The 'biggest cash cow there is' - the potential (or threat) of DNA profiling as part of organizational HCM

By Cath Everett, July 23, 2020
Summary:
While employee monitoring is nothing new, advances in DNA profiling raise the stakes immeasurably unless care is taken.

In the post-COVID workplace, employees are going to find themselves tracked, scanned and generally kept a close eye on more than ever. Health factors aside, employee monitoring has become increasingly widespread in the workplace over recent years, but staff surveillance activity could be about to take a great leap forward in the form of DNA profiling.

In some ways, believes Dr Paul Bernal, Associate Professor at the University of East Anglia’s Law School, such a shift is a “predictable step”. Although employee monitoring has gone on for decades in the shape of workers clocking in and out, the rise of wearable tech, which includes smart ID cards on lanyards to enable staff to access buildings and rooms, has been a particularly “significant development” here, he says.

Certain industries have been more enthusiastic proponents than others though, with financial services, retail and manufacturing especially keen on keeping an eye on employee behaviour in a bid to prevent fraud, embezzlement and theft. The fact that more and more office workers are currently home-based is also likely to lead to a rise in activity monitoring – despite the potential invasion of privacy risks, especially if staff are using their own computers.

In fact, according to Gartner, since COVID-19 lockdowns took place around the world, some 16% of employers are now inspecting what their employees are up to more frequently than was the case in the past. Common means of doing so include tracking work computer usage and monitoring emails and internal chat applications.

The most common reasons for going down this route, Bernal says, are either to measure productivity or, increasingly, to monitor health and wellbeing. But he is not convinced that using tech to do so is always the best approach. He explains:

Some employers want to know what their staff are doing as they have the sense that people are trying to cheat them all the time, or that if they could make them more efficient, they’d be more successful. There’s a certain logic to it, but it’s a bit of an illusion of control, and it can have repercussions elsewhere. For example, if employees don’t feel trusted, they won’t trust you, which in turn can have an impact on their productivity.

A new report by the Chartered Institute of Personnel and Development - 'Workplace technology: the employee experience' - appears to back his statement up. It reveals that while 45% of staff believe employee monitoring is currently taking place and 86% expect it to become more commonplace in future, a huge 73% feel that introducing the technology required to do it damages trust between themselves and their employer.

An example of one such trust-harming situation occurred not long before lockdown when Barclays Bank introduced a monitoring system that tracked how much time employees spent at their desks and sent warnings if their breaks were deemed too long. The organization was eventually forced to axe the software following a staff outcry.

The shift to DNA profiling

But while this kind of approach may have already ruffled a few feathers, the advent of employee DNA profiling would seem to raise the stakes to another level. 

One example of such activity today takes the form of employers collecting staff blood samples to test for COVID-19 antibodies - Gartner indicates that as many as 5% plan to do this as part of their return to work safety programme. But as Brian Kropp, Head of Research for the analyst company’s HR practice, points out:

While the blood testing situation is a rare and limited one, the idea of collecting biological data and DNA profiling is becoming more plausible as time goes on. While collecting employee DNA is no longer a futuristic proposition, there is monumental concern about how this data will be used.

An example of one player that is doing just that is Big Data specialist Muhdo Health. It sells a DNA test based on an individual’s saliva together with an epigenetic tracking service that helps to understand the impact of nutrition and exercise on current and long-term health. Key areas of focus include evaluating the efficiency with which the testee’s body absorbs vitamins and minerals and how it responds to different food groups to help people manage their weight more effectively.

The company has just partnered with health insurance company Mercer Marsh Benefits, which plans to incorporate access to the test and tracking service into its package of corporate wellbeing services. Optional advice on possible lifestyle changes will also be made available from specialist practitioners, which include nutritionists, mental health professionals and experts in muscular-skeletal disorders. Nathan Berkeley, Chief Executive of Muhdo, says:

Everyone has different needs around health so it’s hard for an employer to personalise support. Therefore, our aim is to give employees a long-term health solution that is hyper-personalised and unique to them to help them change their lifestyle. It’s powered by genetics and AI to mitigate the long-term effects of poor nutrition by giving people actionable interventions backed by science…If employees are happier and healthier, they’ll take less time off work, which also means less time lost for the business. 

