IEEE plans development of standards to advance security of employee’s personal data

As biometric ID authentication technologies proliferate to validate worker identities, the protection and security of these records also become more challenging. Workers and employees are increasingly uneasy over whether their biometric and other personally identifiable information (PII) is not only secure but that it is used ethically and transparently.

The Institute of Electrical and Electronics Engineers (IEEE) is leading the effort to improve the protection of employee biometric data under the C/S2ESC – Software & Systems Engineering Standards Committee.

“The standard defines specific methodologies to help employers to certify how they approach accessing, collecting, storing, utilizing, sharing, and destroying employee data. The standard provides specific metrics and conformance criteria regarding these types of uses from trusted global partners and how vendors and employers can meet them.”

The IEEE Standards Association in 2017 initiated the IEEE P7005 Standard for Transparent Employer Data Governance, a project that is sponsored by the IEEE Computer Society.

According to IEEE, “(t)he standard [which continues to be reevaluated, defined, changed, and adapted] defines specific methodologies to help employers to certify how they approach accessing, collecting, storing, utilizing, sharing, and destroying employee data. The standard provides specific metrics and conformance criteria regarding these types of uses from trusted global partners and how vendors and employers can meet them.”

The IEEE P7005 working group intends to classify and characterize “specific methods for employers to certify how they collect, access, use, share, store, and destroy employee data” and to delineate recommendations to “provide safe, trustworthy environments for employees to share their information.” The working group’s 30 members include representatives from global multinational companies, trade unions, human resource sectors, and employees, and workers.

As the IEEE P7005 working group has explained, its purpose is the development of a “standard [that] is designed to provide organizations with a set of clear guidelines and certifications guaranteeing they are storing, protecting, and utilizing employee data” ethically and transparently. It is also designed to help employers understand most individuals may not be tech-savvy enough to understand the underlying issues of data usage, but still adequately informed about the safety of their employee data, and to be provided with the tools and services that offer proper opportunities to content-based, pre-informed choice regarding how they share their information in the workplace.

Modeled upon the EU GDPR legislation, the standard is being “designed to be a form of” the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018, for employees, “guaranteeing that workers facing widespread automation issues potentially displacing their jobs will have control and influence over the personal information that directly represents a core asset of their identity and lives whether derived from workflow monitoring or personal data storage.”

Explaining the need for the project, the IEEE working group explained, “Today, employees are at the whim of their employers in terms of how their personal data is stored, tracked, and utilized while on the job. In many situations, biometric or other employee data is monitored in good-intention efforts for health or other programs. Still, organizations may lack adequate knowledge or tools to implement these efforts in a safe and trusted manner for long-term care of worker’s digital information.”

“Furthermore,” the working group emphasized that “as digital technologies develop, the necessity of transparent, ethical and responsible handling and utilization of all forms of personally identifiable information (PII) that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data, will rise.”

And, “In addition, as an increasing number of organizations monitor employee activities during working hours to optimize workflows and processes, employees should have insight into how this data is stored, used, and applied,” the IEEE working group has said, noting that “This also applies to data and PII derived from activities outside of work. Ideally, to improve transparency and workplace trust, employees and their representatives should have access to the data store and influence over what data can be collected.

The stakeholders identified for the standards include everyone “within the value chain of an organization, including but not limited to shareholders, C-Suite level management, managers, HR, CSR, and all other staff, their trade unions, shop stewards, and representatives.” The standard includes education, training and support to ensure stakeholders can protect and utilize their data and ensure trusted data exchanges with employers.

The standard reflects a variety of existing data privacy laws, including the GDPR, IEEE Member Ulf Bengtsson, chair of the working group, has stated. Bengtsson recently told IEEE Spectrum a draft of the standard proposed so far is undergoing legal review and is expected to be made available sometime later this year. Until then, he and the IEEE working group have put forward, there are fundamental moralities and “best practices” employers should practice when developing internal policies, procedures, control, security, and use employees’ biometric and other PII information.

“The employer, of course, has autonomy over the data on its employees,” Bengtsson said, however, “that information should only be used for a particular reason,” as should the compilation of PII, which he said ought to be expressly made clear to employees that they have given their consent.

Additionally, PII should be purged after it the time it is no longer needed, and that when an employee departs a business that that business promptly destroys the employee’s PII data.
Employees’ PII also should not be communal with third parties without employees’ express – preferably written or otherwise documented – consent.

Bengtsson told IEEE Spectrum the upcoming IEEE working group’s proposed standard would request that third-parties act in accordance with the eventual privacy protections called for by the rules.

IEEE P7005 is part of a growing portfolio of more than 30 technical and impact standards that promote innovation, foster interoperability, and recognize human values. The standards are part of the AI systems portfolio of work in the IEEE SA, including the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems, an IEEE SA Industry Connections activity that produced the Ethically Aligned Design document published a year ago.

In February, the IEEE Standards Association announced the completion of the first phase of work of The Ethics Certification Program for Autonomous and Intelligent Systems (ECPAIS) “to develop critical certification criteria for responsible innovation and delivery of autonomous and intelligent systems (A/IS). The AI Ethics oriented certification criteria, created by a trusted expert body of peers in ECPAIS Phase I, are focused on transparency, accountability, and algorithmic bias. They are intended to enable cities, and public and private organizations in diverse vertical industries, such as healthcare and medical devices, financial services, automotive, manufacturing and elder services, to identify themselves as being trustworthy and beneficial in their use of A/IS products, services, and systems they develop or operate.”

IEEE is also working on technical considerations for InBody Wireless Devices. “Medical devices (‘wearables’) applied on us, in us, and around us, present great opportunities for clinical research, early prediction of disease, care delivery, and healthcare management” that “maybe injected, implanted, or ingested and, when paired with complementary medical devices, may support remote patient monitoring, therapy delivery, or diagnostic purposes. Each of these use cases follows a different technical architecture as it relates to the communication channel, power source, device encryption, and overall security.”

IEEE had planned a series of workshops this month to address the “technical challenges with in-body wireless devices as it relates to communication channel disruption in different environments; understanding the different security vulnerabilities associated with the various communication channels and with the device;” the “technical challenges as it relates to device sustainability in terms of power and in-body durability;” and “providing technical insight on how to best evaluate the appropriate in-body and wearable devices for” use cases,” but they were postponed due to the burgeoning spread of Covid-19.

Article Topics

best practices  |  biometric data  |  biometrics  |  data collection  |  data protection  |  identity verification  |  IEEE  |  privacy  |  standards