The world of technology is always changing, often accelerated by the social and cultural realities of the time. These changes are sometimes incremental and have a seemingly imperceptible impact on our lives, or we can find ourselves in the midst of a paradigm shift. We are arguably entering such a period now. The development of extended reality (XR) platforms is being thrust centre stage at a time when we as a society have collectively become more comfortable with our primary interactions occurring in digital spaces as a result of the COVID-19 pandemic.

One of the main areas of our lives impacted by this shift has been the workplace, affecting how many of us work and interact with our clients, customers, and colleagues. As organizations find themselves making a more permanent shift to an increasingly virtual and hybrid model of working, many are looking for new technologies to better support this moving forward. Enter XR. While this may seem like a perfect solution for this new normal, adopting these immersive technologies in the workplace highlights both existing and new information governance (IG) challenges and risks. Organizations will be forced to consider how these technologies and the associated information produced through their use fit into existing IG policies and frameworks, and what steps should be taken to mitigate potential risk.

What is XR Anyway?

Numerous buzzwords and acronyms are associated with these immersive technologies, and many people may find themselves asking what does it all mean? Extended reality or ‘XR’ “refers to all real-and-virtual environments generated by computer graphics and wearables. The ‘X’ in XR is simply a variable that can stand for any letter. XR is the umbrella category that covers all the various forms of computer-altered reality, including: Augmented Reality (AR), Mixed Reality (MR), and Virtual Reality (VR)”.[1] Each of these provides users with a different degree of sensory immersion and interaction between the real world and the digital content they create.[2] AR overlays digital content onto the real environment viewable by the use of technology such as smartphones/tablets or AR glasses, while VR completely obscures the real world and immerses users in an interactive, digitally generated environment using head-mounted displays (HMD).[3] MR combines the two, allowing a user to interact with responsive digital content integrated into the real environment via a dedicated headset.[4] XR technologies work by sending digital information to the human senses, requiring the use of sensors and cameras to track and gather information and accept commands, creating immersive experiences by enabling real-time responses to virtual stimuli using supporting technologies.[5]

While XR inherently requires the collection of user data to operate effectively, the specific type of immersive technology used (i.e. AR, MR, or VR) will dictate the type and quantity of data required. XR technology is quickly progressing, and it is possible that more advanced tracking technologies such as pupil dilation hardware; advanced hand, limb and eye tracking; and haptic or neurological interfaces will soon become standard features of these systems.[6] The advancing technical landscape of XR makes it even more important for organizations to start immediately considering the implications of implementing them in the workplace. This will help organizations stay ahead of the curve in dealing with the associated IG challenges and better mitigate risk. A key to success will be to understand these issues early on and create a solid foundation of policies, processes, and procedures from which to build an effective XR strategy. As a starting point, organizations should consider potential uses for this technology in their workplaces.

Possible Use Cases in the Workplace

With all the hype surrounding these immersive technologies, it is likely that many organizations have started asking how they can leverage XR to support their business. While it is important to start considering their potential uses and subsequent impact now, organizations must also understand that despite the push for development, it is still early days and XR is not necessarily ready to be widely implemented yet. Some possible use cases follow.

Training & Education

While not a new concept, the use of VR in particular for employee training in the workplace has received increased attention thanks to the shift to remote working. The immersive qualities of VR training make it easier for employees to learn quickly, retain more knowledge, and gain a deeper comprehension of the subject matter.[7] VR has been particularly effective in soft skills training for new and existing employees.[8] XR can also be useful for training related to expensive and/or dangerous procedures, helping organizations cut costs and better ensure worker safety.[9] That said, the use of VR for training purposes requires assessment on a case-by-case basis, and organizations need to ensure they are meeting training requirements in specific circumstances if VR is used.[10]

Hiring & Recruitment

Hiring and recruitment is another area where XR may aid employers, helping identify the best candidates for the job. Providing prospective candidates with an opportunity to virtually experience what working in a particular role would be like, not only allows employers to see how the applicant might perform, but also allows applicants to evaluate whether they think it would be a good fit for them, helping to reduce turnover.[11] Using XR for recruitment purposes will require extra care in addressing privacy considerations, particularly relating to non-hired applicants, an area which often includes maximum retention requirements for personal data, and which may attract additional considerations in relation to discrimination.

Collaboration & E-Communications

XR also has the potential to provide organizations with improved opportunities for collaborative digital working environments, connecting workers from around the world and supporting collaborative design, planning and decision-making.[12] Similar to the video conferences that have defined remote work for many, XR would hypothetically allow for more immersive meetings and informal chats to take place between individuals virtually, better replicating the in-office experience. This might include the ability to view and work collaboratively on a document or on a white board “face-to-face” with colleagues in a virtual environment offering a similar experience to a boardroom.

Connecting With Clients or Customers

The potential proliferation and widespread adoption of XR across the various spheres of our lives may allow for the future use of this technology as a means of interacting with an organization’s clients or customers. Whether utilizing VR platforms to conduct customer support interactions, or reimagining how consumers shop online, caution will also be required regarding the collection and use of personal data in these situations as well.

These examples represent only some of the possible use cases. The implementation of any of these examples or others will require organizations to consider the potential IG implications and risks, including how information associated with the use of XR will fit into existing IG frameworks and identifying where updates may be required.

Integrating XR into Your IG Program

Many of the IG challenges faced by organizations seeking to implement these technologies into their programs will not be new. However, they will take on a new level of complexity.

Data Privacy Considerations

The topic understandably causing the greatest concern in relation to XR is data privacy. In order to deliver the desired immersive experiences, XR technology must collect large amounts of user data, the nature of which is different from the data generally collected by connected devices, both in terms of the volume and the type of data collected. In addition to collecting data such as location, social ties, verbal communication, search queries, and product preferences, XR technology also collects and measures biometric and biometrically-inferred data.[13] This includes collecting data on an individual’s bodily movement, level of interest, and emotional or physiological state, accomplished through tracking things like posture, eye gaze, pupil dilation, gestures and gait, facial expressions, electrical activity in the brain, etc. [14] To provide some perspective, spending only 20 minutes in a VR simulation can produce just under 2 million unique records of body language.[15] This biometrically-inferred data is something organizations should be particularly careful about when implementing XR technology, as it can reveal non-visible attributes of an individual such as medical conditions like autism, schizophrenia, Parkinson’s disease, and ADHD, creating concerns relating to discrimination in employment and insurance.[16]

Meaningful, informed consent will be critical, given the sensitive nature and quantity of data collected through XR, coupled with a general lack of user knowledge and understanding of the technology and the full range of potential consequences of the collection and use of this data. It will be important for organizations to ensure they capture and retain appropriate records of consent, in addition to records of other processing activities, to support and defend their use of XR.[17]

Further complicating considerations for the implementation of XR in the workplace, it is unclear at this time whether data collected through XR is sufficiently covered under existing data privacy legislation, especially as the technology continues to develop. One concern centres on existing legal definitions of biometric information and their applicability to various new types of data collected through XR. Despite some of the uncertainly surrounding how personal data collected and used through XR is regulated, and given the sensitive nature of this data and the potential for harm, as a best practice organizations using these emerging technologies should exercise caution in how they collect, use, retain, and secure this data. It will be important for organizations to ensure they are applying storage limitation and data minimization principles when implementing XR in the workplace. In order to ensure they are not retaining data for longer than necessary or permitted, organizations will need to understand the nature and scope of data being collected and ensure that it is adequately captured under data and records retention schedules and policies.

Records and Data Retention

Organizations looking to implement XR technology will need to ensure they capture and retain any relevant records created while using or relating to its use, as required by law and in accordance with their records retention schedules. Given the types of personal data implicated, this will include the need to balance privacy considerations with retention obligations. For example, if an organization is using a VR platform to interact with a customer as part of offering customer support services, the organization will need to consider the types of records and information it needs to capture and retain as part of this interaction. This may require recording the interaction in some capacity, such as a video of the virtual environment and/or a transcript of the conversation. It may be for quality control purposes, as well as to monitor for harassment and discrimination. Similarly, if an organization is using XR for training, any relevant records demonstrating successful completion or scoring will need to be captured and retained. The implementation of XR technology may also require the retention of new records, such as those relating to specific health risks associated with the use of XR and employer monitoring of adverse effects on employees. This can include not only simulation sickness, but also adverse psychological responses to virtual stimuli while in an immersive environment.[18] Organizations may also need to start considering recordkeeping in relation to digital assets existing in XR spaces.

Data Storage

When considering issues related to data storage, organizations should also factor in potential challenges relating to storage location and data transfers, particularly as they relate to personal data. Due to the sensitive nature of the data collected, the uncertain regulatory landscape, and the likelihood of multi-jurisdictional implications, organizations will need to consider the best approach for where to store their data. “The retention of sensitive user data should ideally be situated in the HMD itself, and not sent, stored, or retained on external servers.”[20] This helps protect data, by keeping it in the possession of the user rather than third parties, and can aide in keeping the data safe from access by foreign governments or other parties.[21]

How organizations intend to deal with these challenges, including storage costs and constraints, is something they will have to consider when evaluating the implementation of XR technology in their workplace, along with selecting the appropriate technology and XR service provider. Organizations will also need to consider the potential data formats, ensuring they have systems in place that are able to maintain and access this data, including the ability to fulfil any legal obligations such as data subject access, deletion, and data portability requests. These records may also be subject to legal hold during investigations or litigation and will need to be discoverable.

In addressing the array of challenges in integrating XR technologies into the workplace, organizations will need to ensure they put measures in place to reduce and mitigate any risks.

Mitigating the Risks of XR from an IG Perspective

Effective risk mitigation will be crucial for any organization looking to implement XR technologies into their workplace. Organizations should consider the risk mitigation measures they intend to implement during the early planning phases as part of their overall XR strategy, re-evaluating these as the strategy develops and potential use cases for the technology become more concrete. An important step for organizations will be to review and update any existing information governance policies (e.g. retention policy, e-communications policy, privacy policy, workplace harassment policy, codes of conduct, etc.) to ensure that the necessary changes resulting from the implementation of this technology are captured. This may include updating and/or adding definitions, changing the scope, or potentially creating new policies to address these areas. In addition to reviewing and updating policies, organizations will also need to ensure employees are properly educated and trained on these new areas. It will also be important for organizations to update any of their external facing documentation, such as privacy statements, XR-specific data-disclosures, etc. This will help to ensure transparency and accountability to both internal and external parties regarding how organizations are approaching the use of XR, helping to build trust.

