Consumers, businesses and manufacturers can all help ensure that the privacy rights of wearables users are respected.

Ruby A. Zefo, Chief Privacy & Security Counsel, Intel

August 18, 2014

Wearable devices are here: in bed, at home, on the street, and in the office. We often think of fitness bands and smartglasses, but wearables are proliferating in weird and wonderful ways via clothing, jewelry, ear buds, and tattoos.

This variety alone makes it difficult to define wearables. But one thing's for sure: Wearables carry with them enormous potential for individual and public good. They can help us track information like diet, exercise, and blood glucose levels that make us healthier. 

Wearables often collect data that's then transferred to a smartphone app through a wireless connection. That data may also be transferred to the cloud to be stored or analyzed. The Basis band I'm testing collects my sleep habits and reports a sleep score, various depths of sleep, temperature, and toss-and-turn rate. I transfer that data to an app on my smartphone or computer, which creates reports that help me gain insight into my sleep habits. 

Aggregated in a way that respects privacy rights, data from wearable devices can be used for the common good, such as disease prevention. With their connection to the Internet, wearables can make mobile payments, send texts and emails, and create videos of our daily lives.  

However, each of these benefits carries risk. Personal health data in the wrong hands could lead to profiling or discrimination. You wouldn't want your daily ice cream and Breaking Bad binge-watching habits to wind up increasing your health insurance rates. Mapped to location data, wearables data can lead to safety issues. Add in payment information, and you could be the victim of identity theft.

Data privacy best practices

Given the personal nature of this collected data, our acceptance of wearables depends on feeling that we have privacy and security rights and trust in both the device and its ecosystem. Consumers, businesses, and manufacturers all face challenges but can use best practices to overcome them.

Consumers should investigate the data being collected, how it is being collected, where the data is going, who's using it and for what purpose, and whether the data is secure through its lifecycle. They can start by reviewing the provider's website and privacy policy. If the company does not provide enough information, they can contact customer service. If the consumer isn't satisfied with the answers, perhaps it's time to pick a different device.   

Businesses should start by adopting device-neutral policies because policies cannot keep up with technology. When someone asks me what to do about Google Glass wearers, I ask them, "What did we do about cell phones?" We do not have a specific "cell phone recording policy"; we have an audio/visual recording policy that applies to any kind of recording device. Businesses should also be transparent with employees about expectations of wearables in the enterprise and how the data will be used or monitored. Also, focus on security. For instance, piping company email from a corporate network to an unregistered device without appropriate security controls risks loss of personal information and intellectual property. Don't ignore wearables here -- they're another form of BYOD. When I ask security experts if they have a BYOD program at work and they say "No," I say, "Yes you do. It's just not authorized."

For manufacturers, good user experiences are derived by elegantly integrating privacy into product and service designs, not bolting it on later (or never). Be transparent about data collection and use. Notice and consent for device users is often essential, but infusing other privacy principles with more verve can help, such as data minimization, legitimate business purpose, transparency, and accountability. 

To that end, wearables providers -- in fact, all companies -- should take advantage of programs that educate their employees on privacy and data security, such as certification programs offered through the International Association of Privacy Professionals (IAPP).

About the Author(s)

Ruby A. Zefo serves as Chief Privacy & Security Counsel for Intel. In that role, she manages Intel's global privacy and security legal group to enhance shareholder value through legal counseling on all privacy and security issues. She is also a member of the International Association of Privacy Professionals, the world's largest and most comprehensive global information privacy community.
