Edinburgh Research Explorer The Ethics of People Analytics

Purpose – This research analyzed the existing academic and grey literature concerning the technologies and practices of people analytics (PA), to understand how ethical considerations are being discussed by researchers, industry experts and practitioners, and to identify gaps, priorities and recommendations for ethical practice. Design/methodology/approach – An iterative “ scoping review ” method was used to capture and synthesize relevant academic and grey literature. This is suited to emerging areas of innovation where formal research lags behind evidence from professional or technical sources. Findings – Although the grey literature contains a growing stream of publications aimed at helping PA practitioners to “ be ethical, ” overall, research on ethical issues in PA is still at an early stage. Optimistic and technocentric perspectives dominate the PA discourse, although key themes seen in the wider literature on digital/data ethics are also evident. Risks and recommendations for PA projects concerned transparency and diversestakeholderinclusion,respectingprivacyrights,fairandproportionateuseofdata,fosteringasystemiccultureofethicalpractice,deliveringbenefitsforemployees,includingethicaloutcomesinbusinessmodels,ensuringlegalcomplianceandusingethicalcharters. Research limitations/implications – This research adds to current debates over the future of work and employment in a digitized, algorithm-driven society. Practicalimplications – Theresearchprovidesanaccessiblesummaryoftherisks,opportunities,trade-offs and regulatory issues for PA, as well as a framework for integrating ethical strategies and practices. Originality/value – By using a scoping methodology to surface and analyze diverse literatures, this study fills a gap in existing knowledge on ethical aspects of PA. The findings can inform future academic research, organizations using or considering PA products, professional associations developing relevant guidelines and policymakers adapting regulations. It is also timely, given the increase in digital monitoring of employees working from home during the Covid-19 pandemic.

Introduction the significant risks to privacy and autonomy these innovations present for employees" (Tursunbayeva et al., 2018), suggesting a need for further investigations.
The European General Data Protection Regulation (GDPR) has begun to orient vendors and users of PA innovations to their vulnerabilities and potential liabilities (e.g. Politou et al., 2018), but leaves gaps for which ethical guidelines are needed (Sodeman and Hamilton, 2019). This includes the new types of risk presented by predictive algorithms and biometric data, which have implications for choice, control and identity in the context of work.
Although no research-driven framework of ethical considerations for PA so far exists, the literature on HR ethics offers high-level principles which are relevant to this discussion. For example, the Chartered Institute for Personnel and Development (CIPD) draws on a range of perspectives when considering HR ethics, at the heart of which is fairness, a concept grounded in moral philosophy (Clark, 2015), as well as principles around work as a force for good, respect for employees and the importance of integrity for the "people profession" (CIPD, 2020).
The specialist community of practice involved in the development and implementation of PA systems has also recently started to take ethical issues more seriously, giving rise to an untapped literature in need of synthesis (Mixson, 2019).
This rapid scoping review aimed to respond to this gap through a targeted examination of the ethical issues described within existing academic and professional discourse on PA. The objectives were to map the risks/opportunities and recommendations expressed in these communities, alongside related literature and real-world examples. As such, it complements existing socio-legal analyses on topics such as workplace surveillance and the gig economy (e.g. Ajunwa et al., 2017;Wood et al., 2019) and contributes to emerging discourses on the future of work. It uses plain English to summarize and synthesize the issues in a way that can be easily interpreted by our target audiences (see Figure 1) and used in practice.

Method
Scoping review methods are suited to emerging areas of innovation, where formal research may be sparse but sources of relevant evidence and knowledge are nonetheless accumulating (Arksey and O'Malley, 2005). Rather than attempting to be exhaustive and replicable, as with systematic evidence reviews, these reviews are designed to rapidly understand the scope, key considerations and maturity of an area, typically to inform research or policy.
Search strategy and article screening and selection Scoping academic literature. Seven HR-related keywords from recent human resource information systems (HRIS) and PA literature reviews (Tursunbayeva et al., 2016(Tursunbayeva et al., , 2018 were Box 1. The changing context of accountability (1) The public has become more critical and less forgiving of corporate misbehavior (Rivera and Karlsson, 2017) (2) Regulations and laws on the protection of personal data have become more proactive and punitive in many countries (e.g. European Commission, 2020) (3) More companies are pursuing growth in emerging markets where ethical risks may be heightened or relying on extended global supply chains that increase counterparty risks (4) Digital communication has become the norm, exposing companies and the executives who oversee them to new information risks (5) The 24/7 news cycle and social media can rapidly spread and amplify reputationally damaging stories (6) Employee lawsuits are on the rise, with personal data abuse set to join gender and racial bias as top trends (e.g. Fernandez-Campbell, 2018) The ethics of people analytics combined with ethics-related keywords to iteratively search the Web of Science Core Collection (WoS) for literature published prior to December 31, 2019, as shown in Figure 2. WoS is an interdisciplinary online literature database covering publications from the sciences, social sciences, arts and humanities. Snowballing from qualifying article reference lists was used to find other relevant works.
Scoping socially curated grey literature. Seven PA hashtags were created mostly from the HR-related keywords used to search the academic literature, and then combined with the #ethics hashtag ( Figure 2). Twitter's "advanced search" function was then used to identify tweets linking to relevant articles, studies, industry reports or other information sources, which we refer to as "socially curated" grey literature. The preliminary search period was March 21, 2006the date when Twitter was createdand December 31, 2019. The full texts of articles identified via the Twitter hashtag searches were located and analyzed. Additional articles identified through "snowballing" from these publications and recent relevant papers known to the authors were also integrated during the synthesis and interpretation phase.

