Article by Jens Guldbrand – Information Security Manager, Safeture (partner)
Maintaining location data on employees is critical to safeguarding your workforce, providing them with location-based safety information, and being able to assist them in case of need. However, today’s employees are keenly aware of their location privacy rights, which can present a challenge for any HR, risk, travel or security manager.
The balance between employees’ privacy and the gathering of their personal data to be able to safeguard them.
There is a complex and difficult contradiction between respecting the privacy of your employees and gathering location data that is detailed and exact enough to protect them in case of need. For example, if there is a fire in the office, you would like to know, at that specific moment, if an employee is at the office, having lunch downtown, or working from home. The issue is that such detailed and exact location information can also be misused to spy on the employee.
Transparency and flexible privacy settings encourage employees to share their personal data.
Through transparency and flexible privacy settings, you can encourage your employees to be more willing and open to sharing real-time and detailed location data such as mobile phone tracking. In both proactive and reactive safeguarding, it is vital to know where they are, where they have been, and where they are going to be.
Proactive safeguarding is when the organisation reaches out to the employee to check if they are OK or to prevent them from entering a risk-filled situation.
Reactive safeguarding is when the employee contacts the organisation for assistance or guidance.
The problem is that employees are often aware of their (location) privacy rights and hinder their employers from gathering location information, for example by refusing to install duty of care software or by blocking an application’s location services on their smartphones. This can also include users refusing location access in the operating system settings, as well as declining pop-up requests to approve the use of location services in the applications. The trust between employee and employer is often impaired further by companies’ lack of transparency, poor management of privacy policies, and inflexible privacy settings in the application.
Transparency in how you process personal data is necessary to gain the trust of your employees.
Transparency is necessary to gain the trust of the employees, and the key to transparency is a deep and thorough knowledge of the data flows and how the data is used. This knowledge needs to be distributed to the employees in an accessible and comprehensible manner. For example, this could involve creating integrity policies covering different situations employees will be exposed to while gathering and processing their personal data. Below, we will introduce two such policies covering different levels.
Service privacy policy – a mandatory but more generic policy on collecting personal data.
When collecting personal data such as employee location data, a privacy policy is mandatory in many countries and unions, such as the EU. Many providers of technical platforms provide a default privacy policy that we call the Service privacy policy. In many cases, the Service privacy policy is a part of the provider’s terms of service. The Service privacy policy is written at a higher level and is more generic than the Location tracking policy that is described below.
Location tracking policy – a crucial but non-mandatory policy with greater depth than the Service privacy policy.
As a complement to the Service privacy policy, many organisations also create a Location tracking policy. This is deeper and tailored to address requirements related to legislation, sectors, regions, risk profiles, etc. Even though the Location tracking policy is not legally mandatory, it is an important asset for increasing employees’ insight into how their personal data is used. The Location tracking policy will vary from organisation to organisation, however. Below, you will find the generic Location tracking policy components needed to maintain transparent communication toward the employees. (Source: Traveller tracking ISO 31030:2021(E) 7.4.13.)
The following five sections describe different components on which a Location tracking policy can be structured:
1. Determining which Personal Data Attributes to Process
To adequately safeguard your employees, some mandatory data is required. Two more groups of optional data can be added: Highly Recommended Optional and Optional. The reasoning behind the two optional groups is the sensitivity of the data weighed against the level of protection it provides for the employee(s).
Here are some examples of what type of data would fall under each group:
Mandatory:
- Name
- Email address
- Session identifiers
Highly Recommended (Optional):
- Location (travel bookings, mobile phone tracking, work location, etc.)
- Phone number
- User device information
Optional:
- Medical information (allergies, medical conditions, medications)
- Gender
- Family emergency contact
2. Understanding How the Location Data will be Used
The main purpose for maintaining employee location data is to prevent emergencies and assist the employees in the case of need. The location information will enable the emergency team to contact employees that are in the affected area, and better assist employees that contact the assistance center. Additionally, the location information will enable automation of sending alerts to employees that are in the vicinity of an incident.
It is important to implement a system in which an administrator is not allowed to access employee location data without one or more common triggers being fulfilled. Common triggers could include:
- Employee requests assistance
- An incident in the vicinity of one or more employees
- Missed scheduled check-ins that could be a sign something has happened to an employee
- Colleagues reporting an employee is missing
When the employee reaches out and requests assistance, the administrator (Global Response Team) should have the right to look at the employee’s location data to support the employee in their security or medical emergency. This is often triggered by a phone call and results in the administrator interacting directly with the employee.
In the cases of the administrator working proactively such as locating employees in or near a disaster area, this is normally initiated by a procedure where the administrator sends out an “Are you ok?” message and tries to reach the potentially affected employee(s) by phone.
3. Specifying Who will have Access to the Data
Employees should only have access to their own information, meaning end-users should not be able to see information about other end-users. Likewise, non-security critical managers or other employees with personnel responsibilities shouldn’t be able to see other employees’ location data, either. There are a few exceptions to this, namely certain administrators that require access to protect and assist the employees such as Travel Risk Managers, Global Security Operational Centre operatives (GSOCo), Emergency Response Centre operatives (ERCo), etc.
4. Protecting the Data
Transparency also includes informing your employees about the data protection measures you implement as a company to protect your employees’ data. Always include both technical and organisational protection measures in your communication. When an employee feels you have a well thought out process and good technical and organisational measures in place, they’re more willing to share their personal (location) data.
Here are examples of protection measures that are mandatory or highly recommended:
- Single Sign-On
- Role-Based Access Controls
- IP whitelisting
- Two-factor Authentication
- Encryption
- Obfuscation, pseudonymization, and anonymization
These examples and more are part of the work involved in meeting cyber security certifications such as ISO 27001. (Source: ISO 27001:2022).
A final note: In preventing administrators from abusing employees’ location data, comprehensive audit logs should be kept. These audit logs enable follow-up procedures in the case of misuse of information on the platform.
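The access rules from sections 2 to 4 can be enforced in one place. The following is an added example, not code from the article or from any vendor platform: a location read succeeds only for the employee themselves or for a privileged role with an active trigger, and every attempt is audit-logged. The role names, class and field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Trigger(Enum):
    ASSISTANCE_REQUEST = "employee requested assistance"
    NEARBY_INCIDENT = "incident in the vicinity"
    MISSED_CHECKIN = "missed scheduled check-in"
    REPORTED_MISSING = "reported missing by colleagues"

# Roles allowed to see other employees' locations (assumed role names).
PRIVILEGED_ROLES = {"travel_risk_manager", "gsoc_operative", "erc_operative"}

@dataclass
class LocationStore:
    positions: dict                                       # employee_id -> position
    active_triggers: dict = field(default_factory=dict)   # employee_id -> set of Trigger
    audit_log: list = field(default_factory=list)

    def raise_trigger(self, employee_id, trigger):
        self.active_triggers.setdefault(employee_id, set()).add(trigger)

    def read_location(self, actor_id, actor_role, employee_id):
        """Return the position or None; every attempt is written to the audit log."""
        triggers = self.active_triggers.get(employee_id, set())
        if actor_id == employee_id:
            allowed, reason = True, "own data"
        elif actor_role not in PRIVILEGED_ROLES:
            allowed, reason = False, "role not permitted"
        elif not triggers:
            allowed, reason = False, "no active trigger"
        else:
            allowed = True
            reason = "; ".join(sorted(t.value for t in triggers))
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor_id, "role": actor_role, "subject": employee_id,
            "allowed": allowed, "reason": reason,
        })
        return self.positions.get(employee_id) if allowed else None

# Constructed sample data: one employee, one operative, one line manager.
store = LocationStore(positions={"emp-17": (59.33, 18.06)})
denied_no_trigger = store.read_location("adm-1", "gsoc_operative", "emp-17")
denied_role = store.read_location("mgr-4", "line_manager", "emp-17")
store.raise_trigger("emp-17", Trigger.MISSED_CHECKIN)
granted = store.read_location("adm-1", "gsoc_operative", "emp-17")
```

Denied attempts are logged as well as granted ones, so a follow-up review can see who tried to look up an employee without a trigger.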
5. Retaining the Data
Most providers have a custom default retention period. However, some circumstances require the retention periods to be configurable. Below are some examples of such circumstances:
- Different groups of personal data (Mandatory, Highly Recommended Optional, Optional; see the section ‘Determining which Personal Data Attributes to Process’)
- The Organisation’s risk exposure
- Regions of operation
- Privacy legislations
In working towards transparency, you should give users the opportunity to cancel their own account and/or service if desired. This triggers the default or configured retention period. This ensures flexible privacy settings for all employees.
Flexible Privacy Settings
Providing flexible privacy settings is crucial. To give the employees full control of their privacy, the system must be tailored to meet requirements that originate from several different situations. By giving the user the power to change their privacy settings, you give them actual control over their own data. This, in turn, makes the user feel more comfortable sharing more location data.
Technically, the settings should enable the employee to choose when, where, and at what granularity and level of privacy protection location data can be collected. Useful settings for the employee to change on their own can be:
Granularity levels:
- Exact position
- City
- Region
- Exact position only when abroad
When positions should be shared:
- Always
- Never
- Scheduled check-ins
- During an emergency
The above settings enable the employee, for example, to not share their location data while in their home country but to have it collected when abroad. Here is a visual example of its implementation.
Another important feature for both the employee and you as an administrator is Scheduled Check-ins. These enable a systematic way of making sure the employees are OK without continuous positioning. As an Administrator, you should be able to set a schedule when you want individuals or groups to check in. A missed check-in could trigger a notification to selected Administrators. For the employee’s convenience, the check-in time should take the employee’s current time zone into consideration.
During an emergency, it is key for the employee to be able to override their default or chosen privacy settings. Typically, this is done through an easily accessible toggle switch. An emergency button in a mobile app is one such switch. The pressing of the emergency button should override the chosen settings and give an exact position with an increased (real-time) positioning update frequency. In addition, several background processes such as emergency notifications to emergency assistance personnel are usually triggered at the same time.
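How the granularity level, the sharing mode and the emergency override combine into a single decision, as an added example that is not code from the article or from any vendor platform. The type and function names are assumptions, as is the reading that "exact position only when abroad" shares nothing inside the home country.

```python
from dataclasses import dataclass
from enum import Enum

class Granularity(Enum):
    EXACT = "exact position"
    CITY = "city"
    REGION = "region"
    EXACT_ABROAD = "exact position only when abroad"

class Sharing(Enum):
    ALWAYS = "always"
    NEVER = "never"
    CHECKIN = "scheduled check-ins"
    EMERGENCY = "during an emergency"

@dataclass(frozen=True)
class Fix:                      # one position report from the device
    lat: float
    lon: float
    city: str
    region: str
    country: str

def shared_location(fix, granularity, sharing, home_country,
                    is_checkin=False, emergency=False):
    """Return what the platform may store for this fix, or None."""
    exact = {"lat": fix.lat, "lon": fix.lon, "country": fix.country}
    if emergency:               # emergency button overrides every setting
        return exact
    if sharing in (Sharing.NEVER, Sharing.EMERGENCY):
        return None
    if sharing is Sharing.CHECKIN and not is_checkin:
        return None
    if granularity is Granularity.EXACT:
        return exact
    if granularity is Granularity.CITY:
        return {"city": fix.city, "country": fix.country}
    if granularity is Granularity.REGION:
        return {"region": fix.region, "country": fix.country}
    # EXACT_ABROAD: assumed to share nothing inside the home country
    return exact if fix.country != home_country else None

# Constructed sample fixes.
HOME = Fix(59.3293, 18.0686, "Stockholm", "Stockholm County", "SE")
ABROAD = Fix(48.8566, 2.3522, "Paris", "Île-de-France", "FR")
```

Coarsening happens before storage, so an administrator who later gains access through a trigger still sees only what the employee agreed to share.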
Next Steps: Summary and Action Items
For your employees’ safety, location data is key. It is important to consider the usefulness of transparency and flexibility to build mutual trust. As every organisation is unique, the location tracking and privacy implementation needs to be adapted to each organisation. However, there are a few common denominators in the work processes for most organisations.
- What is your current (if any) solution, and is it compliant with your country’s legislation?
- Does the current solution support your organisation’s requirements of Duty of Care?
- Many organisations have a higher standard of Duty of Care than the country’s legislation dictates, driven by ethical decisions and by being a caring employer.
- Do you already have privacy policies in place, and are they up to date?
- Do you have a proper balance in your safeguarding? Is all the data gathered relevant, and do you lack any data you would need in an emergency?
- Are your current communications channels enough to distribute policies and updates to all affected employees?
- Do you implement continuous improvements and monitor changes in legislation to keep your policies up to date?
This is your first step to establishing the necessary provisions to safeguard your most valuable assets. While employees can be afraid of sharing personal data with their employer, it is important to maintain clear, consistent, and transparent communication that demonstrates why sharing personal data is important, how it is used, and that it is collected only for the purpose of keeping them safe.