDPR\u00a0 is mandated for all organisations offering goods and services to customers in the EU whether inside the EU or not, whether they own the personal data processed or not. The 261-page GDPR document contains significant technical detail, so there are many items for organizations to work through. Ian Kilpatrick, executive VP for cybersecurity at Nuvia points out, the document provides more information about \u2018what is to be achieved\u2019 than \u2018what is to be done\u2019. In this context, companies and organizations across Europe have been auditing and preparing for some potentially very disruptive requirements for their business practices and operations, hoping to meet compliance and avoid heavy fines that will be imposed.<\/p>\n <\/p>\n Algorithms and people analytics for workplace decisionmaking eliminated?<\/strong><\/p>\n <\/p>\n Unprecedented concerns surrounding the accumulation and lifetime of data, and people\u2019s rights to that data and privacy; questions inspired and forced by a range of new technologies and new methods of data accumulation; have led to the introduction of this new European Regulation. Indeed, in the first two pages of the GDPR text, where the foundations for the new Regulation are set out, it is made clear that technological development is a key reason for the repeal of Directive 95\/46\/EC and its reconsideration, indicating that:<\/p>\n <\/p>\n (6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. <\/em><\/p>\n <\/p>\n Technology has certainly impacted workplaces<\/em> and work<\/em> over time. In recent years, the rise in \u2018gig work\u2019, where work that is made available is determined by algorithm; threats of automation in the manufacturing industry and in routine as well as non-routine jobs elsewhere; big data based on new \u2018people analytics\u2019 techniques and corporate wellness initiatives in office environments involving biometric, health and sensory data acquisition; have created significant new avenues for data collection and now, significant regulation.<\/p>\n <\/p>\n Data subjects will have the ‘right not to be subject to a decision based solely on automated processing, including profiling’<\/p>\n <\/p>\n Key concerns for workers in these new technologically informed and driven worlds of work, as I told a Spanish journalist from Univision on 6th<\/sup> November 2017, are: what information is being collected by my manager\/client\/employer, how and why? How is this data being stored and for how long? Who has access to this data, and why? Workers and worker associations such as trade unions should be vociferously asking, can I get hold of my data? Will it be used in appraisals about my work, and how?<\/p>\n <\/p>\n The last question could apply, for example, to judgements made about warehouse work. In fact, I communicated with one Warehouse Operative in 2016, who indicated to me that she and colleagues were told armband data had been used to make decisions about firing and retention. However, workers were not provided access to the data informing these decisions.<\/p>\n <\/p>\n The practice of using purely automated data such as in this warehouse, if case should be eliminated with the new Regulation. Indeed, Section 4, the \u2018Right to object and automated individual decision-making\u2019 Article 22, called \u2018Automated individual decision-making, including profiling\u2019, indicates that:<\/p>\n <\/p>\n 22(1): The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling,<\/strong> which produces legal effects concerning him or her or similarly significantly affects him or her.<\/em><\/p>\n <\/p>\n The foundations for the Regulation, listed in the first sections of the document, make it abundantly clear that:<\/p>\n <\/p>\n (71): The data subject has the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing<\/strong> and which produces legal effects concerning him or her or similarly significant affects him or her, such as\u2026 e-recruiting practices<\/strong> without any human intervention. Such processing includes profiling that consists of any form of automated processing of personal data evaluating the personal aspects of a natural person, in particular to analyse or predict aspects concerning the data subject\u2019s performance at work\u2026<\/strong><\/em> reliability or behaviour, location or movements<\/em><\/strong>, where it produces legal effects concerning him or her or similarly significantly affects him or her.