Recruitment practices versus privacy and anti-discrimination laws
Romain Robert, Avocat, ULYS
Introduction
1. General principles of privacy law
2. Anti-discrimination laws in Europe
3. Application to recruitment procedures
4. Whistleblowing and privacy
1. General principles of privacy law
European legal framework:
– Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communication sector (Directive on privacy and electronic communications)
1. General principles of privacy law
Obligation to notify the processing to the national privacy commission
Where?
– in the Member State where the processor is established (can be one country or more)
– if established outside the EU: where equipment located in a Member State is used (except for transit purposes)
1. General principles of privacy law
What is "personal data"?
« any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity »
(e.g. IP address, cookie, rare know-how, name, email, ...)
1. General principles of privacy law
PERSONAL DATA MUST BE (cf. Directive):
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) not kept longer than is necessary for the purposes for which the data were processed.
1. General principles of privacy law
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection
1. General principles of privacy law
SENSITIVE PERSONAL DATA
• revealing racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade-union membership
• physical or mental health
• sexual life
• data relating to offences or alleged offences, criminal convictions or security measures
Extra protection (in principle: no processing allowed – some exceptions)
These data are very similar to the ones used as a basis for anti-discrimination laws
1. General principles of privacy law
INFORMATION TO BE GIVEN TO THE DATA SUBJECT
(a) identity of the controller (or his representative)
(b) the purposes of the processing for which the data are intended
(c) any further information such as
– the recipients or categories of recipients of the data,
– whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
– the existence of the right of access to and the right to rectify the data concerning him
1. General principles of privacy law
THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA
– Right of access
– Right to prevent processing where there is a justified objection
– Right to prevent processing for the purpose of direct marketing
– Right in relation to automated decision-taking
– Right to take action to block, rectify, destroy or erase inaccurate data
1. General principles of privacy law
SECURITY OF PROCESSING
• appropriate technical and organizational measures to protect personal data against
– accidental or unlawful destruction or access
– accidental loss, destruction or damage
– alteration, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing
• level of protection depending on:
– the state of the art and the cost of their implementation
– the risks represented by the processing
– the nature of the data to be protected
1. General principles of privacy law
TRANSFER TO THIRD COUNTRIES
Such transfers are prohibited in principle. Main exceptions:
• Countries providing an adequate level of protection
• Consent of the data subject
• Appropriate contractual clauses
• Binding corporate rules (BCR)
2. Anti-discrimination laws
European legal framework:
• « Racial Equality Directive » (COUNCIL DIRECTIVE 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin)
• « Employment framework Directive » (COUNCIL DIRECTIVE 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation)
2. Anti-discrimination laws
The Racial Equality Directive 2000/43/EC
• equal treatment between people irrespective of racial or ethnic origin
• protection:
– in employment and training, education, social protection (including social security and healthcare), social advantages, membership and involvement in organisations of workers and employers, and
– access to goods and services, including housing
• definitions of direct and indirect discrimination and harassment
• prohibits the instruction to discriminate and victimisation
• allows for positive action measures to be taken, in order to ensure full equality in practice
2. Anti-discrimination laws
• complaint through a judicial or administrative procedure, associated with appropriate penalties for those who discriminate
• limited exceptions to the principle of equal treatment (e.g. where a difference in treatment on the ground of race or ethnic origin constitutes a genuine occupational requirement)
• Shares the burden of proof between the complainant and the respondent:
– the alleged victim establishes facts from which it may be presumed that there has been discrimination
– it is for the respondent to prove that there has been no breach of the equal treatment principle
• Establishment in each Member State of an organisation to promote equal treatment and provide independent assistance to victims of racial discrimination
2. Anti-discrimination laws
Employment framework Directive 2000/78/EC
• equal treatment in employment and training irrespective of
– religion or belief
– disability
– age
– sexual orientation
• Protection in employment, training and membership and involvement in organisations of workers and employers (narrower scope than the Racial Equality Directive)
2. Anti-discrimination laws
• Identical provisions to the Racial Equality Directive on definitions of discrimination and harassment, the prohibition of instruction to discriminate and victimisation, on positive action, rights of legal redress and the sharing of the burden of proof.