Data analysis
The disciplinary affiliation of academic journals publishing PA research was assessed with reference to their classification in the Scimago Journal Ranking Portal (SJR) (2019). Seven articles were classified manually, as the journals were not covered by SJR. Finally, we checked the number of citations appearing for each article in Google Scholar to identify the most impactful ones and extracted and grouped the key concepts covered in the included articles.

PR
In the absence of a theoretically informed framework for classifying PA ethical risks, we used open-coding to identify themes in the eligible academic and curated grey literature to create a set of categories for organizing the findings.

Results
Publication characteristics Academic research. Searching WoS yielded 226 articles, 204 of which were in English. After screening by title, 51 of these articles were judged as potentially relevant, and their full texts were reviewed, together with a further nine articles identified through snowballing from the reference lists (see Figure 2). Articles that simply mentioned the need to consider ethical issues in PA (e.g. Mesko et al., 2018) or did not focus specifically on both PA and ethics (e.g. Newman et al., 2017) were excluded, leaving a total of 14 articles in the final sample of relevant academic papers (see appendix 1).
Seven of these publications appeared in the last couple of years, peaking in 2017 (n 5 5), although the first relevant article was published in 2005. Four of the articles published in journals available in SJR (n 5 5) appeared in multi-disciplinary journals.
Fourteen of the papers' authors are affiliated with academic institutions in the USA. The remaining authors are affiliated with academic institutions located in the UK, Germany, Ireland, Thailand, Singapore, Australia, Finland and Sweden. Overall, ten relevant articles were discussion or conceptual papers, three were empirical papers and one reported on an experiment.
A total of 271 tweets remained after removing duplicates. The first relevant tweets appeared in 2015; however, the majority were posted in 2019 (n 5 126) (see Figure 3).
Conference live tweets, links to webinars, YouTube videos, other posts, non-working links or articles that we were unable to find were removed from further analysis, leaving 118 tweets containing links to articles. Of these, 52 unique articles were included for full-text analysis alongside 16 additional grey literature publications that were snowballed or that the authors were familiar with based on the background readings (see appendix 2). Most of these publications (n 5 23) were published in 2019.

Analysis and discussion
Relevant issues identified in the PA literature fell into two broad categoriesethical risks (and conversely opportunities) and recommendations, with a range of specific themes evident within each of these, as summarized in Table 1. To aid contextualization and interpretation, we discuss these categories alongside other relevant literature and real-world examples in the following section. Eligible articles identified with our search strategy are marked with an asterisk to differentiate them from other sources.

Risks for employees
Operationalizing bias and discrimination. Arguments favoring the use of PA solutions rely on the notion that they are objective; indeed, many are designed with the "good" intention of enabling HR decisions based on data rather than flawed or biased human reasoning. Nevertheless, since these systems are designed by humans, the potential for prejudice, misunderstanding and bias to be encoded into their algorithms remains.
In 2015, Amazon discovered that its "recruitment engine," used for screening and prioritizing potential software developers, had been systematically discriminating against female applicants. The system had been trained, using machine learning, to look for key patterns and terms in resumes submitted to the company over ten years, primarily from men. "In effect, it had taught itself that male candidates were better" (Dastin, 2018*). Although Amazon sought to correct this bias, it finally abandoned the system in 2018. The case illustrates how purely algorithmic PA systems can potentially have unintended discriminatory consequences by using data about race, age, gender, sexual orientation and disability to sort candidates.
Such bias may also be purposefully designed; for example, Facebook's ad-targeting algorithms were implicated in a lawsuit filed by the Communications Workers of America on behalf of its 7,000þ members. Originating with a complaint against T-Mobile by a jobseeker who discovered that she was not seeing the same ads as her daughter, this has extended to a Class Action against hundreds of other companies that used Facebook's platform for allegedly ageist job advertising (Fernandez-Campbell, 2018). Writers such as Kim (2017*) point out that this type of "classification bias" is not adequately covered in existing legislation, such as the US Age Discrimination in Employment Act.
Psychological or social profiling. PA has its roots in psychometrics and may embed tests of personality and aptitude in its hiring and promotion algorithms. According to the

Risks for employees Risks for organizations
Operationalizing bias and discrimination Ethics as a point of risk for PA projects Psychological or social profiling Behavior shaping Reducing performance/people to numbers Creating inconvenience or income insecurity Threatening privacy or autonomy through tracking and surveillance

Recommendations
Transparency and fairness Legal compliance Ethical guidelines and charters Proportionality and protection Data rights and consent Inclusion of stakeholders People skills and culture Evaluation Ethical business models Table 1. Risks and recommendations emerging from the analysis PR Association of Graduates, 60-70% of prospective employers in the USA and the UK are using online personality tests in recruitment, which has been estimated as a $500 million business growing by 10-15% a year (O'Neil, 2016a*). Opponents of this form of human quantification argue that such tests can overlook moral character (Geller, 2018) and cultural or ethnic differences (Kirke, 2019). They might also identify differences that could be labeled as disabilities or mental health conditions, and thus be illegal under the Americans with Disabilities Act of 1990 (O'Neil, 2016a*), particularly if they are used as "a mask for discriminating against a protected class" (Anderson, 2018). Although few job applicants rejected on the basis of such tests contact a lawyer, incomplete feedback and lack of expert knowledge on sources of bias mean they are unlikely to be aware or empowered to do so (Kim, 2017*). Greater transparency is called for in this regard, particularly since personality tests could potentially be poor predictors of job performance and may thus be both unfair on candidates and inefficient for employers (e.g. O'Neil, 2016b*;O'Neil, 2018). Meanwhile, with some recruiters now harnessing cross-platform analytics to profile potential employees from their "digital exhaust" trails, psychometric testing may soon be supplanted by passive data mining, presenting new ethical challenges around transparency, choice and privacy rights (Cappelli, 2019).

Behavior shaping
Data on individual employees' performance patterns, combined with other data obtained from emails and questionnaire responses, are also being used to feed algorithms that can send personalized messages to shape or "nudge" behavior. Based on principles from behavioral economics and persuasive psychology, these aim to encourage the achievement of workrelated goals for the individual, team or organization. An example referenced in our grey literature results is the company Humu, founded by former Google executive Lazlo Bock. Humu's "nudge engine" can set up reminders, prompt questions during meetings, as well as encourage employee-centric activities like saving for retirement or opting for healthier snacks (Wakabayashi, 2018;High, 2019*). While the company has been keen to show its ethical credentials by emphasizing its respect for privacy and its ability to influence employees' personal job satisfaction (e.g. High, 2019*), critics have pointed to a lack of transparency around the purposes of nudges and uncertainties over whether employees know they are being nudged, raising ethical questions around users' information rights, effects on their personal autonomy and protection from manipulation (Wakabayashi, 2018).
Reducing performance/people to numbers. HR departments and senior managers are widely using PA tools to monitor and measure (e.g. Guenole et al., 2018*) the performance of individuals, teams and their workforce as a whole, presenting a range of ethical challenges.
Individuals: in contrast to screening and recruitment, performance management and promotion require a stronger emphasis on compliance with training, the achievement of targets and subjective ratings by managers. In the era of PA, these are becoming more automated, with enterprise software making it easier for HR managers to quantify and profile performance and time usage even at a distance. Proponents of PA argue that this can provide workers with objective insights about their performance, optimize their development and improve the objectivity of promotion decisions (Chowdhury, 2018*). Despite these worthy goals, reducing employee performance to numbers can devalue other important characteristics that are harder to measure, and has also been criticized for lacking context (O'Neil, 2016b*). Technologies that allow keystrokes to be logged and work to be viewed by supervisors also create a panopticon effect, reducing workers' privacy and autonomy, with potentially negative effects on work satisfaction and mental health (Booth, 2019*). They have also been shown to affect employees' inclusion in and access to future training and development opportunities (Jeske and Calvard, 2020).