In further supporting this trust and transparency, organizations should update existing and/or establish new mechanisms for reporting complaints and conducting investigations related to XR, whether initiated by employees, or externally by customers, regulatory authorities, and other outside parties. This will require organizations to effectively identify and retain data and records relevant to the use of XR, and to include them in their legal hold procedures. To help facilitate this, it will be important for organizations to understand what data they have and where it is; data mapping can help with this. Data mapping will also help organizations address any customer requests relating to the access to or deletion of their data, and assist in dealing with potential cybersecurity incidents.

One of the most important risk mitigation measures organizations will need to implement in supporting the use of XR technology is cybersecurity. Due do the volume, sensitive nature of the personal data involved, and strong potential for the re-identification of de-identified data, a single data breach could carry a profound risk of harm to impacted individuals. Organizations will need to take steps to ensure they have proportional safeguards in place including access controls, data segregation and policies limiting data aggregation, procedures for updating hardware and software, and enforcement though contractual clauses, or other mechanisms with third parties.

These risk mitigation measures will be especially important as organizations navigate this space with little-to-no specific regulatory or statutory guidance, but a high risk of potential harm (e.g. sensitive personal data, discrimination, and harassment). Regardless, while there may be little XR-specific guidance so far, organizations should look to other potentially relevant legislation as a starting point when considering relevant issues. The areas of law to consider will depend on the specific situation, but may include employment, consumer protection, data privacy, online harms, etc. XR is a quickly developing area, with the potential to affect how we live and work. Advancing at a time of our collective awareness of not only the benefits of technology for connecting us to the workplace, but also the potential for harm, organizations looking to use XR technology should take steps now to ensure its responsible and successful implementation.

[1] Heller, B. (2020, June 12). Reimagining Reality: Human Rights and Immersive Technology. Carr Center Discussion Paper Series, 2020-008.

[2] (2022, January 26) Science & Tech spotlight: Extended reality technologies. U.S. Government Accountability Office.

[3] Ibid.

[4] Science & Tech spotlight: Extended reality technologies; Heller, B. Reimagining Reality: Human Rights and Immersive Technology

[5] Science & Tech spotlight: Extended reality technologies

[6] Heller, B. Reimagining Reality: Human Rights and Immersive Technology

[7] Nunn, D. J. (2021, April 6). Emerging virtual reality trends for workplace training. Forbes.; Zielinski, D. (2021, March 8). The growing impact of virtual reality training. Society for Human Resource Management.

[8] (2021, June 4) How virtual reality is redefining soft skills training. PwC.

[9] Science & Tech spotlight: Extended reality technologies

[10] (2020, August 10) Standard Interpretations – Virtual Reality Safety Training, Various OSHA Standards. Occupational Safety and Health Administration.

[11] Fade, L. (2021, April 5). Council post: What is virtual reality, and how can it be used in the workplace? Forbes.

[12] Science & Tech spotlight: Extended reality technologies

[13] Bailenson, J.N. (2018, August 6). Protecting Nonverbal Data Tracked in Virtual Reality. JAMA Pediatrics. doi:10.1001/jamapediatrics.2018.1909

[14] Bailenson, J.N. Protecting Nonverbal Data Tracked in Virtual Reality; Heller, B. Reimagining Reality: Human Rights and Immersive Technology; See also, Nagy, S., & Douglas, L. (2022, March 3). I Spy Something That Is … Omnipresent: Regulating the Use and Retention of Biometric Information in Remote Working. Connect On Tech.

[15] Bailenson, J.N. Protecting Nonverbal Data Tracked in Virtual Reality

[16] Heller, B. Reimagining Reality: Human Rights and Immersive Technology

[17] Quackenbush, A., & Douglas, L. (2021, May 7). Integrating Privacy Compliance Records into information governance programs. Connect On Tech.

[18] Heller, B. Reimagining Reality: Human Rights and Immersive Technology; Science & Tech spotlight: Extended reality technologies

[19] Starr, M. (2018, May 3). Virtual reality presents new data storage challenges. Data Center Knowledge.

[20] Heller, B. Reimagining Reality: Human Rights and Immersive Technology

[21] Ibid.


Amy Quackenbush is an Information Governance Specialist with the global Information Governance group within Baker McKenzie’s Information Technology & Communications Practice in Canada. She has a background in records and information management, knowledge management, and user experience design. She helps advise clients on information governance matters relating to records and data retention, data privacy and localization, cross-border transfer, media/format, and digital transformation


Lisa Douglas is a member of Baker McKenzie’s Technology Practice. She currently focuses on information governance, drawing on a rich background in knowledge management, legal research, and library science to provide compliance advice on the enterprise information lifecycle.