Employment Data Protection
ReGenesis operates in the highest-sensitivity zone of workplace technology: a platform funded by employers that processes deeply personal employee content. The fundamental risk is that coaching data — personal reflections, emotional struggles, developmental gaps — could be used by employers for performance management, promotion decisions, or termination. This would be a catastrophic betrayal of trust that would destroy the platform's value proposition and expose ReGenesis to significant legal liability.
The architectural commitment is absolute: ReGenesis is not an employee surveillance tool. Coaching data and HR performance data are separated by design. Executives and organizational administrators see only aggregated, anonymized analytics with a minimum 5-person anonymity threshold. No individual coaching content is ever surfaced to anyone in an employer role unless the coachee explicitly grants access. Break-glass emergency access exists for safety-critical situations but requires documented justification and generates audit alerts.
In the EU, this commitment must also satisfy works council consultation requirements and national employment laws that provide additional protections beyond GDPR. The architecture is designed to satisfy these requirements so that ReGenesis can serve EU-based enterprises without restructuring.
The Core Principle: Not Surveillance
The single most important architectural and legal decision in ReGenesis:
Individual coaching content is NEVER shared with the employer (organization admin, HR, executive) without explicit, voluntary, informed consent from the coachee. This is non-negotiable. This is the trust foundation that makes the entire platform possible.
What Employers CAN See (Admin/Executive View)
| Data | Format | Example | Why It's Allowed |
|---|---|---|---|
| Program participation rates | Aggregated % | "78% of enrolled coachees completed 3+ sessions" | Legitimate interest: program ROI |
| Engagement scores | Aggregated average | "Average engagement: 4.2/5.0" | Legitimate interest: program quality |
| Theme prevalence | Anonymized trends | "Top themes: leadership communication, decision-making" | Legitimate interest: organizational development |
| Goal completion rates | Aggregated % | "62% of coachees achieved 2+ goals" | Legitimate interest: program effectiveness |
| Satisfaction scores | Aggregated average | "Net Promoter Score: +45" | Legitimate interest: program value |
What Employers CANNOT See
| Data | Why Not |
|---|---|
| Individual session transcripts | Core coaching confidentiality |
| Individual coaching notes | Coach-coachee privileged content |
| Individual Sasha insights | Personal development data |
| Individual goals and progress | Could be used for performance review |
| Individual emotional/personal content | Deeply sensitive; purpose limitation |
| Which specific employees said what | Anonymity threshold (min 5 persons) |
The Anonymity Threshold
All aggregated data shown to organization admins and executives must meet a minimum anonymity threshold:
Rule: No aggregated metric is displayed unless it represents data from at least 5 individuals.
This prevents:
- Small team analytics that could identify individuals (e.g., "the team of 3 — only one talked about burnout")
- Cross-referencing aggregated data with known team composition to infer individual content
- Time-based inference (e.g., "only one person had a session this week, and the theme was conflict")
How It Works
| Scenario | People in Group | Displayed? | Alternative |
|---|---|---|---|
| Company-wide theme report | 150 coachees | Yes | Full report |
| Department theme report | 12 coachees | Yes | Full report |
| Small team engagement score | 3 coachees | No | "Insufficient data for anonymized reporting" |
| Single coachee progress | 1 coachee | No | Only visible to coachee and their coach |
| Time-filtered report (1 week) | 2 sessions | No | Expand time window until threshold met |
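One way to enforce the threshold rule and the "expand time window" fallback in a reporting query, as an added example that is not ReGenesis code. The session records, team names, the doubling strategy for widening the window, the 90-day cap and the per-theme suppression are assumptions made for illustration.

```python
from datetime import date, timedelta

K_MIN = 5  # minimum number of distinct individuals behind any displayed metric
SUPPRESSED = "Insufficient data for anonymized reporting"
END = date(2024, 3, 31)

def _s(cid, team, days_ago, theme):
    return (cid, team, END - timedelta(days=days_ago), theme)

# Constructed sample: (coachee_id, team, session_date, theme)
SESSIONS = [
    _s("c1", "platform", 1, "delegation"), _s("c1", "platform", 2, "delegation"),
    _s("c2", "platform", 3, "burnout"), _s("c2", "platform", 5, "delegation"),
    _s("c3", "platform", 9, "delegation"), _s("c4", "platform", 12, "delegation"),
    _s("c5", "platform", 20, "delegation"), _s("c6", "platform", 25, "feedback"),
    _s("d1", "design", 2, "conflict"), _s("d2", "design", 30, "conflict"),
    _s("d3", "design", 60, "conflict"),
]

def in_scope(sessions, team, start, end):
    return [s for s in sessions if s[1] == team and start <= s[2] <= end]

def distinct_coachees(sessions, team, start, end):
    # Count people, not sessions: four sessions from two coachees is still two people.
    return {s[0] for s in in_scope(sessions, team, start, end)}

def theme_report(sessions, team, end, days=7, max_days=90):
    """Return (window_days, {theme: coachee_count}) or (None, SUPPRESSED)."""
    window = days
    while window <= max_days:
        start = end - timedelta(days=window - 1)
        if len(distinct_coachees(sessions, team, start, end)) >= K_MIN:
            break
        window *= 2  # assumption: widen the window by doubling
    else:
        return None, SUPPRESSED  # threshold never reached: show nothing
    per_theme = {}
    for cid, _, _, theme in in_scope(sessions, team, start, end):
        per_theme.setdefault(theme, set()).add(cid)
    # Each cell is itself a metric, so cells under K_MIN are dropped as well.
    return window, {t: len(p) for t, p in per_theme.items() if len(p) >= K_MIN}

if __name__ == "__main__":
    print(theme_report(SESSIONS, "platform", END))
    print(theme_report(SESSIONS, "design", END))
```

A per-report threshold does not by itself stop differencing between overlapping reports (a department figure minus a sub-team figure), so overlapping groupings need their own check.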
Separation of Coaching Data and HR Data
Key architectural decisions:
- No API integration between ReGenesis and HR systems
- No import of HR performance data into coaching platform
- No export of individual coaching data to HR systems
- Coaching goals are not linked to HR performance goals unless the coachee explicitly chooses to share
- The platform does not generate "performance scores" or "readiness ratings" that could be used for employment decisions
Works Councils and Unions (EU Context)
In many EU countries, introducing a platform like ReGenesis requires works council consultation or even co-determination (the works council must agree before the platform can be deployed).
Key EU Employment Law Considerations
| Country | Requirement | Impact on ReGenesis |
|---|---|---|
| Germany | Works council (Betriebsrat) has co-determination rights on employee monitoring tools | Must demonstrate ReGenesis is NOT a monitoring tool; works council must be consulted before deployment |
| France | Works council (CSE) consultation required; CNIL guidelines on employee monitoring | Consultation before deployment; DPIA shared with works council |
| Netherlands | Works council consent for systems that monitor employee data | Written consent from works council; clear documentation of data flows |
| Italy | Workers' Statute (Art. 4) restricts remote worker monitoring | Must demonstrate coaching platform is not remote monitoring |
| Austria | Works council agreement required for systems processing employee data | Formal agreement before deployment |
ReGenesis Response to Works Council Concerns
- "This is not a monitoring tool" — Provide technical documentation showing no individual data flows to employer
- "What data is collected?" — Share RoPA extract, data classification, and visibility model
- "Who can see what?" — Demonstrate the four-tier visibility model with live examples
- "Can the employer fire someone based on coaching data?" — Show architectural separation and aggregate-only employer access
- "What about Sasha?" — Explain AI transparency, Evidence Packs, and human-in-the-loop design
- "Can employees refuse?" — Confirm voluntary participation (where employment law requires it)
Permission Grants for Admin Access
In rare cases, an admin may need to access individual coaching data (e.g., compliance investigation, safety concern). This requires a formal permission grant:
Standard Permission Grant
- Admin submits request through compliance portal
- Request includes: reason, scope, duration, legal basis
- DPO reviews request (within 24 hours)
- If approved: time-limited access granted with full audit trail
- Coachee is notified (unless notification would compromise investigation — rare exception with legal sign-off)
- Access automatically revokes at end of granted period
- Access log reviewed in next governance board meeting
Break-Glass Emergency Access
For immediate safety concerns (e.g., coachee expressed intent to harm self or others):
- Authorized person (DPO, CEO, or designated safety officer) triggers break-glass
- Immediate access granted to relevant coaching content
- All access is logged with full audit trail
- Automated alert sent to governance board
- Post-access review within 24 hours
- Incident report filed
Break-glass access generates high-severity audit alerts and requires a documented post-access review. Any abuse of break-glass access is a terminable offense and may constitute a data breach requiring notification.
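The standard grant and break-glass paths described above, sketched as an added example that is not ReGenesis code. The `Grant` fields, the role strings, the audit record layout and the in-memory log are assumptions; the point shown is that expiry is checked on every read and that every decision, including a denial, is audited.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUDIT = []  # in-memory stand-in for an append-only audit log
BREAK_GLASS_ROLES = {"dpo", "ceo", "safety_officer"}  # roles named on the page

@dataclass(frozen=True)
class Grant:
    admin: str
    coachee: str          # scope: a single coachee's records
    reason: str
    legal_basis: str
    approved_by: str      # DPO who approved; empty means not approved
    expires_at: datetime  # end of the granted period

def audit(event, severity, **fields):
    AUDIT.append({"event": event, "severity": severity, **fields})

def can_read(grants, admin, coachee, now):
    """Deny by default. Expiry is evaluated on every read, so access ends at
    expires_at even if no revocation job ever runs."""
    for g in grants:
        if (g.admin, g.coachee) == (admin, coachee) and g.approved_by and now < g.expires_at:
            audit("grant_read", "info", admin=admin, coachee=coachee, reason=g.reason, at=now)
            return True
    audit("read_denied", "warning", admin=admin, coachee=coachee, at=now)
    return False

def break_glass(role, actor, coachee, justification, now):
    """Emergency path: listed roles only, justification mandatory, always high severity."""
    ok = role in BREAK_GLASS_ROLES and bool(justification.strip())
    audit("break_glass" if ok else "break_glass_denied", "high", actor=actor, role=role,
          coachee=coachee, justification=justification, at=now,
          review_due=now + timedelta(hours=24) if ok else None)
    return ok

if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    g = Grant("admin7", "c42", "compliance investigation", "legal obligation", "dpo1",
              t0 + timedelta(days=3))  # constructed sample grant
    print(can_read([g], "admin7", "c42", t0))                      # within period
    print(can_read([g], "admin7", "c42", t0 + timedelta(days=3)))  # period over
    print(break_glass("hr_manager", "u9", "c42", "curious", t0))
    print(AUDIT[-1]["event"], AUDIT[-1]["severity"])
```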
Employee Privacy and Autonomy
Beyond legal requirements, ReGenesis makes commitments to employee autonomy:
- Voluntary engagement: Where possible, coaching is offered as a benefit, not mandated
- Content control: Coachees choose what to share in sessions and what to write in notes
- Visibility control: Coachees can see exactly what data exists about them
- Deletion rights: Coachees can request deletion of their coaching data at any time
- Consent withdrawal: Coachees can withdraw consent for sensitive data processing at any time
- No retaliation: The platform displays a commitment that withdrawal or reduced engagement will not result in negative employment consequences (contractual term with enterprise client)
When selling to large enterprises (especially EU-based), be prepared for the question: "How do you prevent managers from using coaching data for performance reviews?" The answer is: architectural separation, aggregation with anonymity thresholds, no HR system integration, and contractual commitments. This page provides the detailed backing for that answer.