One bad apple: a Morrisons employee put personal details of colleagues online © Bloomberg
Experimental feature

Listen to this article

00:00
00:00
Experimental feature

Recent data scandals have highlighted companies’ mismanagement of consumer information, from Cambridge Analytica’s use of Facebook users’ data to the €50m fine of Google by French regulators for breaking EU privacy rules. Now the spotlight has turned to the information companies hold about their employees.

The UK’s first data leak class action, brought by staff against Morrisons supermarket chain, means that, despite following rigorous data protection policies, it has been told to compensate staff whose personal details were posted on the internet by a disgruntled employee in 2014. The details included bank accounts, dates of birth, national insurance numbers, addresses and phone numbers. Morrisons is waiting for the UK’s Supreme Court to rule on its appeal.

“Cases like Cambridge Analytica demonstrated that people really do care now about their data privacy and they are not going to just shrug their shoulders if it turns out their information hasn’t been properly protected,” says Nick McAleenan, partner at JMW Solicitors, who represents the claimants.

Employers can gather unprecedented amount of data on workers far beyond personal details. For instance, technology can track someone’s movement, including interactions with colleagues and even personal fitness information, with artificial intelligence now being used to analyse behaviour.

As the availability of such so-called people analytics grows, employers are entering “uncharted territory”, says Ellyn Shook, chief leadership and human resources officer at professional services firm Accenture. Employee data, she warns, can be a “gold mine or a minefield”.

Collected responsibly, made secure and put to good use, data has the potential to benefit both organisation and individual. Treat it otherwise and the financial and reputational risks are high. Mr McAleenan says the 2018 General Data Protection Regulation (GDPR), brought in by the EU, is seen as the global gold standard for handling personal data responsibly.

A new survey by Accenture of 1,400 global senior executives found 49 per cent of business leaders would use new technologies and sources of workplace data as they saw fit. While 62 per cent said their organisations used tech to monitor employees and workplaces to gain precise insights — such as how employees spend their time, and with whom — only 30 per cent were “very confident” they are using the data responsibly.

55

Percentage of senior executives who told Accenture their organisation did not ask for employee consent on using tech to analyse employee information

Some 55 per cent said their company does not ask for employee consent. This varied between countries, with 41 per cent of respondents from Germany not asking, 44 per cent in the US and UK, 65 per cent in China and Spain, and Japan at 66 per cent.

“This is an issue that none of us really understands because it is relatively new and we don’t have good guidance and practices in any of our organisations yet,” says Thomas Kochan, professor at MIT Sloan School of Management. “Companies are just thinking about how they can use the data strategically and they have only been thinking about employees as an afterthought.”

Edward Houghton, the Chartered Institute of Personnel and Development’s head of research and thought leadership, says: “Companies want to make the most of people data and analytics but not enough organisations are thinking critically about the kind of risks that might be present.”

For companies operating within the EU, falling foul of GDPR can lead to fines of up to 4 per cent of global turnover or €20m, whichever is greater, if they are not clear about why they are collecting data, making sure the data they hold is adequate, relevant and not excessive, and that it is up to date and secure. In the US, companies put themselves at risk of “litigation, embarrassment when bad practices are exposed and of losing their best people”, says Prof Kochan.

The real risk, however, is to employee trust, says Ms Shook. Accenture has even calculated the difference in future revenue growth rates between losing and earning employee trust through the use of workforce data as 12.5 per cent. Accenture, she adds, has appointed its first data protection officer. Employees give their consent, can see the data collected and are allowed to challenge it.

Best practice is to be open with employees about which data is collected and why, who sees it and what the limits should be. Good practice also includes having robust cyber security measures, data protection policies, data audits and insurance.

“We are going to see employees begin to recognise that they have data that could be used as a source of influence and power,” says Prof Kochan.

Amy Castell, head of people at MediaCom, says the media agency uses anonymised people analytics to collect statistics on headcount, churn, retention, and ethnicity and gender. Its My360 career platform collects performance data that is seen only by an individual and their manager, as is the personal information gathered in its voluntary Open Blend application, which sets goals and metrics for an employee across work and personal life.

“Employee data brings greater transparency and understanding in terms of what’s happening with an organisation,” says Ms Castell.

Nevertheless, as Prof Kochan points out: “[Employees] are going to demand a voice in it, and a fair share of the benefits.”

Letter in response to this article:

EU rules on data are clear about employee consent / From Jon Baines, London, UK

Copyright The Financial Times Limited 2019. All rights reserved.

Follow the topics in this article