\u00a0<\/em><\/p>\n <\/p>\n These restrictions will put significant pressure on any company making decisions solely based on algorithm, which potentially fully disrupts the Uber business model and operational practices. Uber taxi drivers gain work through the use of an app that directs customers purely based on algorithm; movements are entirely tracked and judgements about working practices made accordingly; and worst, can presently can be deactivated if their client ranking systems are not high enough, or they have not accepted enough rides. It is difficult to see how these practices will not be fully overhauled\u00a0in the wake of\u00a0GDPR coming in to force.<\/p>\n <\/p>\n The new Regulations also call into question data-driven \u2018people analytics\u2019 under extensive experimentation by human resources professionals. This practice involves using hard data and using \u2018digital tools and data to \u2018measure, report and understand employee performance, aspects of workforce planning, talent management and operational management\u2019. The tools allow \u2018organizations to conduct real-time analytics at the point of need in the business process\u2026 allows for a deeper understanding of issues and actionable insights for the business\u2019 (Collins et al 2017). Miriam A Cherry (2016) indicates that people analytics is a nascent field that helps human resources make decisions on \u2018(1) the search for new pools of quantitative data that are correlated with business and employment success, and (2) the use of such data to make workplace decisions and to replace subjective decision-making by managers\u2019 (Cherry 2016). In February 2017, Deloitte reported<\/a> that 71 per cent of companies internationally see people analytics as a high priority for their organizations, but progress, this\u00a0 reported, has been slow.<\/p>\n <\/p>\n However, the GDPR may slow people analytics even further, particularly where big data is being used to recruit workers, evaluate performance, provide better leadership, make hires and promote, to influence and improve job design, make decisions on compensation, and improve collaboration without \u2018human intervention\u2019 as the GDPR requires. Teach for America is applauded for the most extensive use of people\u2019s data to make hiring decisions as well as predictions about performance before hires, where \u2018human intervention\u2019 would be difficult to achieve, given the lack of interaction with data subjects at the earliest stages. A little late in the game, Google advises that a data driven approach, in their People Analytics<\/a> guidance, provides the best way to \u2018inform your people practices, programs and processes\u2026 reporting and metrics to predictive analytics [to help you] uncover new insights, solve people problems<\/em> [italics added] and direct your HR actions\u2019. \u2018People problems\u2019 could, of course, mean \u2018who to fire\u2019.<\/p>\n <\/p>\n ‘People problems’ in people analytics could, of course, mean ‘who to fire’.<\/p>\n <\/p>\n Further to these practices, which will be much challenged in the wake of the GDPR, wearable devices in factories and warehouses where industrie 4.0 is being introduced, track workers\u2019 movements and store extensive data about their performance, toilet breaks and minutes spent on consoles (see example of Warehouse Operative above). In professional workplaces, devices are being used to store information about how long workers spend at desks using heat sensors, such as in the case of Occupeye as briefly used at the Telegraph<\/a>, as well as record workers\u2019 tones of voice and gestures as experimented with Humanyze<\/a>. Under the GDPR, these activities will come under great scrutiny, as companies will need make it clear what data is being used and why, the authenticity and reality of \u2018human intervention\u2019 if decisions are made on the basis of data analytics, and, of course, to gain explicit consent from data subjects in the first instance.<\/p>\n <\/p>\n Workers\u2019 consent?<\/strong><\/p>\n <\/p>\n In the British Academy\/Leverhulme project I have just completed, the company I studied which carried out the Quantified Workplace experiment involving FitBits, RescueTime and daily lifelogs, was queried by the Dutch Personal Data Protection Agency. While employees had consented to participation in the project, the Agency asked the company: \u2018can there ever be a consenting<\/em> relationship between an employee and employer?\u2019.<\/p>\n <\/p>\n Indeed, one of the key areas the GDPR develops in data protection is consent<\/em>. The definition of \u2018consent\u2019 in the DPD was \u2018any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed\u2019. The GDPR definition adds detail regarding how consent is given and states in Art 4(11) that consent is: \u2018any freely given, specific, informed and unambiguous indication of the data subject\u2019s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her\u2019.