Wearable devices that track and record personal biometric data are hardly new to the technology scene. In addition to the now-commonplace electronic pedometers and heart rate monitors, there are portable and wearable devices that, quite literally, do everything – from administering medical tests, like electrocardiograms, to analyzing the quality of one’s sleep based on user input. Never before, however, have employers had such ready access to this personal information about employees. It is this access – and the employer’s use of the gathered data – that can pose a legal trap for the unwary employer.
Collection of biometric data in the workplace through wearable devices or screenings can occur for a variety of proper reasons. For example, employers may require such data for security verification purposes or as a means of authenticating employee accounts or files. One increasingly prevalent practice is for employers to offer insurance premium discounts, bonuses, or other incentives to employees who undergo a biometric screening to raise health consciousness or to employees who achieve a certain activity level, as measured by a wearable electronic pedometer or fitness tracker. Such programs give employers unprecedented access to a wealth of biometric data about employees (like activity levels, nutritional habits, and certain physical characteristics).
On its face, there is nothing improper about an employee consenting to participate in these types of incentive programs. However, if an employer considers or uses the collected data in any way when making employment decisions, it may unwittingly open itself up to claims of disability or other discrimination. Further, the company’s possession of such information certainly increases its privacy and data security challenges.
Adding to the potential hazards of these initiatives is the dearth of legal authority on the issue of how to collect and manage biometric data. There is no federal law or guidance on the issue; only two states, Illinois and Texas, have enacted statutes that even define specifically what constitutes biometric data; and only a few additional states, Alaska, California, New York and Washington, have proposed legislation on the issue.
So, what’s an employer to do?
Here are some rules of thumb – based in part on the key provisions of the Illinois and Texas laws – that an employer in possession of its employees’ biometric data would be well advised to apply:
- Always provide employees with written notice of biometric data collection and storage, and explain the reason for the collection and the length of time the data will be stored;
- Require employees to give written consent to the data collection;
- Protect the collected biometric information from disclosure unless the employee gives prior written consent to the disclosure, the disclosure is required or permitted under state or federal statute, the disclosure is made in response to a warrant from law enforcement or a valid subpoena, or the disclosure is needed to complete a financial transaction requested by the employee;
- Protect stored biometric data in a manner that is at least as protective as the means used to protect other confidential information;
- As with health information in general, separate biometric data from other employee records, and ensure that company access to such data is limited to those with a legitimate need-to-know;
- Never sell, lease, trade, or otherwise profit from the collected data;
- Maintain and make publicly available a written retention policy that requires permanent destruction of the data by the earlier of the date when “the initial purpose for collecting or obtaining” the data has been “satisfied” or three years after the employee’s last contact with the organization; and
- Keep abreast of cases that address the appropriate use of biometric data and its collection and handling. For example, this relatively recent case addressed whether requiring biometric screenings as part of a wellness plan violated the Americans with Disabilities Act.