The ethics of people analytics
Teams: Advocates of PA also claim that it can bring insights about how teams are working, which can improve their productivity and engagement. For example, using PA to help basketball teams understand their players and to track and review mistakes is reported to have had good results (O'Neil, 2016b*). Companies like Google and Microsoft are exploring how this can be achieved in business settings (Hogan, 2016), although preliminary evidence suggests that such analytics may offer limited value. For example, despite collecting multiple data points, Google's Aristotle project was unable to identify consistent characteristics of successful teams or team members (Bodie et al., 2016). These approaches also run the ethical risk of reducing teams to the status of machines, in which "suboptimal" components can be replaced, as well as ignoring the value of both diversity and synergistic working (O'Neil, 2016a*).
Populations: Some PA projects have been criticized for targeting organizational populations more than teams and individuals, creating the potential for data and machine learning to overprioritize and incentivize prototypically ideal characteristics at the risk of creating a homogeneous workforce that fails to reap the benefits of individuality (O'Neil, 2016a*).
Creating inconvenience or income insecurity. Some PA tools have also been blamed for causing inconvenience to employees, particularly by automatically altering work schedules in sectors with fluid workforces. For example, Starbucks used diverse types of datafrom the weather to pedestrian patternsto feed its scheduling software, resulting in uncertainty about available shift work (O'Neil, 2016b*). Data compiled by the US government suggests that two-thirds of food service workers consistently get short-term notice of scheduling changes. Following an expos e in the New York Times, legislation was introduced in Congress to rein in scheduling software, but its progress has been stalled (O'Neil, 2016b*). In the on-demand "gig" workforce, this problem is likely to become more prominent, adding to income insecurity (Crerar, 2018). For example, a study of Uber drivers, highlighted in our grey literature results, found that while they are theoretically in control of their work, deviating from the company's algorithms could result in being banned from the platform (Mohlmann and Henfridsson, 2019*). Some governments are seeking to tackle this with expectations of guaranteed-hours employment and equal pay (e.g. UK), but competition and globalization of the labor market are likely to make this hard to implement.
Threatening privacy or autonomy through tracking and surveillance. Issues around privacy and surveillance dominated the ethical considerations examined in both the academic and grey literatures. PA is often promoted as a means of enabling managers and organizations to track and monitor their employees, both in the workplace and, in some cases, even in their personal lives, for example, where these are linked to mobile phones or social media accounts. Some scholars have speculated that the global variation in levels of workplace monitoring reflects technological more than ethical differences (Pitesa, 2012*), while others point to the role of political and cultural influences (Guenole et al., 2018*).
A number of academic articles have analyzed the diverse methods through which employees can be monitored or surveilled. These can include pre-employment checks including credit reports, driving records, criminal records and drug-testing data checks; as well as on-the-job monitoring including electronic performance monitoring, e-mail monitoring, audio, video (Pitesa, 2012*) and location surveillance (Kaupins and Minch, 2005*).
Recently, the research firm Gartner found that more than 50% of the 239 large corporations it surveyed are using "nontraditional" monitoring techniques, including scrutinizing who is meeting with whom, analyzing the text of emails and social media messages, scouring automated telephone transcripts and even gleaning genetic data (Wartzman, 2019*). Other research revealed similar results, reporting that leading PA users are monitoring people data from diverse sources, including surveys (76%), integrated data from HR and financial systems (87%) and social media (17%) (Agarwal et al., 2018*). Career Builder's independent survey of 2,300 hiring managers reported that 70% of respondents in PR 2017 also used personal information obtained from social media to screen candidates, while 54% reported finding information on social media that led them not to hire a prospective candidate for an open role (Mann et al., 2018*). The most commonly cited factor for this was the candidate posting provocative or inappropriate content. The survey also reported that third-party data brokers are often used to acquire this information, raising additional challenges for governance and accountability (Mann et al., 2018*).
In contrast, narratives in the grey literature (mostly industry sources) suggest that most employees are accepting of digital monitoring. For example, in a blog for the Academy to Innovate HR, Mann and et al. (2018*) cite a survey by ExecuNet suggesting that 82% of employees expect prospective employers to "Google" them, although only 33% bother to Google themselves. It has been argued that this acceptance is a result of organizations' success in persuading employees that sharing personal information is in their interest, thus shifting perceptions of workplace monitoring away from "authoritarian regimes" toward something that "evinces an ostensibly participatory character" (Wartzman, 2019*) or to "participatory surveillance" (Marchant, 2019*).
Employee tracking and monitoring projects were mentioned as particularly risky in the creative and innovative industries, where people can require time-out for brainstorming ideas, which might be measured by PA software as time spent not working (Booth, 2019*). Likewise, as noted by Kim (2017*), a system cannot know when an employee has an upset stomach and needs to be away from their desk -it just senses that they are not currently working.
Not only might monitoring tools and programs provide organizations with incomplete or low-quality data about work, as in the examples above, surveillance may have unintended negative effects on work itself. One academic experiment revealed that the prospect of active monitoring reduced potential employees' impressions of an organization's ethics as well as the likelihood of job acceptance and job satisfaction (Holt et al., 2017*). While higher pay significantly increased the likelihood of job acceptance, it only marginally increased perceived job satisfaction. The same experiment also revealed that none of the potential justifications given by an employer for monitoring changed participants' perspectives on its ethicality or their willingness to work at such a company (Holt et al., 2017*).
Employee "wellness programs" represent a particular class of workplace monitoring, which may require staff to share their medical data, wear a biometric monitoring device or even to be microchipped. An employee survey on wearables by PwC reported that 37% did not trust their employer not to use the data against them in some way (Jacobs, 2017*). Nevertheless, many organizations are still in the process of adopting wellness programs, despite little evidence of their effectiveness. The Illinois Workplace Wellness Study (Jones et al., 2019) enrolled 5,000 employee volunteers in a randomized controlled trial of a program involving biometric health screening and online health risk assessment, linked to health and wellness classes and financial incentives. The results revealed no impact on employee health outcomes, productivity or company medical spending, and there was a strong self-selection effect, with healthier employees more likely to participate. From an ethical perspective, this suggests that such programs may inadvertently widen health inequalities. Such programs have also been criticized for placing undue responsibility for health on the individual, and for penalizing those who cannot comply, such as the disabled (Carroll, 2018*). Moreover, while they are typically framed as benign and helpful, they are often designed more to reduce corporate costs than benefit workers (Kellar-Guenther, 2016).
Even strong opponents of workplace monitoring, such as the American Civil Liberties Union, acknowledge that employers have a right to undertake some monitoring (Kim, 2017*), although it calls for ethical standards. Indeed, the academic literature already contains proposals on how to make workplace monitoring less stressful. This can include, for example, informing employees about the monitoring system, setting fair performance benchmarks; and using documentation or records for benign purposes rather than for sanctions The ethics of people analytics (Moussa, 2015*). Educating and communicating with employees about monitoring are also identified as the best ways to attain their consent and agreement (Kim, 2017*).

Risks for organizations
Ethics as a point of risk for PA projects. A theme seen in the grey literature concerned the role of ethics as a challenge for PA projects, reflecting a growing acknowledgment in the profession that successfully implementing these innovations is highly dependent on their privacy and acceptability. In an Insight222 survey of 57 companies, 81% of respondents reported that their workforce analytics projects were sometimes or often jeopardized by data ethics/privacy concerns (Petersen, 2018*). Some organizations have been criticized for spending money on PA systems but failing to act on the insights they bring about unproductive work (Smith, 2015*), creating a gap between leaders and laggards in PA adoption (Fleming et al., 2018*).
PA projects are relatively new, so organizations currently lack an extensive history of legal, ethical or risk precedents to consult. It has been claimed that existing risk management strategies are not fully applicable to PA projects because organizations may be unable to recognize indicators of potential failure (Calvard and Jeske, 2018*).
Other concerns, reflected in both the academic and grey literature, relate to employees' lack of trust in PA projects or their outcomes. A recent study concluded that 63% of employees believe that their employer is tracking or gathering sensitive data about them, and 72% believe their companies are not telling them what data they are collecting (Pease, 2018*). Employees who do not trust their employers are less likely to provide relevant, truthful information. Knowing one is being observed and judged or ranked on a second-by-second basis can also lead to people gaming the system (Jacobs, 2017*).
Organizations are also reportedly putting PA projects on hold due to uncertainty over their regulatory compliance, particularly with the high-profile GDPR. Despite this, in the run-up to its enforcement in May 2018, only 53% of companies reported that they had been getting ready for GDPR and only 22% that they had excellent safeguards to protect employee data (Green, 2018*). The penalties for breaching GDPR can be severe, with organizations failing to safeguard or misusing personal information facing fines of up to V20m or 4% of annual worldwide turnover (Mann et al., 2018*). However, while GDPR represents a significant advancement of employee rights in the digital era, its primary focus on protecting personally identifiable information leaves open questions around the uses of anonymized or nonidentifiable data. More significantly, it only applies to European Union (EU) citizens, albeit also to companies processing their data overseas. Australia and New Zealand are also reported to have comprehensive regulations to protect employees' privacy (Pitesa, 2012*). However, there is a regulatory deficit in other regions, particularly in developing countries. Nevertheless, even in the EU, legislation on diverse types of privacy is not equally mature. For example, the right of an individual (whether an employee or not) to location privacy has not been established anywhere in the world, albeit this is implicitly covered by broader laws on personal data in several countries. As an illustration, the Finnish Personal Information Law and Law about Privacy and Security of Telecommunications are said to apply to location privacy although "there are no laws in Finland that concern location information" (Sami, 2004 as cited in Kaupins and Minch, 2005*). Conflicting rules on the data rights of employers and employees also create complications when it comes to PA, with the invocation of "legitimate interest" under GDPR giving rise to ambiguity when it comes to privacy rights (Petersen, 2018*).
The lack of robust legal protections in diverse parts of the world, including the USA, has been exacerbated by the declining role of trade unions as a force to advocate for workers' rights (including privacy rights). In the USA, this has been made worse by "at-will" employment contracts, in which employees can be fired for any reason, giving employers greater coercive powers over their employees (Suk, 2007), including through surveillance.

PR
Judging what is acceptable and what is possible was mentioned as another huge dilemma for HR and PA professionals. Many authors mentioned not only legal but also moral or ethical dilemmas. One observation was that the agenda in PA projects is often left to technologists, computer scientists or PA vendors, when what is really needed are experts in human behavior and ethics (Calvard and Jeske, 2018*).
Increasingly, employees are putting pressure on corporate leaders to be more ethical, in some cases staging protests and walkouts in response to perceived misuses of data or algorithms (e.g. Helmore, 2019). State-sponsored programs applying PA-like tools to workers are also raising concerns. For example, secretive data-mining company Palantir was recently found to have covertly installed an app on manual workers' phones to monitor their movements, social networks and communications. The project, conducted in association with the US immigration authorities, resulted in multiple sackings and deportations of undocumented migrants (Joseph, 2019).

Recommendations
In addition to the concerns raised in the academic and grey literature, a number of suggestions and recommendations for managing the ethical risks of PA projects were seen in the literature, which we have clustered into the categories shown in Table 1 and are discussed below.
Transparency and fairness. Transparency was identified as being one of the most critical considerations for PA projects. Diverse articles recommend that organizations communicate their reasons for pursuing PA projects and the kind of benefits employees should expect from them, rather than only describing what they will involve. PA projects lacking transparency may be perceived by employees as unfair and thus encounter resistance to participation or acceptance, although there is also a lack of clarity in how to define or measure fairness (Manyika, 2019).
Legal compliance. Adherence with legislation is an essential building block of all HR data policies. A survey by Privacy International and freedominfo.org found that 57 countries, mostly from Europe and North America, have passed privacy legislation, while a further 37 countries, mostly in Africa and South America, have pending efforts (Kim, 2017*).
Many authors referred to the introduction of GDPR as an opportunity for European organizations to review their compliance with relevant laws and regulations. It was also recognized that technology is rapidly evolving in ways that may be difficult to anticipate, and a pressing question for HR practitioners is what to do in new situations that are not covered adequately by legislation, bearing in mind that what may be legal is not automatically ethical.
Ethical guidelines and charters. Reports in the grey literature strongly recommend that organizations develop and publish clear guidance in the form of an ethical charter, potentially in collaboration with other organizations. A recent survey revealed that almost half of respondents do not have a PA-related ethical charter in place yet (Petersen, 2018*). Aligning the charter with the social norms of the country in which the organization is located was also seen as important, since attitudes toward personal data collection and analysis can vary between countries and cultures (e.g. Guenole et al., 2018*). The PA-related guidance recently developed by consulting firm Insight222 (Green, 2018*) was cited as a useful resource, while it was also noted that HR professionals are bound by broader professional standards (e.g. CIPD) that should also guide their ethical standards of practice in relation to PA (Green, 2019).
Proportionality and protection. Articles in our review emphasize that PA practitioners need to understand which approaches to data storage, access or analysis are permitted in their jurisdiction, who their stakeholders are and their access rights, and who "owns" the data on employee-held devices such as laptops and mobile phones (Jones, 2017*). They call for a better mapping of the data types and methods used in PA, recognizing that "the ethical issues with big data lie not so much with its collection but with the weaknesses in organizational processes and systems that enable it" (Nunan and Di Domenico, 2015, p. 10 as cited in Calvard and Jeske, 2018*). They also acknowledge the co-dependencies between technologies, laws and social attitudes about what data should be protected and what should not (e.g. as for employees with disabilities, where data may potentially be used both to discriminate and to prevent discrimination).
It is strongly recommended that data collected for PA projects should be strictly jobrelated, though it is acknowledged that it is not easy to draw a line between what is personal and what is job-related, especially where data are collected from employer-owned cell phones or notebooks (Bersin, 2019*).
The use of aggregated, non-identifying data is recommended where possible, to demonstrate to employees that the purpose behind PA projects is to capture larger organizational trends. For small teams, it is recommended to present a generic overview of the results, ensuring that no single response can be attributed to a specific employee (Kumar, 2018*). Moreover, data that are not permitted or no longer useful should be deleted, as it is claimed that about 60% of organizations possess such data and HR departments are among the worst offenders (Jacobs, 2017*).
As employees' awareness of PA grows, they will start exercising their rights and may request that HR correct or erase their data, increasing the need for transparency and security on the part of HR/PA software providers and teams (Haim, 2018*). Blockchain is suggested as one opportunity for good governance, enabling digital verification of employees' profiles, as well as allowing potential new-hires to own and manage their data during the recruitment process (Spence, 2018*). Approaches to "privacy by design" are also advocated, both when creating procedures for the use of legacy HRIS and developing new digital platforms (Lingard, 2018*), with a requirement to review their compliance on a regular basis. When selecting PA solutions, organizations also need to follow ethical procurement processes and supplier management procedures (Haim, 2018*).
It was also proposed that organizations should adopt the best practices already used for the governance of algorithms in other sectors, such as healthcare and pharmaceuticals, as well as standards for data collection, integrity, preservation and model validity (Kim, 2017*).
Data rights and consent. Aside from the legal requirements, it is recommended that organizations inform employees of their right to opt-out of relevant data collection processes and give them the opportunity to do so. For example, employees' right to informed consent is part of the privacy guidelines from the Organisation for Economic Co-operation and Development (Kaupins and Minch, 2005*). Organizations also need to consider whether employees are making choice to participate freely (Mann et al., 2018*) or because they fear negative consequences. It is also recommended that consent be renewed regularly (e.g. once every quarter).
Inclusion of stakeholders. There is an agreement, across the grey and academic literatures, that diverse stakeholders need to be consulted and involved in PA projects to ensure these are sustainable and successful (Calvard and Jeske, 2018*). Stakeholder-specific recommendations include the following: HR and PA professionals should execute only PA projects which they can be proud of, can communicate openly about and which are compliant with the company's privacy comfort zone (Guenole et al., 2018*). They are also encouraged to engage with work councils where these exist. The specific recommendation for HR teams was to take control of the PA agenda, rather than letting it be led by suppliers, and to rigorously monitor "machine-related" decisions to make sure they are reasonable and unbiased, while also evidence-based (Agarwal et al., 2018*).
Consulting legal and/or compliance officers is important for ensuring compliance with data anonymization policies and regulations, since "HR teams cannot know everything about data privacy, legal requirements or ethics" (Green, 2018*).
Employees are critical stakeholders in PA projects and should never feel afraid to speak up about their concerns (Leong, 2017*). Listening to employees' opinions can elucidate questionable practices that management has potentially not considered (Kumar, 2018*) and may be collected via anonymized surveys. For employees to feel safer in PA projects, it is important to let them maintain a sense of ownership of the data that are being gathered (Jones, 2017*). The need to ensure that employees experience the benefits of PA projects, and not just the organization, is also seen as critical (Marritt, 2016).
Managers are also seen as crucial in creating a safe space for employees to discuss corporate ethics, to maximize transparency and minimize the dangers of whistle blowing (Leong, 2017*).
New organizational roles such as Chief Data Officer, Chief Information Governance Officer or Chief Privacy Officer, alongside information governance committees, are seen as ways of protecting employee privacy while staying in line with corporate objectives (Leong, 2017*).
Ethicists are seen as valuable consultants by some commentators, helping decisionmakers and PA professionals to ensure the integrity of new projects (West, 2018*).
International organizations and governments have a macro-role to play in PA projects, as they are responsible for the creation of and monitoring of adherence to the policies related to PA practices (Kim, 2017*).
People skills and culture. Several qualifying articles from the grey literature mentioned the importance of PA skills and talent. It was recommended that employers should ideally try to fill PA roles with internal candidates, who can have extensive company knowledge and serve as translators in communicating the results of PA projects (Fleming et al., 2018*). Desirable characteristics of PA leaders noted in the articles included patience, innovation, holistic thinking, project and process management, adaptive leadership, ability to catalyze or broker analytics and being a good brand ambassador (Green and Chidambaram, 2018*). However, very few authors specified ethics amongst these soft skills. Of those that did so, it was recommended that ethics should not only be included in PA training activities but also in daily work, so employees operationalize ethical considerations (West, 2018*).
Evaluation. Monitoring and evaluation are key considerations for PA projects, and communicating "quick wins" can encourage buy-in. It is recommended that in addition to their benefits for employers tied to the organization's strategic challenges and broader transformational initiatives, decisions about future analytics investments can be made more ethical by taking into account their impacts on "people outcomes," and that decisions should be made by HR professionals and the company management rather than by suppliers. In making these decisions, it is important to consider the potential harms that PA projects may bring to employees and to plan strategies for managing risk and avoiding unintended consequences (Pease, 2018*).
Ethical business models. It was noted in the grey literature that PA leaders are beginning to realize that "risk may be a bigger strategic issue than growth" and are adjusting their business models to include not only financial profits but also ethical aspects of doing business (Bersin, 2018*). As remarked in one of the grey literature publications, "thankfully, with each new data scandal, helped by GDPR rules, a new [HR technology] product is launched with a different business model" (Spence, 2018*). This recognition is reflected in the growing interest in ethics amongst global technology companies, including the partnership between Amazon, Apple, Facebook, Google, IBM and Microsoft aimed at studying and advancing public understanding of AI and its influences on people and society, including ethical influences (Bersin, 2018*).