<\/strong><\/p>\n <\/p>\n At present, consumers are required to agree with often very detailed and rather opaque terms and conditions by ticking a box after entering significant amounts of personal data into a form online in order to register, before crossing into provision of most online services today. The ICO has published Draft Guidance<\/a> documents, including guidance on consent, which indicates that the \u2018GDPR sets a high standard for consent\u2019. Most of the advice on consent compliance centres on consumers, indicating for example that \u2018consent requires a positive opt-in. Don\u2019t use pre-ticked boxes or any other method of consent by default\u2019. Further, the Guidance recommends making it easy to withdraw consent and \u2018tell them how\u2019. Even more interestingly, companies should \u2018avoid making consent a precondition of service\u2019. This is quite a significant difference to the widespread use of the tick box required for online services and apps or even to buy theatre and circus tickets!<\/p>\n <\/p>\n Explicit reference to the implications of the GDPR for workers<\/em> is far less detailed than for consumers<\/em>, but the ICO\u2019s Draft Guidance<\/a> states explicitly that \u2018public authorities and employers will find using consent difficult\u2019<\/strong> and that \u2018employers and other organisations in a position of power are likely to find it more difficult to get valid consent\u2019<\/strong>. However, \u2018consent\u2019 is not the only way to ensure compliance of the GDPR in processing personal data, as pointed out by Information Commissioner Elizabeth Denham in a blog post<\/a> August 2017. Local authorities process council tax information, banks share data for fraud protection and insurance companies process claims information, for example, and for each of these, a different lawful basis is used to process personal information, which is not \u2018consent\u2019.<\/p>\n <\/p>\n Public authorities and employers will find using consent difficult. In any case, to process data, a company or organisation must \u2018identify a lawful basis before you start\u2019. The GDPR provides further ways<\/a> to process data that could be \u2018more appropriate than consent\u2019, Ms Denham indicates. Looking through these other ways, there are a number of provisions that are relevant, for example, to public authorities and highly regulated sectors where the \u2018public interest\u2019 is upheld:<\/p>\n <\/p>\n 6(1)(a) \u2013 Consent of the data subject<\/em><\/p>\n 6(1)(b) \u2013 \u00a0Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract<\/em><\/p>\n 6(1)(c) \u2013 Processing is necessary for compliance with a legal obligation<\/em><\/p>\n 6(1)(d) \u2013 Processing is\u00a0necessary to protect the vital interests of a data subject or another person<\/em><\/p>\n 6(1)(e) \u2013 \u00a0Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller<\/em><\/p>\n 6(1)(f ) \u2013 Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject<\/em><\/p>\n <\/p>\n Article 9 of the GDPR stresses the following however:<\/p>\n <\/p>\n Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person\u2019s sex life or sexual orientation shall be prohibited.\u00a0<\/em><\/strong><\/p>\n <\/p>\n This clause of prohibited data collection is not unlike the previous DPD, but the GDPR document then a list of conditions then listed where paragraph 1 does not apply<\/em>. The sections with relevance to workers are 9(2)(b) and 9(2)(h):<\/p>\n <\/p>\n 9(2)(b) \u2013 Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement<\/strong><\/em><\/p>\n 9(2)(h) \u2013 Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee<\/strong>, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional <\/em><\/p>\n <\/p>\n Decisions on this basis will be made without worker consultation in some or even most cases, and the Regulation puts a lot of responsibility for ethical practices on human resource departments and employers themselves. For example, \u2018working capacity\u2019 of the employee is not defined in any detail, potentially putting a lot of onus on companies, or even the government, to provide useful and good guidance on fitness to work, which has very negative implications in recent UK history.<\/p>\n <\/p>\n Nonetheless, employees, as data subjects, should gain significant rights under the GDPR. In general, employees\u2019 rights gained with the introduction of this Regulation should give people:<\/p>\n <\/p>\n <\/p>\n So, the rolling out of the GDPR under the banner of the UK\u2019s Data Protection Bill has significant implications for employers and it will be interesting to see how these new requirements change the employment relationship, perhaps forever.<\/p>\n <\/p>\n\n