Microchipping employees: What are the legal implications?

Clare Gilroy-Scott, a partner in the employment team at Goodman Derrick LLP, talks about microchipping employees.

Wearable technology is now common in the workplace, including employer-provided fitness trackers which can monitor employees’ health and activity levels. It seems that the next step, microchipping employees, is already here.

Swedish manufacturer of the implants, Biohax, is reportedly discussing employee microchipping with a number of UK businesses, having already chipped 4,000 workers in Sweden. UK business, Bioteq, has reportedly chipped 150 of its workers including its directors.

What is microchipping?

The Biohax microchip has a cost of around £150.  It is the size of a grain of rice and is implanted between the thumb and index finger.  It operates in a similar way to the pet microchip, a technology that has been in place for some time and is used to identify lost pets and control access through pet doors.

Although not equipped with GPS tracking, the Biohax microchip reportedly stores data, including medical data, and can be programmed to open doors with a swipe of the hand.  It can be used to ensure that the worker can only access certain business confidential information and access printers.  It can also be used to pay for food at a canteen.

Why would an employer operate such a scheme?

Ease of access, for example to buildings, data and internal systems, and improved security are cited by those businesses championing the employee microchip. Bioteq has said that the technology has followed on logically from assistive technology developed to facilitate disabled employees’ access to premises. Bioteq describes the microchips essentially as an optional alternative to an access card.

A chip in the hand may well be more convenient than carrying an access card but employees are likely to have significant concerns about how the chip’s data may otherwise be used in relation to them.   

What about privacy?

Through these devices, employers may be able to track significant data which leads inevitably and justifiably to questions about about unreasonable control and micromanagement of staff.  Wearable tech can be removed at the end of the working day or otherwise at the control of the employee.  With implants, it is unclear whether the chip collects data that is unrelated to work and what control the employee would have over such data.

Regardless of the physical intrusiveness, for which the employee would surely have to give express consent, there are legal issues relating to the data on the chip. Employers will need to ensure that they are operating lawfully in terms of monitoring, data protection and privacy in relation to the implants. They will need to consider the use of the data on the chip and who will be able to view it.  Data collected by the chip is likely to be personal data and so compliance with GDPR will be required.

Overcoming inherent distrust will probably be the biggest hurdle for employers who want to introduce micro-chipping for their workforce.  If an employer wants to be able to use data from a chip in disciplinary proceedings, then it is perhaps unlikely that employees will consent freely.

Although it seems that some UK workers have agreed to be chipped, others may be more cautious, concerned about who sees their data and whether, and how, the micro-chip data may be used against them. Although pets have been micro-chipped for some years, the technology is still new in terms of the human workforce. Many may want to wait to see and understand the potential impact such implants might have before introducing such a scheme into the workplace and incurring the cost of changing external access and internal security infrastructures to accommodate a micro-chipped workforce.

How can employers introduce and operate a micro-chipping scheme lawfully?

  • Consult with employees about introducing micro-chips.
  • Obtain consent and don’t pressure or otherwise exclude employees who do not want to be micro-chipped.
  • Be clear about the scope of the use of the chip and its data.
  • Formulate clear policies on how the information from such devices may be processed, stored and used.
  • Update existing policies on monitoring and use of IT systems, equipment and communication, and data protection, including privacy notices.
  • Be transparent about all the probable purposes for which the data may be processed.
  • Communicate clearly so that employees appreciate the potential implications of how the data will be used.
  • Process data from micro-chips lawfully in accordance with the data protection principles in the GDPR and the Data Protection Act 2018 including keeping the data up to date and secure.
  • Set limits on and guidelines for employees who deal with or control the data collected, making clear that misuse of such data is a disciplinary offence.