Fitness bands have become more and more popular over the years, and you can bet that most of your employees are wearing some kind of device to track their biometrics. These devices can do everything from counting steps, to administering medical tests, to analyzing one’s quality of sleep. This means employers could have firsthand access to employees’ personal information, but that access could also be a legal trap.
One use for this biometric data, and probably the most prevalent, is to offer employees insurance premium discounts, bonuses, or other incentives to raise health consciousness or to get employees to reach a certain activity level. Offering such programs gives employers such information as activity levels, nutritional habits, and certain physical characteristics, which if not handled properly by the employer could lead to disability or discrimination claims.
As of right now, Illinois and Texas are the only two states to have enacted statutes that define specifically what constitutes biometric data; and only a few more states – Alaska, California, New York and Washington – have proposed legislation on the issue.
As an employer, what do you do?
Based on the key provisions of the Illinois and Texas state laws, here are some guidelines for employers that are in possession of their employees’ biometric data:
- Always provide employees with written notice of biometric data collection and storage, and explain the reason for the collection and the length of time the data will be stored;
- Require employees to give written consent to the data collection;
- Protect the collected biometric information from disclosure unless the employee gives prior written consent to disclosure or the disclosure is required or permitted under state or federal statute, or in response to a warrant from law enforcement or a valid subpoena, or to complete a financial transaction requested by the employee;
- Protect stored biometric data in a manner that is at least as protective as the means used to protect other confidential information;
- As with health information in general, separate biometric data from other employee records, and ensure that company access to such data is limited to those with a legitimate need-to-know;
- Never sell, lease, trade, or otherwise profit from the collected data;
- Maintain and make publicly available a written retention policy that requires permanent destruction of the data by the earlier of the date when “the initial purpose for collecting or obtaining” the data has been “satisfied” or three years after the employee’s last contact with the organization; and
- Keep abreast of cases that address the appropriate use of biometric data and its collection and handling. For example, this relatively recent case addressed whether requiring biometric screenings as part of a wellness plan violated the Americans with Disabilities Act.
For more information contact firstname.lastname@example.org. The information contained in this post, and any attachments, is not intended and should not be misconstrued as legal advice. You should contact your employment, benefits or ERISA attorney for legal direction.