Maintaining location data on employees is critical in safeguarding your workforce and providing them with location-based safety information and to be able to assist them in case of need. However, today’s employees are keenly aware of their location privacy rights, which can present a challenge for any HR-, risk-, travel- or security manager.
The balance between employees’ privacy and the gathering of their personal data to be able to safeguard them
There is a complex and difficult contradiction between respecting the privacy of your employees and the gathering of location data that is detailed, and exact enough to protect your employees in case of need. For example, if there is a fire in the office, you would like to know, at that specific moment, if an employee is at the office or having lunch downtown or working from home. The issue is that such detailed and exact location information can also be misused to spy on the employee.
Transparency and flexible privacy settings encourage employees to share their personal data
Through transparency and flexible privacy settings, you can encourage your employees to be more willing and open to sharing real time and detailed location data such as mobile phone tracking. In both proactive and reactive safeguarding, it is vital to know where they are, where they have been, and where they are going to be.
Proactive situations are when the organization reaches out to the employee to check if they are OK or prevent them from entering a risk-filled situation. Reactive safeguarding is when the employee contacts the organization for assistance or guidance. The problem is that employees are often aware of their (location) privacy rights and hinder their employers for gathering location information such as refusing to install duty of care software or blocking an application’s location services on their smartphones. This can also include users refusing location access in the settings in the operating system as well as pop-ups with requests to approve the use of location services in the applications. The trust between employee and employer is often impaired further by companies’ lack of transparency, poor management of privacy policies, and inflexible privacy settings in the application.
Transparency in how you process personal data is necessary to gain the trust of your employees
Transparency is necessary to gain the trust of the employees, and the key to transparency is a deep and thorough knowledge of the data flows and how the data is used. This knowledge needs to be distributed to the employees in an accessible and comprehensible manner. For example, this could involve creating integrity policies covering different situations employees will be exposed to while gathering and processing their personal data. Below, we will introduce two such policies covering different levels.
Service privacy policy – a mandatory but more generic policy on collecting personal data
When collecting personal data such as employee location data, a privacy policy is mandatory in many countries and unions, such as EU. Many providers of technical platforms provide a default privacy policy that we call Service privacy policy. In many cases, the service privacy policy is a part of the provider’s terms of service. The service privacy policy is written at a higher level and is more generic than the location tracking policy that is described below. An example of this is Safeture’s Privacy Policy (Section 4).
Location tracking policy – a crucial but non-mandatory policy with greater depth than the Service privacy policy
As a complement to the Service privacy policy, many organizations also create a Location tracking policy. This is deeper and tailored to address requirements related to legislations, sectors, regions, risk profiles, etc. Even though the Location tracking policy is not legally mandatory, it is an important asset to increase employees’ insights on how their personal data is used. The Location tracking policy will vary from organization to organization, however. Below, you will find the generic Location tracking policy components needed to maintain transparent communication toward the employees. (Source: Traveller tracking ISO 31030:2021(E) 7.4.13. (Safeture does not receive any commission on any purchases done through the provided link. It’s entirely for informational purposes.))
The following five sections describe different components on which a Location tracking policy can be structured
1. Determining which Personal Data Attributes to Process
To adequately safeguard your employees, some mandatory data is required. Two more groups of optional data can be added: Highly Recommended Optional and Optional. The reasoning behind the two optional groups is the sensitivity of the data weighted against the level of protection it provides for the employee(s).
Here are some examples of what type of data would fall under each group:
Mandatory:
- Name
- Email address
- Session identifiers
Highly Recommended (Optional):
- Location (travel bookings, mobile phone tracking, work location, etc.)
- Phone number
- User device information
Optional:
- Medical information (allergies, medical conditions, medications)
- Gender
- Family emergency contact
Further examples can be found on Safeture’s Personal Data Classification page.
2. Understanding How the Location Data will be Used
The main purpose for maintaining employee location data is to prevent emergencies and assist the employees in the case of need. The location information will enable the emergency team to contact employees that are in the affected area, and better assist employees that contact the assistance center. Additionally, the location information will enable automation of sending alerts to employees that are in the vicinity of an incident.
It is important to implement a system in which an administrator is not allowed to access employee location data without one or more common triggers being fulfilled. Common triggers could include:
- Employee requests assistance
- An incident in the vicinity of one or more employees
- Missed scheduled check-ins that could be a sign something has happened to an employee
- Colleagues reporting an employee is missing
When the employee reaches out and requests assistance the administrator should have the right to look at an employee’s location data to support the employee in their security or medical emergency. This is often triggered by a phone call and results in that the administrator interacts directly with the employee.
In the cases of the administrator working proactively such as locating employees in or near a disaster area, this is normally initiated by a procedure where the administrator sends out an “Are you ok?” message and tries to reach the potentially affected employee(s) by phone.