• Requires employers to make reasonable accommodation to enable a person with a disability who is qualified to do the job in question to participate in training or paid labour.
• limited exceptions to the principle of equal treatment (e.g. where the ethos of a religious organisation needs to be preserved, or where an employer legitimately requires an employee to be from a certain age group to be recruited)
2. Anti-discrimination laws
FRANCE
Legal framework:
• Criminal Code: discrimination is set out as a criminal offense
• Loi n°2001-1066 of 16/11/2001 (for work relationships)
• Loi n°2004-1486 of 30/12/2004 (broader scope, e.g. housing)
2. Anti-discrimination laws
Criteria upon which discrimination is assessed:
Age, sex, origin, marital status, sexual orientation, sex life, moral standards, genetic characteristics, actual or supposed ethnic origin, nation or race, physical appearance, handicap, health condition, patronymic name, political or religious beliefs, membership of a trade union
Close to sensitive data as defined under the Data Protection Directive
2. Anti-discrimination laws
National body for anti-discrimination:
HALDE
(Haute Autorité de Lutte contre les Discriminations et pour l’Egalité)
2. Anti-discrimination laws
BELGIUM
Legal framework:
• Loi du 25 février 2003 tendant à lutter contre la discrimination
• Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs
• Loi du 30 juillet 1981 tendant à réprimer certains actes inspirés par le racisme ou la xénophobie
• Prohibition on setting an age limit in recruitment and selection (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l'emploi)
• Regional decrees
2. Anti-discrimination laws
Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs:
- Information regarding the proposed job:
  - nature and function
  - requirements
  - location
  - intention to create a recruitment database (for the future)
  - the solicitation mode
- Obligation to respect privacy rights (including the interdiction to ask questions not relevant to the function)
- Obligation of confidentiality
2. Anti-discrimination laws
Prohibition on imposing an age limit in recruitment (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l'emploi)
Some exceptions:
- legal basis
- Royal Decrees
3. Application to recruitment procedures
A. Recruitment and selection
B. Privacy law principles
C. Anti-discrimination policy
A. Recruitment and selection
See Employment Practice Code (Information Commissioner's Office - UK)
1. Advertising
• Inform the individuals who will provide the information
– of the name of the organisation in the recruitment advertisements
– of how the information will be used (unless it is self-evident)
• Recruitment agencies should identify themselves and mention how the information will be disclosed and to whom
• When receiving information about an individual, ensure that the applicants are aware of the name of the organisation holding their information
A. Recruitment and selection
2. Applications
• Application forms: state to whom the information will be provided and how it will be used
• Only seek personal information that is relevant to the recruitment decision to be made
A. Recruitment and selection
CNIL deliberation of 21 March 2002 on the collection of personal data in a recruitment procedure:
• Elaborated with the Syndicat du Conseil en recrutement Syntec: standard questionnaire (model for recruitment sector professionals)
• The Commission established a list of personal data that should not be considered as adequate and proportionate (according to privacy law):
A. Recruitment and selection
• date of arrival in France
• date of naturalization
• how the nationality was acquired
• prior nationality
• social security number
• military status
• prior address
• family circumstances
• health condition, weight, eyesight, height
• housing details (owner or tenant)
• involvement in an association
• automatic bank orders
• loans
A. Recruitment and selection
• Explain the sources from which information may be obtained about the applicant in addition to the information directly supplied
• When collecting sensitive data:
– ensure the purpose satisfies one of the sensitive data conditions
– assess whether the information is relevant or not
– assess whether the information is necessary at this stage of the recruitment process
– according to CNIL: even consent is not enough if the data are not necessary
• Provide a secure method for sending applications
– e.g.: limit the number of people able to receive the information
A. Recruitment and selection
3. Information of the applicant (cf. CNIL)
• indicate whether replies are mandatory or voluntary and the consequences of a failure to reply
• period of conservation of the data
• whether the information will be communicated to a third party and the name of this party (e.g. an anonymous employer)
– information and consent of the applicant is mandatory in this case
• what recruitment methods are used; the results must be kept confidential
A. Recruitment and selection
4. Verification of the information
• Explain the nature of the verification of the information and the methods used to carry it out
– e.g. indicate what external sources could be used (current employer)
• Restrict the use of a disclosure from the criminal record
