Employers, personal contact data, and informed consent

Under what circumstances might an employer need to know your personal mobile phone number?

In full recognition that there is a wide range of very different cases out there, from employers who provide not only IT systems but also mobile phones to those who rely entirely on personal devices and commercial (but usually free) platforms, I want to focus on the increasingly common case where the employer provides email (and maybe some other systems) but not mobile phones.

I am also going to make another assumption, namely that email, and especially work email, is not a reliable way to contact someone in an urgent or even emergency situation. Even if some people have notifications for every new email popping up on their phone, only the unwise will have such notifications for work email out of working hours. Many will not have work email on their phone at all so they can resist the temptation to check more easily. In contrast, a phone call, SMS or WhatsApp is very likely to generate a notification or otherwise be noticed out of hours, even if it comes from an employer.

Thus, if you give an employer your personal mobile number, you are giving them the power to invade your (virtual) personal space and take your attention from your personal life to your work life at a time they are not paying you to work.1

Why would anyone do that?

Uses and Abuses

Clearly this personal information can be, and has been, abused with well-known examples of failing to respect work-life balance, general and specific creepiness, and avoiding difficult conversations.2 But there are also some clear use cases where both employer and employee benefit:

  1. Short notice changes to working patterns, such as asking someone to come in early or (going the other way) calling in sick.3
  2. Well-being checks relating to personal circumstances, e.g. if an employee is off sick or has mentioned a personal issue.
  3. Well-being checks on an employee working remotely or abroad who has not responded to emails for several days.
  4. Emergencies or outages in the work-place or on the commute, such as flood, fire or cyber attacks.
  5. Major and unpredicted workplace news, such as the death of a colleague.
  6. Optional workplace based social and leisure activities - though this would be a limited and specific permission.

In recognition of these legitimate uses, I suspect many people are very happy to share their personal mobile number, trusting that personal information not to be abused.

Two Questions

An obvious question is whether an employer can ever require an employee to provide a personal mobile number.

Remembering that we are considering only employers who provide email and other IT systems, there seems to be an important difference between BYOD and 'Bring Your Own Account' (BYOA). This applies to both phone numbers and email addresses.4

(Here I am not thinking about the application stage, where applicant is supplicant and has to conform to the employer's preferences, or the post-employment stage where regulated industries may need to be able to contact ex-employees at the behest of the regulator.)

BYOD - e.g. checking email on a personal phone or laptop - is appropriate where the work required to be done on the device is light and infrequent enough to make it not cost-effective for the employer to provide a device nor for the employee to come into work, and there does remain an alternative for the employee of using a work owned device, even if that is inconvenient.

BYOA is different because the benefits are unequal. The employer saves a cost, such as providing a mobile phone, but the benefit for the employee is not their convenience but, to put it crudely, their performance. An employee who practices BYOA makes it easier and cheaper for their employer, and thereby makes themselves a 'better' employee from the employer's perspective. This might make their employment more secure and their career progress more quickly, but only because they are allowing themselves to be exploited (though usually in a very trivial manner). They are, to a small degree, subsidising their employer.

The second question one might ask presupposes that the employee is willing to help their employer out in this way and also that we are talking about a medium-to-large organisation (we have already assumed they are large enough to provide email services).

Is there a significant difference between sharing a personal number with your line manager and sharing it with your employer as an organisation, e.g. having it on your staff record?

Companies vs Colleagues

Assuming the employing company/organisation has good data privacy policies and governance, and even better is GDPR compliant, then any data or security professional would tell you that sharing your number with the organisation for it to be securely stored with your other personal data is the best possible way to avoid the abuses I mentioned above.

They are not wrong in principle, but they are wrong in practice, given human nature. Put simply, the data protections around a staff record are an inconvenience, so after a line manager has accessed that once, either in one of the circumstances listed above or in expectation of one - they are likely to keep that number on their phone. Or they may just ask their staff directly for numbers and by-pass the staff record entirely. All the institutional protections disappear and new privacy and data security risks are introduced.

There are also some important normative considerations. When deciding whether or not to share personal data (such as a phone number), there are three aspects of the relationship between sharer and recipient which are particularly relevant: power, trust, and loyalty.

Now it seems fairly obvious that an employee might have different relations of power, trust, and loyalty with the organisation which employs them and the colleague who manages them. They might then have good normative grounds for sharing their personal data with their line manager but not their organisation.

Informed Consent?

However, when organisations ask employees to provide a personal phone number for their staff record, most do. The normative reasons referred to above are either weak or not salient. They consent, but is it informed consent?

Consider the case of informed consent to medical procedures. Here we recognise that the patients decision needs to be based on awareness of the pros and cons. We could summarise that point as:

Informed consent requires the consenting party to be aware of any reasons there are not to consent5

If we were really sticking to this principle when employers ask for a personal phone number, they would have to point out that some employees might prefer to only share that information with a line manager (on the understanding that colleague will not share it further). Thus a 'single source of truth' policy which required line managers to not keep separate records of their staff's personal contact details would be ethically problematic. It would mean that some who consented, but were unaware of the potential relevance of different relations of power, trust and loyalty they might hold to the organisation and a specific colleague, had not given fully informed consent.

The general problem here is that data protection policies and regulations focus on informing people about what will happen to their data, how it will be stored and used. This makes them aware of one reason not to consent, namely abuse of the data. But it does not necessarily make them aware of all reasons not to consent. And in the specific case of sharing your personal phone number with the organisation rather than just your line manager, it misses the potentially different normative structures of those relationships.

Closing anecdote

I manage a Department of >50. During the pandemic I asked them to give me an emergency number for out of working hours contact and made clear that only myself and my Department Manager would have access to it. I have continued the practice and we get 100% consent. But when I look at their staff records, fewer than 50% have entered a personal phone number.

To me that suggests that many see themselves as having a different relationship to the organisation than they do to me, and this affects what they are willing to share.

If there are good reasons for some to make this choice, then genuinely informed consent to sharing personal contact information such as mobile numbers with the organisation requires the request for that information to include a paragraph starting:

You may prefer to only share this with your line manager. We discourage this because ...

  1. If you are a remote worker, then the employer may also use this in 'their' time as a way of interrupting and redirecting your work for them. 

  2. Another abuse is not keeping this information secure so that it is accessible by hackers or snoopers.  

  3. It is important to remember that if you use a personal mobile to call in sick, you have given your employer that number. You almost certainly haven't given them permission to use it, but they may not realise that. 

  4. An exception is with respect to contracts, pay slips, tax documents, and pension information which would have been sent to a home address in a pre-digital age and now are sent to a personal email address. In this case the employer isn't communicating about the work the employee is doing but the terms and conditions of employment. Perhaps a time will come when employees prefer to have such formal communications sent by a phone-based messenger like WhatsApp, but for now it is email. 

  5. I am using 'reasons' in the strong sense, so that some conspiracy theories do not count as reasons not to consent 

You'll only receive email when they publish something new.

More from Tom Stoneham
All posts