Conclusions and implications
Interest in digital ethics has risen at an exponential rate in the last few years, with governments, academics and the technology industry racing to create new ethical principles, manifestos, guidelines and frameworks. This is reflected in the results of recent meta-review of AI ethics guidelines, published in the Nature journal (Jobin et al., 2019) whose authors remark on the variation in interpretation and the difficulty of translating principles into regulations and practices. Despite this activity, ethical considerations for PA have received relatively little attention, compared to other areas with a strong focus on data analytics, such as education or medicine.
This study set out to identify, map and describe the existing published academic and grey literature covering ethical considerations for PA, up to the end of December 2019. Our analysis indicates that discussion of ethical issues in PA has appeared in the academic and grey literature mainly (although not extensively) in the last three yearsmore than a decade after the first PA articles were published (Tursunbayeva et al., 2018). Searching the academic literature revealed little formal research into ethical aspects of PA, although searching social media exposed a growing stream of grey literature aimed at helping managers to recognize the ethical issues and adopt more ethical practices (e.g. Green, 2018). These literatures touched on philosophical, legal, societal and data security considerations, as well as risks and potential benefits.
The majority of articles revealed by the searches were discussion papers, technical descriptions, subjective case reports, blog posts and educational resources, rather than empirical studies. Despite this apparent evidence gap, many organizations are developing, planning or already using PA, exposing employees to potential risks for their privacy, autonomy, career options, income and well-being. The accuracy of the data underpinning PA and the algorithms it drives also create new questions around error and bias, while the legality of PA practicesin terms of employment law and data protection regulationsremains unclear. A shift in the emphasis of PA projects, from managing individuals to managing larger organizational populations, suggests a desire to avoid these uncertainties.
While similar issues associated with rights, fairness and power dynamics have been discussed for many years in relation to HR and employment ethics (Ekuma and Akobo, 2015), the "datafication" of work and the workforce, aided by predictive analytics and connected digital devices, casts a new light on these. The literature exposed by our review points not only to increased monitoring and surveillance but also to the automation of processes in recruitment, talent analytics, performance assessment and the shaping of behavior, aided by developments in behavioral economics and AI, adding to concerns about work-by-numbers and the demise of choice, opportunity and fairness.
Despite these concerns, the literature yielded by our searches typically casts PA in a positive light, more so in the case of content posted via Twitter, where the majority of references to PA ethics were found, reflecting professional communities of practice. The optimistic view promotes the ethical use of data and automation to eliminate human bias from hiring, promotion and remuneration decisions, such as through eliminating gender discrimination. It nonetheless acknowledges that such approaches can backfire if the source data is skewed, as in the case of Amazon's hiring algorithms, which had been trained using data primarily from male applicants. The value of PA for exposing unethical practices such as absenteeism or intellectual property theft is framed as a way of protecting organizations. In addition, while wellness apps and cellphone tracking could be seen as a form of backdoor surveillance, if used benignly they may potentially support employees' health and security.
The articles appearing in our search results also highlight the challenges involved in implementing PA projects in organizations while ensuring they are ethical and legally compliant, as well as recommendations for addressing them. This is seen as particularly problematic for international organizations operating in diverse contexts with multiple regulations and differing cultural or political expectations. It is also acknowledged that PA is an emerging innovation with as-yet-unknown consequences, and organizations need to envision and mitigate potential risks as PA projects are happening. This need, for what might be termed "anticipatory ethics," is embodied within frameworks for responsible innovation, such as the one proposed by the EU (RRI Tools Consortium, 2016) or the UK's Engineering and Physical Sciences Research Council (2016).
It is interesting to contrast the way in which ethical issues are discussed in the PA-specific literature, compared with broader academic discourse on data ethics and the future of work, seen in the legal, social and political sciences. These meta-narratives are dominated by concerns about privacy, rights, power and fairness, particularly in relation to the rise of the platform-driven "gig economy," the algorithmic shaping of behavior and the role of AI in replicating and replacing the human workforce (e.g. Dastin, 2018*). In contrast, much of the PA-specific literature derives from industry sources and tends to express more optimism about the potential of PA, although it is recognized that adherence with ethical practices is needed to realize this potential. Ethical issues and recommendations described in the broader literature on data/digital ethics were nevertheless reflected in PA narratives, including the need for transparency and fairness in PA projects, proportionality and protections in the use of data, respect for the participants' rights and choices (e.g. through obtaining consent) and inclusion of diverse stakeholders into PA initiatives (see Figure 1). Other ethical recommendations arising in this literature include the need to ensure legal compliance whilst also covering areas overlooked by existing regulations within ethical charters, providing training in PA ethics, fostering a systemic culture of ethical practice, ensuring that PA provides reciprocal benefits for employees (e.g. data for personal development), evaluating PA projects and including ethical outcomes in business models.
This exploratory scoping review makes several important contributions to theory, practice and policy on PA. As academic research on PA is still in its infancy, this review can help to inform and guide future work. It provides an accessible summary of the risks, opportunities, trade-offs and regulatory issues for PA, as well as a framework for integrating ethical strategies and practices, and could thus help organizations to avoid potentially catastrophic unintended consequences, not only for their employees but also for their resilience and reputation. Finally, this paper can provide a channel through which to inform and engage relevant policymakers.
The rise of PA raises new questions for interdisciplinary management science and adds to current debates over the future of human work and employment in a digitized, algorithm-driven society. Such innovations present a dilemma for organizations seeking to optimize their workforce and maximize their effectiveness while also risking employee surveillance, depersonalization and dissatisfaction, alongside new legal vulnerabilities. Using the scoping review method has provided an opportunity to go beyond the nascent academic literature on PA ethics to explore how industry, the consulting sector and PA professionals themselves are discussing these issues. Although the PA literature remains optimistic and somewhat technocentric, we were able to discern ethical themes around risk, regulation and people factors that reflect similar considerations in the wider literature on digital ethics. Uses of data and analytics also offer opportunities to enhance organizational ethics through reducing human bias or increasing wellness and safety, which can be lost in both sociopolitical and technocentric discourses. These dilemmas call for a new social contract between employers and employees, which could help organizations to avoid catastrophic unintended consequences for their resilience, reputation and bottom line. New legal and policy research is also needed to accommodate the changing technological, regulatory and cultural contexts of PA (e.g. Duggan et al., 2020).
While PA practitioners and analysts have recently proposed a set of ethical principles (Green, 2018*), concerted academic effort is needed to develop evidence-based and inclusive frameworks to guide regulators, industry and practitioners in how to respond to these innovations, particularly given their steady penetration into scaled enterprise software and platforms.
As we have noted in the methodology section, no theoretically driven, PA ethics guidelines exist, and for this reason we chose to be guided by the data rather than by a specific framework. One of our recommendations is that such guidelines should be developed, which our results can help to inform. There is a need for primary research to understand how these methods are changing work within different types of organization and their intended and unintended impacts on employees. As more research is published, the case for using systematic review methods, in preference to the scoping approach adopted here, will grow. For the reasons explained in the methods section, the present analysis is the natural first step in what is an emerging field and builds directly from observations about the lack of ethical discourse seen in our published review on the value propositions of PA.

Postscript: PA in the era of Covid-19
The searches undertaken for this review extend to the end of 2019 and thus pre-date the beginning of the Covid-19 pandemic. The results are nevertheless timely, given the rapid rise in working from home, creating greater dependencies on technology and bringing people's professional and personal lives much closer together. In addition to generating new organizational requirements for managing workers remotely, this has ramped-up the use of methods for monitoring, assessing and shaping the behavior and performance of workers and teams, some of which could be ethically problematic (Hern, 2020). These include covert keystroke logging, communications monitoring and harnessing employees' device cameras and microphones, in some cases without consultation or consent (Gifford, 2020). The risks and benefits are likely to vary between settings, types of work, and countries with different legislation; for example, workers' privacy rights are somewhat less protected in the US compared to the EU (Dale, 2017). Nevertheless, the growing use of "bossware" is presenting new risks that even HR departments may not be fully aware of (Schwartz, 2020). Concerns have also been raised about the potential for such technologies to unfairly stigmatize women having to balance work with childcare responsibilities, to "gamify" productivity using digital rewards and to decrease people's ability to decouple work from leisure time (Nguyen, 2020).
Given the long-term threat of new outbreaks, it is also likely that technologies such as facial recognition cameras, biometric scanners and mobile-tracking apps will begin to enter physical work environments, alongside analytical tools integrated into computers or networks. These will inevitably create closer links between measures of well-being and performance, magnifying the types of ethical dilemma already discussed in relation to workplace wellness programs (Pagliari, 2020). So far, ethical debates around PA and worker surveillance have been relatively undifferentiated, but it is likely that more research focused specifically on PA methods will emerge in the coming months, helping to shape new frameworks for ethical practice as organizations and workers transition to the "new normal" in a post-pandemic world.