HM Insights

Google Glass glitch: why wearable technology presents a data protection headache

Wearable technology – which involves the incorporation of smart technologies, such as cameras and internet connectivity, into items of clothing and associated accessories - is becoming increasingly popular. Examples include smartwatches and Google Glass, which was released in the UK last week.

While the use of such technologies brings convenience and benefits to our private lives, it gives rise to a host of data protection issues when used within the workplace. Such devices are capable of collecting and transmitting large volumes of data that when connected to the internet enables them to automatically "share" content with popular online services and social media platforms, such as Facebook and Twitter.

If your organisation collects and processes personal data relating to individuals, it must comply with the Data Protection Act 1998 (the "DPA"). If employees process personal data in the course of their employment with your organisation, they must comply with the DPA when undertaking such processing on your behalf.

Difficulties arise, however, where your employees use their own wearable technology in the workplace in the course of their employment. What if an employee uses a smartwatch camera to take photographs of confidential documents or to make an audio recording of the proceedings of a client meeting? Both of these activities involve the processing of personal data in the course of employment for which your organisation, as the data controller for the purposes of the DPA, may be responsible.

Such employee devices are unlikely to have the same levels of security as your corporate network, and the storage and onward transmission of recorded personal data on and by such devices will present significant data security risks for your organisation. Will that photograph of confidential documents find its way onto an unrestricted public page of an employee's Facebook account and result in your organisation being found to be in breach of a key supplier contract?

Also, when your employee made that audio recording of that meeting with your client, did the employee comply with the fair processing requirements of the DPA and inform the client that such a recording was being made? If not, not only would your organisation be in breach of the DPA but your client could also make a DPA subject access request for a copy of that audio recording insofar as the recording constitutes the client's personal data.

With the increasing proliferation and range of wearable technology devices available, it is more, rather than less, likely that your employees will bring such devices into the workplace and use them in the course of their employment with your organisation. While it may be extreme and difficult to police an outright ban on employee use of wearable technology within the workplace, your organisation should begin to think about the policies and procedures that it needs to put in place to regulate employee use.