This article, originally published on 1 April 2019 on the website of the Latin American Corporate Counsel Association, provides an overview of data protection from an employment perspective across Mexico, Colombia and Chile.
By: Marcela Salazar, Catalina Santos, Alvaro Gonzalez-Schiaffino and Teresa Espinosa
Firm: Munita & Olavarria, Brigard & Urrutia and Basham, Ringe y Correa SC
It has become increasingly clear that data is now one of our world’s most precious resources, and over the last few years, businesses have been learning how to use data to become more successful and profitable. While the benefits of collecting and analysing large amounts of information are vast, the rapid development of technology has also left businesses facing a host of new risks and challenges, one of which relates to the collection and use of employee data.
Although companies have always held sensitive data on their workforces, rapid advances in technology are providing powerful new tools that allow employers unprecedented access to employee information, raising important questions from an ethical point of view. Indeed, companies are confronted with a core tension between what they can do with employee data, and what they should do with this data.
In practice, lawyers suggest businesses should consider which data protection legislation is applicable to their business and conduct a thorough analysis of the benefits that gathering certain data offers the company as well as the potential damages that it can cause to workers. Companies should also be transparent with regard to the processing of data, involve employees in the processes and ensure that participation in the use of these technologies is optional.
In Latin America, most countries now have data protection legislation which helps employers determine what new technologies should or shouldn’t be implemented in the workplace, while employees have certain rights that can allow them to minimise the collection of their personal data and restrict how it is processed.
In Mexico, the right to data protection was established in the Constitution in 2009. In 2010, the Federal Law on Protection of Personal Data Held by Private Parties was enacted and in subsequent years, regulations of the law and several guidelines on the matter were also issued. This comprehensive legislation applies at a federal level and not on a state-by-state basis.
The country has an independent Data Protection Authority - the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) - that oversees the enforcement of the data protection laws and promotes best practices across the country.
Among the obligations the legislation establishes for data controllers is the requirement to provide a privacy notice to data subjects where data protection practices are clearly explained to employees. The notice must specify clearly why the data is being processed, such as for the payment of wages, and what could be considered voluntary data processing, such as data obtained from the implementation of new technologies, including wearable devices. While processing data for conventional purposes does not require consent from employees, consent for processing data for additional purposes is required. Another obligation is to allow data subjects, in this case, employees, the exercise of their rights over personal data (i.e. access, rectification, cancellation, objection, etc). These obligations are basic when looking at technology in the employment context; however, they are not the only ones.
While there have been some disputes relating to the processing of employees’ personal data in Mexico, they have concerned matters relating to the requirement for consent and privacy notices and none have involved the use of new technologies in the workplace so far. Indeed, lawyers are waiting to see how the right to data protection develops and is strengthened with resolutions by INAI and the local courts.
For many, the use of new technologies and analysis of data in the labour context can be beneficial for both employees and employers, providing there is a clear understanding of what is legal and ethical.
Whether it is to increase automation and efficiency, cut costs or establish systems for quality assurance, there are numerous technological tools that are available for organisations looking to leverage the benefits of big data and stay competitive. One such method is the use of monitoring technologies to optimise processes. This often involves the constant and large-scale collection of personal data, which sometimes can be unlawful or unethical and can even be used for discriminatory purposes. It is therefore necessary to set limits for companies aimed at guaranteeing that the use of data is based on ethical principles, even if the gathering of data has been authorised by the data subject.
Local laws in Colombia establish two fundamental personal data rights: the right to privacy and the right to data rectification. Similar to the EU’s General Data Protection Regulation (GDPR), regulations in Colombia are based on the principle that the processing of private, semi-private and sensitive personal data requires the data subject’s prior, express and informed consent.
Even if employees expect little privacy while on company premises or when using company equipment, there have been several decisions in Colombian courts recognising minimum privacy, or tolerable personal use for employees using internal hardware or software tools. Since the gathering of employee data from these new tools has not been directly regulated by local employment law, but broadly regulated by constitutional and GDPR law, nowadays employers have the responsibility for setting specific limits that can solve the tension between productivity and the fundamental rights of employees, starting from the principle that the gathering of information must respond to legitimate and ethical interests.
Considering that so far companies are forced to rely on precedents, where the limits of what is legitimate and what is not are often very blurry, there is an urgent need for local employment regulations recognising the new forms of work that technology has created and the need to set parameters of conduct specifically for employers, harmonised with technological environments and their advances.
Indeed, as workplaces are becoming smarter, labour legislation in Colombia must evolve and new limits must be cemented by employers and included in employment contracts.
