The Unblinking Eye: Employee Monitoring in the IoT Era - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Management
01:00 PM
Christine Lyon, Partner in the law firm of Morrison & Foerster
Christine Lyon, Partner in the law firm of Morrison & Foerster

The Unblinking Eye: Employee Monitoring in the IoT Era

Monitoring machines in the Internet of Things can provide valuable data, but there could be privacy issues when employees are using those machines.

The privacy concerns raised by the Internet of Things (IoT) have focused mostly on the consumer, whose personal data is captured in a growing list of goods, including mobile devices, fitness trackers, cars, and home appliances. 

Less attention has been paid to the privacy of employees interacting with IoT in the workplace. For ample reasons, innovation in so-called industrial IoT (IIoT) is projected to explode in coming years. With the latest technologies, companies can better manage and track their inventory; automatically spot and service equipment failures; create safer work environments; and improve employee efficiency. These improvements are made possible through real-time communication between machines with software that collects and interprets vast amounts of data.

But companies investing in these technologies should be aware of potential legal-privacy risks that await. Even if it’s not their primary function, many IIoT applications could be used to monitor employees in unintended ways. Use of such data, if it’s not obtained properly, could damage a company’s reputation or put it on the defense in litigation.

Christine Lyon
Christine Lyon

Take, for example, sensors that some industrial companies embed in employee uniforms and helmets. These kinds of sensors can detect hazardous conditions such as toxic gases, or warn of over-exertion based on the reading of an employee’s heartbeat. Or consider GPS-enabled devices or mobile applications that permit employers to track the precise physical location of workers in order to deploy them most efficiently to new work assignments.

But what if information gleaned from these devices was used to detect patterns about an employee’s movements, which could be used to draw negative conclusions about the employee’s efficiency or performance? Yet an employee’s slow pace in moving between work stations, or frequent departures for bathroom breaks, might be due to a legally protected medical condition rather than laziness. Penalizing the employee based on this data might set the employer up for a disability discrimination claim. Similarly, an employer may face whistleblower or retaliation claims if a manager is able to use location data to figure out which employee went to the human resources office to lodge a complaint about him or her. It is inevitable that employers will seek to use IoT data to better manage their employees, as well as their inventory and equipment, but employers will need to guard against inappropriate or even unlawful uses of this data.

The sensors do not need to be carried by the employees to raise potential privacy concerns. In a connected workplace, data about employees can be captured in any number of ways. Sensors connected to equipment -- forklifts, for instance -- could provide detailed information about an employee’s movements. Again, harvesting and using this data could open up a Pandora’s box.

Unfortunately, a myth persists that an employee’s privacy rights end the moment he or she walks through an employer’s door. The reality is more nuanced in the United States, where employees can and do bring claims against their employers alleging that monitoring activities invade their privacy, especially when the monitoring is high-tech or unexpected. And the myth is fundamentally wrong in places outside the United States, such as in Europe, which views privacy as a fundamental human right that follows employees into the workplace and thus imposes broad restrictions for monitoring employees.

Other stakeholders may have a say in employee monitoring as well. Unionized employers will need to consider their potential obligations to consult or bargain with the labor unions over employee monitoring programs. Employers will also need to assess their obligations under local employment laws to consult with works councils or other employee representatives and potentially to register with (or even seek approval from) local data protection authorities of certain employee monitoring activities. Employee monitoring activities that may be permissible in one country may be problematic in another, so it is important to consider local laws and practices.

To reduce the risk of employee claims and reputational harm, companies should keep a few best practices in mind:

  • Give proper notice to employees. Office workers are used to receiving privacy notifications from their employers when they log onto their work computer. Similar notifications should be given to employees who are interacting with the IIoT.
  • Be thoughtful about what you collect and collect only what you need. In seeking to improve workplace efficiency and safety, it’s natural to want more data. The richer the data, the better the conclusions can be made about what needs improvement. But the more data collected, the more likely you could run into unforeseen legal consequences. Generally, when deciding what information to collect, make sure there is a strong business case that outweighs privacy concerns for individuals. In court, it’s harder to defend data collection seen as excessive.
  • Be thoughtful about how long you maintain the data. With data storage so cheap, it may be tempting to keep data for extended periods of time. But again, the longer you keep data, the more potential for legal risk. If maintaining data for long periods is critical, think about aggregating data so it’s no longer personalized.


Christine E. Lyon is a partner with Morrison & Foerster. She advises organizations on cutting-edge issues related to the collection, use, sharing, and safeguarding of data, including personal information of customers and employees.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/22/2017 | 9:13:26 AM
IoT security
There ara really lots of issues with IoT at the moment. In January there was a big IoT Tech Expo in London where industry experts discussed issues mentioned in the article. The main idea behind the Expo is that IoT is evolving, there is no single understanding of what it encompasses and what are the boundaries, especially legal. As IoT software developers we were really keen on learning more about software security. And there is no clear answer on how to provide it. One of the cases, for example, is when you use smart bulbs at you industrial premises/home and then - when it is broken - you throw it away. However, the lamp has in-built access to you network. Which means you even cant just throw away IoT devices....    
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Northwestern Mutual CIO: Riding Out the Pandemic
Jessica Davis, Senior Editor, Enterprise Apps,  10/7/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll