
Data privacy and health wearables in the workplace: Who should be accountable? (Reader Forum)

With the expansion of 5G networks, industry experts are watching to see how the proliferation of 5G will stimulate the growth of wearable devices. Even without 5G, the connected wearable device marketplace doubled in size between 2016 and 2019, and it is projected to reach more than one billion by 2022, according to Statista.  

One area in which we are likely to see an increase in demand for wearable devices is corporate wellness programs. More businesses than ever are handing out company-sponsored wearables to encourage employees to incorporate healthy habits – walking a specific number of steps per day, for example – as a way to reduce the company’s healthcare premiums. Wireless fitness trackers and smartwatches provide an easy means to track employee progress.  

Carriers are likely to benefit from this trend as well, both in supplying the devices and their connectivity to enterprise clients and in managing buyback programs. This puts carriers in a critical position when it comes to helping enterprises better manage how the data privacy of employees is protected when they wear a company-owned health wearable.

Workplace devices are getting more personal  

Historically, the expectation was that company-issued technology used to conduct business on behalf of an organization would contain only business-related data. Traditional desktop computers, for example, typically have had little personally identifiable information. This has changed over time with advances in device mobility. Today laptops and mobile devices that regularly leave the office likely contain a cache of personal data in addition to work files. Now think about what wearables bring to the table. These small personal devices, perhaps issued to an employee as part of a corporate wellness program, are fully connected computing devices on which the information tracked and shared is entirely personal in nature. This could include highly sensitive health details.  

So, what happens to the sensitive health data when an employee leaves an organization to work elsewhere? Are wearable devices reused, recycled or returned to a carrier? And which party – the individual user, the company sponsoring the device or the carrier – is responsible for ensuring that the data is eradicated? These are all questions that must be taken into consideration before putting a device on an individual’s wrist.

Wellness tools versus healthcare devices 

Everyone involved in the company-owned health wearables ecosystem – employees, employers and carriers – must understand how data privacy rules apply. First and foremost, wearable devices are not healthcare devices, which makes them exempt from HIPAA regulations. HIPAA regulations only apply to information created, received or maintained on behalf of healthcare providers and health plans. To bypass HIPAA regulations, many companies in the wearables space simply label their products as wellness tools in their privacy policies or terms and conditions.  

While exempt from HIPAA regulations, many wearables and wellness apps do collect substantial personal information about an individual’s exercise routine and general health. The information collected is then either sold by the device manufacturer or app provider for marketing purposes or used to improve their products. Furthermore, employer-sponsored wearables may also share the data collected about individuals with a health insurance provider.

Needless to say, the risk of private information getting into the wrong hands is high without proper data management. 

Protecting sensitive health information  

At present, data hygiene is still an issue that enterprises have not entirely tackled. Last year, Blancco in partnership with Coleman Parkes conducted a survey with 1,850 senior enterprise leaders about how they handle data. More than half (56%) stated that their organization does not have a data sanitization policy in place that’s being effectively communicated across the full company on a regular basis, thereby increasing the risks of potential data breaches. Wearables may be a catalyst for enterprises and their employees to become more involved in the process, as quite a bit of personal data is at stake.  

When an employee is offered a device that will contain and share sensitive personal information, it’s important for companies to be transparent about how data will be used and have clear procedures about how to deal with that data. Being open about who will have access to the device data and the reason that it is being provided to others helps organizations adhere to privacy regulations and safeguards company reputations with current and future employees. While many individuals will be fine with their information being shared once they know the reason is to decrease the cost of health benefits to both the business and its employees, it’s imperative to allow the user to make the choice with the full context.   

Another consideration is what happens when an employee returns a device that contains sensitive personal information. An organization’s data sanitization practices should be in place and clearly expressed for the cases in which devices are reused, returned to the company’s wireless carrier or otherwise disposed of.

Improper measures may leave sensitive user information on devices. Take a factory reset, for example. If device data is encrypted by default, a factory reset should make the data on the device inaccessible. However, if linked accounts are not proactively disconnected from the wearable, private information could be reloaded onto the device even after a factory reset.

Whose role is it to ensure workplace wearables are securely sanitized? 

As company-sponsored health wearables gain popularity, responsibility for ensuring that data sanitization best practices are followed is often shared among various players in the wearable ecosystem. As noted above, organizations issuing the device must pay attention to how the data is managed and eliminated. This process should be the same for wearables as for other company-issued technology, such as mobile devices and IT equipment. One approach is partnering with an ITAD (IT asset disposition) or other service provider to securely erase and sanitize the device before it’s given to a new employee or traded in with the carrier.

Employees also bear a level of responsibility. If they choose to link other personal accounts and devices to their company-provided wearables, it is in their best interest to proactively sever all wearable device connections when the time comes.  

A carrier’s role comes into play when it offers wearable leasing packages and buy-back programs. Doing so not only keeps used devices out of landfills, it also opens the door to revenue via the secondary device market. This means carriers must put in place data sanitization processes and partnerships to ensure they are not liable for the exposure of personal data. It also makes sense for carriers to provide their business clients with the same direct consumer education that they use for individually owned devices.

As wearables become second nature in the workplace, data privacy considerations will continue to arise, especially when it comes to the sensitive health data that may be found on wellness wearables. Proper data hygiene should continue to be addressed and standardized by all parties involved in the wearable device ecosystem, from the individual user and the enterprise to the carrier.

ABOUT AUTHOR

Russ Ernst, EVP of Products and Technology at Blancco, the standard in data erasure and mobile lifecycle solutions.
https://www.rcrwireless.com