Big Data is powerful, but employers should beware knowing too much
6th October, 2016
We are all becoming increasingly accustomed to sharing our personal data online.
Whether through social media profiles, search engine use or online retail purchases, we entrust online businesses with some of our most sensitive information including credit and debit card information, medical history, home address and more.
But stories are beginning to surface, largely from the US, which show just how powerful Big Data has become – carrying with them a warning for UK businesses.
The treatment of and regulation surrounding Big Data practices differs depending on where the companies collecting the data are registered. American companies have historically led the way in the field, with Facebook, Amazon and Google being among the largest data holders in the world.
While these organisations primarily use the data they collect for advertising, other companies collect Big Data on employee behaviour based on their use of company computers, networks and smartphones.
In the US, private firms such as Castlight Health Inc and Healthcore Inc have collected medical information that can make assumptions about the health of employees within a workforce. Although names of individual employees are generally not released alongside such data, the disclosures could include the number of female staff at an organisation that may be trying to conceive.
Similarly firms can make assumptions based on web searches, perhaps carried out within an employee’s lunch hour, which may, for example highlight personal circumstances otherwise not disclosed but that act as an indicator for a person’s future plans, especially searches which indicate them taking an interest in e.g. maternity wear or nursery furniture.
Through the Data Protection Act (1998) and EU legislation, companies based in the UK face more regulation than those in the US, with businesses expected to be ‘transparent’ and ‘fair’ with data that they collect.
Despite this, current regulations surrounding Big Data are struggling to keep up with developments in data use and mining – although further legislation to impose additional constraints on personal data processing are due to be introduced in the coming months.
The General Data Protection Regulation (GDPR) adopted by the EU Parliament and Council earlier this year is set to come into effect in 2018. The new regulations will strengthen existing legislation across all EU states.
Following the Brexit vote, it remains to be seen whether the UK will adopt the GDPR. However, the legislation is due to be implemented by all member states by May 2018 (and we will still be members at this point). In any event the UK will want to continue conducting business with EU members, and so will need to continue to demonstrate that they have adequate data protections in place.
Among the changes proposed in the GDPR is the requirement for Big Data collectors – regardless of where they are based – to obtain explicit consent from EU citizens before collecting and processing their information, with large fines being imposed on organisations that fail to do so.
The new legislation will also provide individuals with new rights, giving them the ability to object to profiling that significantly affects them, and to request that existing profiles be ‘forgotten’.
With this in mind, it is wise for businesses to take a ‘safety first’ approach. The trend is to increase restrictions on collection and use of data so you need to ensure your business has a clearly defined policy on how it uses data, whether from customers or employees.
Not doing so increases your risk of falling foul of current legislation and new measures and the result could be a costly employment tribunal.
You might also be interested in...
15th August, 2019
Leading legal practice Aaron & Partners has strengthened two of its teams with the recruitment of two new... Read More »