If you work in a modern office, chances are you’ve heard about employers putting on a health or fitness challenge for the staff. It’s not surprising that so many companies and organizations are looking for ways to improve the well-being of their team. Studies show that a healthier employee works better. Encouraging everyone to eat healthily and stay in shape is good business.

ACT | The App Association’s We Wear It series—where we’re trying out a bunch of different wearable devices throughout the summer, using them for health and fitness challenges, and telling you all about it—is in its fourth week. Right now we’re challenged to find our daily recommended water intake and drink that much each day – and I, for one, have spent all week realizing that I do not drink nearly enough water.

But before you start a health program at the office, it’s important that your team has a plan for the privacy and security of employee health data. Specifically, every organization should have a privacy policy that outlines the challenge program and how the health data collected and submitted by participants will be used and protected. Here are a few places to start when drafting a privacy policy:

Voluntary and Not Liable – There are many reasons why someone would not want or be able to participate in a health or fitness challenge. Employers should encourage employees to consult a doctor before beginning any new exercise or diet. Further, the privacy policy should clarify that the employer is not responsible for any injuries incurred while participating in the program. Best practice is to make these kinds of challenges an “opt in” event.

Collection of Data – To participate in a health challenge, employees will likely have to submit health data and other personally identifiable information (“PII”). Employees should understand how their PII is being collected and protected. Specifically, the privacy policy can address things like whether or not data will be disclosed as a part of the challenge (like having a website where participants and their scores and data are listed). Those policies should have a way for employees to request data be corrected, changed, or deleted.

Health Data Not Used for Employment Reasons – Health data is sensitive stuff. Even simple step counts can let an employer know when and how their employees are active. Employees should make sure the privacy policy has provisions that prevent employers from using health data to make employment decisions, like hiring, firing, and promotions.

Third Parties – Often, employees will use third-party wearables to track their progress (for our challenge I am currently wearing a Withings Pulse and June by Netatmo). Wearables are generally built to connect to an app, which allows users to view their data history. The apps themselves can also collect data; for example, the app I use in association with my June collects my location in order to give me a forecast of the UV index for my area. Employers should be clear – especially when they are the ones providing the wearable – that they are not responsible for the collection or use of employee information by third parties.

Social Media – When the health challenges have a social media aspect to them, employers should be clear that they are not responsible for the security of information that employees voluntarily place in public places, like Twitter, Instagram, Facebook, and even blog posts and comments on the employer’s website. Employees who participate in a challenge publish information in public forums at their own risk.

While not an exhaustive list, hopefully these suggestions give you an idea of where to start when drafting a privacy policy for your health or fitness challenge. You can check out the privacy policy for ACT | The App Association’s We Wear It Challenge. Now, if you will excuse me, I have to go drink some more water.