3. Specifying Who will have Access to the Data
Employees should only have access to their own information, meaning end-users should not be able to see information about other end-users. Likewise, non-security critical managers or other employees with personnel responsibilities shouldn’t be able to see other employees’ location data, either. There are a few exceptions to this, namely certain administrators that require access to protect and assist the employees such as Travel Risk Managers, Global Security Operational Center operatives (GSOCo), Emergency Response Center operatives (ERCo), etc.
4. Protecting the Data
Transparency also includes informing your employees about the data protection measures you implement as a company to protect your employees’ data. Always include both technical and organizational protection measures in your communication. When an employee feels you have a well thought out process and good technical and organizational measures in place, they’re more willing to share their personal (location) data.
Here are examples of protection measures that are mandatory or highly recommended:
- Single Sign-On
- Role-Based Access Controls
- IP-white listing
- Two-factor Authentication
- Encryption
- Obfuscation, pseudonymization, and anonymization
You can find a more thorough list and examples on Safeture’s Datenschutzmaßnahmen page. This can also be used as a guide in your work with transparency towards employees.
These examples and more are part of the work involved in meeting cyber security certifications such as the ISO 27001. (Source: ISO 27001:2022 (Safeture does not receive any commission on any purchases done through the provided link. It’s entirely for informational purposes)).
A final note: In preventing administrators from abusing employees’ location data, comprehensive audit logs should be kept. These audit logs enable follow-up procedures in the case of misuse of information on the platform.
5. Retaining the Data
Most providers have a custom default retention period. However, some circumstances require the retention periods to be configurable. Below are some examples of such circumstances:
- Different groups of personal data (Mandatory, Highly Recommended Optional, Optional (See Transparency section ‘Determining which Personal Data Attributes to Process’)
- The Organization’s risk exposure
- Regions of operation
- Privacy legislations
In working towards transparency, you should give users the opportunity to cancel their own account and/or service if desired. This triggers the default or configured retention period. This ensures flexible privacy settings for all employees.
Flexible Privacy Settings
Providing flexible privacy settings is crucial. To give the employees full control of their privacy, the system must be tailored to meet requirements that originate from several different situations. By giving the user the power to change their privacy settings, you give them actual control over their own data. This, in turn, makes the user feel more comfortable to share more location data.
Technically, the settings should enable the employee to choose when, where, and how granular and privacy protected location data can be collected. Useful settings for the employee to change on their own can be:
- Exact position
- City
- Region
- Exact position only when abroad
When positions should be shared:
- Always
- Never
- Geplante Check-ins
- During an emergency
The above settings options enable for example the employee to not share their location data while in their home country but collect this data when abroad. Here is a visual example of its implementation.
Another important feature for both the employee and you as an administrator is Scheduled Check-ins. These enable a systematic way of making sure the employees are OK without continuous positioning. As an Administrator, you should be able to set a schedule when you want individuals or groups to check-in. A missed check-in could trigger a notification to selected Administrators. For the employee’s convenience, the check-in time should take the employee’s current time zone into consideration.
During an emergency, it is key for the employee to be able to override their default or chosen privacy settings. Typically, this is done through an easily accessible toggle switch. An emergency button in a mobile app is one such switch. The pressing of the emergency button should override the chosen settings and give an exact position with an increased (real-time) positioning update frequency. In addition, several background processes such as emergency notifications to emergency assistance personnel are usually triggered at the same time.
Next Steps: Summary and Action Items
For your employees’ safety, location data is key. It is important to consider the usefulness of transparency and flexibility to build mutual trust. As every organization is unique, the location tracking and privacy implementation needs to adopt for each organization. However, there are a few common denominators in the work processes for most organizations.
- What is your current (if any) solution, and is it compliant with your country’s legislation?
- Does the current solution support your organization’s requirements of Duty of Care?
- Many organizations have a higher standard of Duty of Care than the country’s legislation dictates driven by ethical decisions and for being a caring employer.
- Do you already have privacy policies in place, and are they up to date?
- Do you have a proper balance in your safeguarding? Is all the data gathered relevant, and do you lack any data you would need in an emergency?
- Are your current communications channels enough to distribute policies and updates to all affected employees?
- Do you implement continuous improvements and monitor changes in legislation to keep your policies up to date?
This is your first step to establishing the necessary provisions to safeguard your most valuable assets. While employees can be afraid of sharing personal data with their employer, it is important to maintain clear, consistent, and transparent communication that demonstrates why sharing personal data is important, how it is used, and is collected only for the purpose to keep them safe.
Jens Guldbrand
Information Security Manager, Safeture
Jens manages the ISMS work at Safeture and oversees the legal work with 3rd parties and sets the strategy for how Safeture works with information security. He is a key figure in Safeture’s work with the ISO 27k certification and has ownership of Safeture’s Security Steering Group.
He has written several of Safeture’s internal and external policies, in addition to the assembly of a thorough self-assessment questionnaire for organizations to evaluate their compliance with the ISO 31030 standards.
