EMPLOYEE DATA & PRIVACY

What we do with your data, and why it is protected

If your employer has engaged HumanDynamics, this page explains the nature of that work, the legal basis for it, and what it means for you

WHAT WE LOOK AT — AND WHAT WE DO NOT

We analyse communication metadata. Nothing else

HumanDynamics analyses how organisations communicate. We collect email and chat metadata: who contacts whom, when, and how often. We do not access any message content, subject lines, attachments, or calendar details

Metadata collected
  • Sender and recipient identifiers
  • Timestamp and communication channel
  • Internal or external flag
  • Team, department, location, job band
Never accessed
  • Message content of any kind
  • Subject lines or calendar titles
  • Attachments or documents
  • Performance, salary, or health data
Before any analysis takes place, every name is replaced with a random identifier. We never hold a version of the data that connects those identifiers back to real people — that mapping stays with your employer throughout
WHY YOUR EMPLOYER IS PERMITTED TO DO THIS

The legal basis for this analysis.

Every major data protection framework — GDPR in Europe, UK GDPR, CPRA in California, LGPD in Brazil, PIPEDA in Canada, and their equivalents across Asia-Pacific — permits employers to process employee data where there is a legitimate organisational purpose, the processing is proportionate to that purpose, and employees are informed. This page is part of that notification obligation

The legal basis used across all engagements is Legitimate Interests (or its equivalent under local law). For that basis to hold, the employer must demonstrate a genuine purpose, show that no less intrusive means would achieve it, and confirm that organisational interests do not override individual privacy rights. All three conditions are assessed and documented before any processing begins

The engagement falls into one of the following purposes:

Acquisition
Understanding the acquired organisation

Analysing how the acquired company operates in practice — its informal networks, collaborative patterns, and structural dependencies — to inform decisions about its future management as a standalone entity, independently of any integration decision

Does not extend to: redundancy selection, integration planning, or any individual assessment

Integration
Planning an operational integration

Identifying structural alignment and misalignment between two organisations to inform decisions about the combined entity's design. This purpose only applies once a decision to integrate has been made and documented

Does not extend to: individual redundancy, pay harmonisation, or performance decisions

Redesign
Organisational redesign or restructure

Identifying how existing people can be most effectively deployed within a proposed structure, with the explicit aim of minimising further workforce reduction

Does not extend to: redundancy selection, performance management, or pay decisions

HOW THE ANALYSIS IS STRUCTURED SO YOU CANNOT BE IDENTIFIED

Four controls that protect you.

Outputs are delivered as aggregates, structural groupings, or banded rankings. None refer to individuals by name or identifier in isolation. Every output group contains enough people that no individual within it can reasonably be inferred — the exact threshold is set relative to the organisation's size and is fixed before processing begins

01
Names replaced on arrival

Every individual is assigned a random pseudo-identifier at the point data is received. No analysis takes place on named data

02
Team-level outputs where sufficient

Where a question can be answered at team or department level, it is. No individual appears in those outputs at all

03
Structural groupings where finer resolution is needed

Where individual-level structure matters, people are grouped by actual communication patterns rather than formal reporting lines. The output records group membership only — nothing about activity, influence, or performance

04
Banded outputs, never precise scores

Where structural position is relevant to a specific design question, outputs use band assignments with a minimum number of people per band. Precise coefficients are never delivered

The group size control is technical, not discretionary. It is built into the processing engine and cannot be overridden. No output leaves our system that would allow an individual to be identified from the data alone unless this is agreed in advance and employees have been notified
WHY THIS APPROACH IS LESS INTRUSIVE THAN THE ALTERNATIVE

The same decisions would be made without us

What changes is the basis on which they are made — and the degree of individual exposure involved

Conventional approach
Management interviews and observation

Named individuals assessed, quoted, and documented by consultants

✕ Named individual records
HR data and org chart review

Formal structure reviewed against named employee records. Shows hierarchy, not how work flows

✕ Named data, incomplete picture
Decisions made on management judgment

Outcomes shaped by individual visibility and proximity to decision-makers. No audit trail

✕ No anonymisation at any stage
With HumanDynamics
Metadata collected, names removed immediately

All analysis conducted on pseudonymised data. No names at any stage of processing

✓ No individual records
Actual communication patterns mapped

How the organisation really works — not how it appears on paper, and not dependent on who spoke to the consultant

✓ Structural, not individual
Decisions informed by structural evidence

Outputs are group-level only. Individual identity is not present in any finding delivered to the employer

✓ Anonymised throughout

Every data protection framework's necessity test requires that the same purpose cannot be achieved by less privacy-intrusive means. The conventional approach produces individual exposure at every stage. ONA metadata analysis, structured this way, does not

YOUR RIGHTS

You have the right to know, access, object, and complain

Data protection law gives you the right to know your data is being processed, to access it, to object to its use, to request deletion or restriction, and to complain to your national regulator if you believe your rights have not been respected. Which of these rights applies to you depends on your country

To exercise your rights

Contact your employer's Data Protection Officer or HR team directly. They are the data controller and are legally required to respond

To raise concerns about HumanDynamics

To raise concerns about our processing, methodology, or controls, contact us directly. We respond to all enquiries within five working days

privacy@human-dynamics.io

We recognise that analysis of workplace communication is something employees take seriously. The purpose statements, the group size controls, and the jurisdiction-specific processing rules are all documented in the pre-processing assessment completed before this engagement begins

Last reviewed March 2026. This page reflects EU GDPR, UK GDPR, and the principal employee data protection frameworks in jurisdictions where HumanDynamics operates. It does not constitute legal advice