Standard social audits are used by business to understand, amongst other things, how workers are treated in its supply chains. Social audits often (even always) involve collecting data directly by interviewing selected workers.

This post is prompted by a statement we recently saw online:

This got us thinking. Surely social auditors are not stealing data?

So we set out to understand:

This is quite an involved topic - so apologies that this has ended up being a long post. It is a very important question and worth exploring.

Standard social audit versus specialist investigations

IMPORTANT: this article is specifically focussing on standard social audits, typically commissioned by workplaces or their customers on an annual or bi-annual basis using a standard template (eg: SMETA).

There are many kinds of "social audits" that can be undertaken, including by specialist consulting firms and where deeper dives on individual issues are being considered - and these usually operate differently with respect to workers, typically avoiding the issues that are discussed in this article.

We asked ChatGPT about collecting data from workers in a standard social audit

We have our own views – but we felt it would be interesting to ask ChatGPT to analyse the question.

That is not because we are lazy; we wanted to see what came back.

AI systems are based on large language models that are trained on large amounts of public data and can provide interesting insights into how people generally might be thinking.

We asked ChatGPT two questions because the answer given to our first question showed (in our view) a lack of depth. The follow-up question caused ChatGPT to think more carefully about its answer and the response was significantly better considered.

Please read both of the questions and both of the answers, not just the first.

Please note that these are the views provided by ChatGPT and not necessarily the views of the Ask the workers team. As a team we are strongly supportive of social audit and the important role it plays in labour rights due diligence.

You may also note that ChatGPT does make a couple of unsolicited and unsubstantiated recommendations to use continuous workplace monitoring (platforms like Ask the workers). That’s simply what it did – we did not ask it to do that!

ChatGPT analysis: our summary - collecting data via social audit

1. It can be okay for social auditors to collect data directly from workers in interviews if this is done in the right way and it is not stealing regardless. But the key point is whether, in practice, data is actually collected in the right way during standard social audits.

   
   

2. Standard social audits, if poorly approached, can easily end up crossing acceptable legal and ethical boundaries with respect to their direct interactions with workers – exposing social audit firms and their clients to potential reputational and other risks, especially if suppliers arrange their own audits. Using a good approach for collecting data from workers in a standard social audit is difficult to achieve in practice.
   

3. The information provided can be questionable if worker interviews are organised in the wrong way, especially if the supplier itself arranges and pays for the audit or if workers feel that can't say no to participating. This can also lead to the potential for harm to the participating workers.
   

4. There are better approaches that avoid these risks and which provide more reliable information. One example, would be to use continuous monitoring (technology like Ask the workers) alongside social audits, perhaps reducing the scope of audits to those matters which they best address.

   
   

What does the social audit industy say about worker interviews?

The industry and authorities publish standards that should apply when workers are interviewed as part of a standard social audit (QIMA, ILO, Sedex, others).

There is no news here - these are standards that the social audit industry itself sets out to observe and auditors are trained professionals.

Based on this article (see below), here are a few of the important points that are set out in policies but which probably hard to observe in practice - and which are clear sources of ethical and legal risks:

What does voluntary mean?

This is the question at the heart of the debate in this article.

If worker data can only be legitimately used if it is voluntarily given by the workers involved, how does this square with the typical audit process?

Does voluntary mean that workers should volunteer?

• The workplace calls an "all-hands" meeting.

• Volunteers are requested to come forward to participate in audit interviews.

But the value of that process from an audit point of view is clearly very limited - as it could be that the employer has hand-picked individuals to participate behind the scenes - or that a distorted picture emerges when the only volunteers are trouble-makers.

If workers "have to say no" - is that still volunteering?

• Selected workers are invited to interviews.

• Workers are allowed to decline to participate.

That's also not "volunteering" given the pressure that can be put on workers to say "yes" to participate and the potential consequences for workers that decline.

Conclusion?

The standard social audit may find itself is an uneasy place here.

OUR 1st QUESTION TO ChatGPT:

If workers, as part of a regular social audit of a supplier, provide data to a social auditor in an interview, is the social auditor stealing that data?

ChatGPT ANSWER:

That’s a really good, nuanced question. The short answer is: no, social auditors are not “stealing” worker data in the legal sense, but there are some important caveats about consent, ownership, and ethical use of worker-provided information that boards should be aware of.

1. Who “owns” the data that workers give in interviews?

• Workers themselves are the source and primary owners of their personal information (identity, working conditions, pay, grievances).

• When workers share it with an auditor in the context of an interview, the auditor is collecting data under implied consent—the worker voluntarily responds, usually because the audit context suggests it’s for workplace assessment.

• However, in many jurisdictions, data protection law (e.g., GDPR in the UK/EU) says the auditor (or the commissioning company) becomes the data controller or processor with legal duties (e.g., purpose limitation, lawful basis, safeguarding anonymity).

  
  

2. Why it isn’t “theft” in the strict sense

• Theft in law requires taking property dishonestly with intent to permanently deprive.

• Personal information provided in an interview doesn’t fit that category: workers are voluntarily disclosing information, and auditors aren’t depriving workers of it.

• So it isn’t stealing. But the bigger issue is whether it is ethical and compliant with privacy and labour-rights standards.

  
  

3. What is problematic about traditional social audits

• Studies show many workers are not told what will happen to their data, who will see it, or how it might be used. This lacks informed consent and can expose them to reprisals from employers if confidentiality fails.

• Workers often don’t receive feedback or benefit from providing their testimony—the audit results are reported to the buyer, not to them. In that sense, workers’ lived experiences are extracted for the value of the buyer, without reciprocity.

• This is why many critiques describe audits as exploitative of worker voice, even if not “theft.”

  • Verité notes traditional audits are “superficial, tick-box, and fail to uncover hidden abuses” and may silence workers if done poorly.

  • Research by the Modern Slavery PEC and academic reviews of audits have shown they often fail to detect forced labour or systemic issues.

    
    

4. What effective practice looks like

• Informed consent: workers should be told why the data is collected, how it will be used, and how their anonymity will be protected.

• Anonymity and non-retaliation must be guaranteed—without this, data collection risks harming workers.

• Feedback loops: workers should see tangible improvements based on the information they provide, otherwise it’s extractive.

• Continuous monitoring platforms (e.g., anonymous worker-voice channels like “Ask the Workers”) are seen as better practice because they:

  • protect anonymity,

  • cost workers nothing,

  • give workers a safe way to speak up,

  • and allow businesses to see issues in real time instead of one-off audits.

    
    

5. Board-level takeaway

• A social auditor isn’t “stealing” worker data—but traditional audit models risk being extractive, failing to protect workers’ rights over their own information, and failing to deliver genuine improvements.

• To avoid ethical and legal pitfalls (especially under GDPR and modern due-diligence expectations), companies should move towards worker-centric, continuous, anonymous feedback models that protect data rights and deliver actual remediation.

OUR 2nd QUESTION  TO ChatGPT:

You say "So it isn’t stealing. But the bigger issue is whether it is ethical and compliant with privacy and labour-rights standards" because workers give their data voluntarily. But, in a typical social audit, the social auditor may require the workplace to provide access to nominated workers noting that, if the nominated workers are not provided for interview, this could lead to an adverse report finding. Workers, in the interview, might not then be giving data voluntarily - and this might invalidate the permission that they have seemingly given.

ChatGPT ANSWER:

You’re absolutely right to challenge that point. In practice, in many conventional social audits, the way worker interviews are arranged and conducted does not meet any meaningful test of voluntariness.

Let’s break it down clearly:

1. How “worker interviews” usually happen in audits

• Access is employer-controlled: the auditor pressures management to provide a list or make a group of workers available. Workers are chosen, escorted, and observed—already undermining voluntariness.

• Implied coercion: workers know that refusing to be interviewed could create problems for their employer (and by extension, themselves).

• Power imbalance: workers often feel obliged to answer questions because the auditor is seen as an authority figure linked to their employer’s buyer.

• No real informed consent: most workers are not told what will happen to their data, how it will be used, or whether they can safely decline.

  
  

2. Why this invalidates “voluntary” consent

• Consent requires freedom: under human-rights law (ILO, ETI Base Code, UNGPs) and data-protection frameworks (e.g. GDPR), consent must be freely given, specific, informed, and unambiguous.

• If workers participate only because their employer told them to, or because they fear consequences of saying no, then it is not voluntary.

• Under GDPR, “consent under pressure” is invalid; processing personal data on that basis could be unlawful.

  
  

3. What this means for the “stealing” analogy

• While still not “theft” in the criminal sense, the data extraction is involuntary. That makes it closer to an abuse of power or non-consensual appropriation of worker information.

• Ethically, it resembles exploitation: the company and auditor gain value (compliance reports, reputational cover) while workers bear the risk (retaliation, breach of privacy) without benefit.

• That is why many NGOs, academics, and even some auditing firms now acknowledge that audit-based worker interviews are deeply flawed and often a liability, not a safeguard.

  
  

4. Why it fails as “due diligence”

• False assurance: auditors often report “no findings” while systemic issues (wage theft, harassment, forced overtime) remain hidden.

• Risk to workers: workers can face retaliation if employers suspect what they disclosed.

• No feedback loop: workers rarely see improvements resulting from what they disclose.

• Regulatory and legal exposure: because consent was not valid, businesses may be non-compliant with GDPR/data laws, and claims could arise if workers suffer harm as a result.

  
  

5. What effective worker-data practice looks like

• Anonymity protected by design (e.g. independent, confidential reporting channels not controlled by employers).

• Voluntariness safeguarded (workers choose freely, with no employer involvement).

• Transparency (workers told clearly why information is collected and how it will be used).

• Worker benefit (feedback loops and demonstrable remediation from their input).

• Continuous, not episodic (so issues are identified in real time, not once a year).

  
  

This is exactly why the “continuous monitoring” model (like Ask the Workers) has been recognised as the only genuine way to achieve true, voluntary worker feedback at scale—because it separates the employer’s control from the worker’s right to speak safely.

✅ Board takeaway:

If worker interviews in audits are employer-arranged, pressured, and non-confidential, then the apparent “permission” is invalid. From a compliance and ethics perspective, this turns the audit into involuntary data extraction, which exposes the business to legal and reputational risk. Boards should treat such audits not as “due diligence” but as a high-risk liability—and shift investment into worker-centric, anonymous, continuous systems that genuinely respect worker rights.

Would you like me to now recast this note into a one-page visual board slide (icons, colour-coded risks vs. benefits), so directors can absorb the contrast in 30 seconds?

YES, PLEASE MAKE THE ONE PAGE VISUAL

You can try these questions yourself!

You can see the questions we asked ChatGPT in this post because they are highlighted like this.

You can see the answers we got back because they are highlighted like this.

Let us know what you think about this topic.

You can contact us in numerous ways:

• WhatsApp on our website via the chat box

• By email using the button at the bottom of our home page (here) or just send an email to info@es3g.com.

• Or book a short call directly with us (here)