In Chile, employers receive and have access to a lot of information on their employees and gather data on them throughout the employment relationship. Since the company has access to personal data from employees, questions arise about the limits regarding the treatment of this personal data, including how to use this information without violating the dignity and privacy of employees.
Chilean legislation includes several rules on the protection of personal data applicable to an employment relationship, which help mitigate the ethical problems that may arise for the employer.
The Political Constitution of the Chilean Republic, Law No. 19,628 regarding the protection of private life or personal information, and the Labour Code contain the most important provisions relating to gathering employee data in Chile.
Article 19 No. 4 of the Chilean Constitution provides the protection of personal data as a constitutional right. This rule guarantees the respect and protection of private life and the honour of the person and their family, and also, the protection of their personal data.
Law No. 19,628 states that personal data may only be processed when determined by law or when the owner of the data gives written consent, in this case, the employee. The law also provides that the employee must be informed about the purpose of the processing of their personal data and its possible communication to the public. However, there are exceptions to this provision. Authorisation is not required when private entities process personal data for their own exclusive use or that of their agents and affiliates, and it is for their own benefit. This applies to companies when processing employee data for their own exclusive internal use.
According to the law, personal data relates to ‘any information concerning individuals, identified or identifiable.’ This includes basic human resources data, such as, but not limited to, the employee's name, date of birth or age, date of starting employment, remuneration and benefits, home address, marital status, number of dependent children, national registration number or identity card number, social insurance number, employee number, position in the organisation, evaluations and complaints.
On the other hand, the processing of sensitive personal data is prohibited. Data considered to be sensitive may only be processed when determined by law, when the data owner gives written consent, or for obtaining health benefits, like those necessary for granting complementary health insurance to employees.
Sensitive personal data is defined in Chilean law as information regarding a person’s physical or moral characteristics, and facts or circumstances of their private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sexuality.
Chilean labour legislation expressly states that it is the employer’s responsibility to respect the guarantees of the constitution within the framework of labour relations in the company, ensuring the protection of employee data and especially the employee’s rights to privacy. In this context, article 154-bis of the Labour Code sets forth the employer’s confidentiality obligation to keep all information and private data related to its employees safe.
Employer obligations in respect to the protection of employee data may be clear, but companies in Chile are faced with a core tension between what they can do with employee data, and what they should do with this data. While this tension also exists with respect to the collection of customer data, the power imbalance between employers and employees makes employee data collection a particularly sensitive issue – one on which it is imperative that the HR function has a voice. HR should therefore be involved in data protection matters, helping to inform the business on decisions and craft policies from the very beginning of any data collection effort. To be effective in this role, HR professionals should have a good knowledge of their tools and the potential consequences of using them, including unintended consequences.
In general terms, some recommendations for legal counsel and HR professionals successfully navigating ethical dilemmas in employee data collection include:
- Start with legal obligations. Every legal entity exists within some legal and regulatory framework that will inform the collection and use of employee data. These standards vary by country, and organisations with employees in different regions will need to take this into account when determining data policies. For example, unlike most countries in Latin America, in the US data generated by employees at work is judged to be the company’s property, but in Europe, the balance of control is more in favour of the employee. That balance has shifted further towards employees since GDPR came into force.
- Understand the privacy culture at the organisation. What does privacy mean to your employees? What are their expectations for how it will be respected? Do beliefs and expectations vary by region, and if so, how?
- Be as transparent as possible about data collection and clarify your employees’ rights in terms of data collection and use. What control do they have over their data? Is there a process by which employees can make their voices heard on the issue?
- Define and share guidelines on privacy within the organisation. Share examples of good practice (for example, using company devices only for business).
- Request feedback from your employees. Create a safe space for the discussion of ethics and encourage employees to provide feedback. Earn their trust and goodwill. Companies need to help employees trust the data, the company’s intentions, decisions being made based on the data, and that those decisions will lead to better and fairer outcomes. Transparency and channels for offering feedback will also help build this trust.
- Continually audit your data collection and use. Decision-making should not be a one-off process. Revisit your policies as the context changes. Be informed about the limitations of your data and keep a critical eye on emerging technologies and the ethical landscape in general.
Regardless of the technology available which can monitor employees in a thorough way, employers must follow data protection principles and rules to legally process and monitor employee data. Employers must always try to guarantee the employee’s right to privacy and respect the expectation of privacy they may have in certain contexts or circumstances, without losing sight of the main purpose of monitoring, which is security.
It is critical that companies revisit their data protection practices, and they should do so with the advice of experienced legal counsel. Large companies and public companies in stock markets should rely on counsel that advise clients with the highest international compliance standards to avoid any undesired consequences.