What are the legal challenges of embracing big data and the internet of things?

“Big data” and the “internet of things”  is fundamentally transforming how mining businesses conduct their operations, and helping companies significantly improve safety and productivity.  

While this technology presents big opportunities, employers need to consider the legal ramifications, including the discrimination and privacy aspects of collecting and using such information. 

“Big data” enables operators to analyse large amounts of data by applying algorithms to find correlations and identify trends or make predictions.  The “internet of things” enables operators to obtain real-time data from devices connected to machinery, vehicles and employees. 

“Big data” and the “internet of things” can assist businesses by: 

• capturing the flow of information to reduce variations in decision making;
• mechanising operations through tele-remote and assisted control equipment; 
• predicting mechanical failures;
• optimising material and equipment flow; and
• monitoring employee performance in real time. 

Wealth of opportunities

It is not difficult to envision how such technologies could have a tremendous impact on employee productivity and safety.  “Smart” glasses or goggles could provide employees with instructions on how to perform a job, or carry out repairs.  Personnel could be equipped with sensors to alert managers of hazardous conditions or the physical condition of the worker (e.g. by tracking their fatigue or alcohol consumption).  Fitbits could form part of a company’s wellness initiative or be used to reduce health care costs (a practice used by some large organisations in US).  Analytic tools could be a valuable recruitment tool and programmed to identify whether prospective employees possess valued characteristics (based on the attributes of previous successful employees). 

Big data could also be used to correct unconscious bias that sometimes arises in recruitment, resulting in some managers choosing candidates with characteristics similar to themselves. By using big data, algorithms could ensure that objective criteria are applied and that the correct skill set is identified in recruitment and promotion decisions.    

Legal hurdles

Collecting and using such data however also presents a number of legal challenges for employers, particularly in relation to discrimination and privacy. 

• Discrimination

The “internet of things” presents challenges for compliance with anti-discrimination legislation.  For example, an employer could unintentionally collect a broad range of information about an employee’s health and habits through a device such as a ‘fitbit’.  The mere possession of such information could form the basis of a discrimination complaint. In Queensland, for example, an employer is prohibited from collecting information on which discrimination may be based. 

Another example could see a prospective employee allege they were discriminated against in the recruitment process if an algorithm contained an historical bias, or had a disparate impact on some groups (whether intentional or not), or harvested irrelevant data (e.g. their social media use).  A similar allegation could be made by an employee if a discriminatory algorithm was applied in relation to promotion decisions.

• Privacy

Big data can also present privacy challenges for both prospective employees and current employees, given the broad range of data organisations might collect for recruitment and management purposes.  Collecting and using such data raises privacy issues relating to notice, consent, accuracy, data security, period of retention and cross-border data flow. 

In Australia, the Office of the Australian Information Commissioner (OAIC) has published a draft Guide to Big Data and the Australian Privacy Principles (May 2016).  While the Privacy Act 1988 (Cth) does not apply to ‘employee records’, there is no similar exemption in relation to potential employees and it is unclear whether ‘employee records’ extends to the wide range of information that could be collected about an employee, for example, by a Fitbit.

The OAIC’s draft guide makes two key recommendations to entities subject to the Privacy Act 1988 (Cth) prior to engaging in big data activities:

• Entities should embed privacy into their culture, processes and systems at the outset (“privacy by design”).  A privacy impact assessment identifying the risks of big data activities should be conducted at the outset. 
• Entities should de-identify (where possible) information collected and used for big data activities.  This involves considering what method of de-identification is appropriate for the nature of the data, the appropriate uses and disclosures of the de-identified information, the stage at which de-identification should occur and the cost, practicality and likelihood that the information can be re-identified. 

Do the benefits outweigh the risks?

Although “Big data” and the “Internet of Things” provide immensely valuable opportunities to improve productivity and safety, businesses may need to examine or re-examine their uses in relation to employees to ensure compliance with privacy and anti-discrimination laws.

This article first appeared in National resources review magazine.