But Richard Hollis, Director of information risk management consultancy Risk Crew, believes this kind of approach is a slippery slope. He explains:

Mark Zuckerberg [CEO of Facebook] taught us that data equals cash, or in other words, all data has intrinsic value. And the most sensitive data of all is DNA as it’s the key to who we are as human beings. So if you’re hacking, you go where the money is – the focus used to be on medical information, but now it’s DNA.

But the collection of DNA is not just happening among the criminal fraternity. It is now widespread across both the public and private sector. Hollis points to China’s creation of a DNA database of Uighur Muslims in Xinjiang alongside the US collection of DNA samples from anyone who faces charges and has been arrested or convicted, or who has been detained as an immigrant and held in Immigration and Customs Enforcement facilities. Genealogical services providers, such as Ancestry.com and Gedmatch, are another example of where genetic material is being stockpiled and used for commercial gain. 

The cow is out of the barn

On top of the obvious privacy issues though, another worrying factor is that all computer systems are “insecure by their very nature”. Hollis explains the problem:

There’s no such thing as a secure computer – it’s an oxymoron. So if you’re putting DNA on a system that’s inherently insecure, there’s a risk that it’ll be stolen from you. But it’s not just about ones and zeros – it’s data on, and about, people’s lives. So if you put DNA in a system that’s inherently insecure, I see it as an unacceptable risk. Once it’s gone, it’s gone – you can’t change your DNA.

But Muhdo’s Berkeley attests that the way the company’s system is set up means that the “data is 100% protected”. This is because, he says, all identifying information is stored on four separate servers, one handling personal information, another genetic and a third lifestyle tracking data. A fourth machine runs the algorithm that processes the information and brings it all together.

But there are other concerns too, with a key one being the use that unscrupulous employers and insurance companies could put such information to. Gartner’s Kropp explains:

I would guess around 95% of people don’t know the level of information that their DNA contains. Imagine sharing your fertility data with your employer or your likelihood of developing a terminal illness – when described in this context, it changes the way some people value their DNA data. Some employees may worry that if their employer knows this amount of information, they may be discriminated against based on underlying medical issues or potential health problems a few years down the line.

In an insurance context, meanwhile, there is a danger that employers might be tempted by incentives to provide DNA information about their workforce. This data could subsequently be used to increase the premiums of certain employees or deny them cover if they have particular conditions. 

But Muhdo’s Berkeley insists that, in its case, neither employers nor its partner Mercer Marsh Benefits have access to any staff member’s DNA data. Moreover, such information is not sold on to third parties but is processed and researched on a purely internal basis:

The system’s not been built to allow them to see it. Mercer has no access to the data at all and employers can only look at amalgamated views to see, for example, that 45% of the workforce is deficient in vitamin D so they can take action to improve things. Also we only collect nutrigenomics and exercise data. We don’t look at anything to do with disease diagnostics and so don’t get that information.

But whatever the reality, Hollis ultimately believes that it is already too late to put the DNA genie back into the bottle:

Data equals cash and DNA is the biggest cash cow there is. This situation has been evolving for years, but by the time we start to see it, it’s already too late. This kind of data has been collected for the last 15-20 years and by the time people are selling products and services based on it, it’s already sitting in a big database. We won’t ever get out in front of this now because the cow’s out of the barn and once people are making millions from it, it’s too late to get it back in.

My take

I tend to agree with Gartner’s Kropp that there is a need for more scrutiny and control over this concerning area. He sums it up thus:

When the reality of how much information DNA holds about a person sets in, trust becomes a massive consideration, not only from employees but from their families and society at large. There will be a big desire for regulation to be put in place but I don’t think it will be effective in getting companies to treat the data correctly. It’s going to take societal pressure and scrutiny.