– only if necessary to protect the business, customers, clients or others
– only at an advanced stage, when the applicant is about to be appointed
• Ensure you have the applicant's consent to obtain documents from external sources
• Give the applicant the opportunity to explain any inconsistencies that are discovered
• According to CNIL: obtaining information from current employers can be carried out if the applicant is informed
A. Recruitment and selection
5. Short-listing
• Be consistent with the applicable rules with regard to selection and recruitment (see above)
• If an automated short-listing system is used:
– inform the applicant
– give him the right to make representations
A. Recruitment and selection
6. Interviews
• Inform the applicant that they can have access to their interview notes
• Destroy notes after reasonable time
• Inform the applicant on how the information and notes will be stored
A. Recruitment and selection
7. Vetting (privacy intrusion)
• Only if a significant risk is involved
– vetting must be justified
– not justified for every job: decide case-by-case
– only at a late stage
• Inform the applicant
– of the vetting procedure
– make clear to what extent information about the applicant will be released
A. Recruitment and selection
8. Retention of recruitment records
• Establish a retention period for recruitment records based on a clear business need
• Regularly destroy information obtained from a recruitment process if it is not needed
• Inform the applicant that the collected information can be retained for future vacancies (if appropriate) and ask for the applicant's consent
• Ensure that the information is securely stored or destroyed
B. Privacy law principles
(See CNIL recommendation)
Access right: the applicant has the right to ask to access the information collected about him
Right to rectify the data: if the data are not correct or have changed, the applicant has the right to ask for the rectification
B. Privacy law principles
Prohibition to use the data for other purposes than recruitment
e.g.: no commercial purposes without applicant’s consent
no emailing without opt-in
no transfer to third parties
B. Privacy law principles
Notify the processing to the national authority
No decision based solely on automated processing of data: human intervention is required, and the applicant must be informed of the reasoning
B. Privacy law principles
Interdiction of transfer to third countries
Main exceptions:
• Countries providing an adequate level of protection
• Consent of the data subject
• Appropriate contractual clauses
• Binding corporate rules (BCR)
B. Privacy law principles
Binding Corporate Rules (BCR)
2 WP 29 documents were adopted on 14 April 2005
"Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules"
B. Privacy law principles
"Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules"
• Recognizes BCR as an appropriate means of protecting personal data
• Authorization has to be filed with one national authority
– several criteria to determine the most appropriate authority
– main criterion: location of the operational headquarters
• Several pieces of information have to be supplied
– contact details
– justification of the choice of the data protection authority
– the binding corporate rules
B. Privacy law principles
• Evidence that the measures are legally binding
– within the organisation (codes, corporate or contract rules, statutory codes, employment contract, ...)
– externally, for the benefit of individuals
• Effective judicial remedy in one Member State
• Effective financial resources in case of breach of the BCR
B. Privacy law principles
• What the BCR should contain and provide
– nature of the data
– purpose of the processing
– extent of the transfer
– identification of any member of the group from which and to which data can be transferred
– transparency and fairness to data subjects
– purpose limitation
– data quality
– security
– right of access, rectification and objection
C. Anti-discrimination policy
See CNIL 9/7/2005
Internal anti-discrimination policy may be a legitimate purpose
e.g.: statistical tools/surveys regarding diversity in a company
C. Anti-discrimination policy
What data may be collected for this purpose?
• Name and surname
• Nationality
• Prior nationality
• Place of birth
• Nationality of the parents
• Address
• NOT ethnic or racial information
C. Anti-discrimination policy
Internal policy to be discussed:
– applying relevant legislation
– defining criteria
C. Anti-discrimination policy
Conditions:
• Sole purpose: anti-discrimination policy
• Prohibition to search for and find out the ethnic or racial origin!
• Information of the employees about the purposes, the means, their rights
• Processing by a limited number of people and in a secured computer environment
• Statistical and anonymous data
• Destruction after obtaining the statistical results
C. Anti-discrimination policy
Anonymous CV
French act on equal opportunity (loi n° 2006-396 du 31 mars 2006)
• Imposes the use of anonymous CVs for companies with more than 50 employees
• Data concerned: name, surname, email, pictures, sex, age, address
• The data will be processed and the first contact will be made via a third party (independent agency or internal entity)
4. Whistleblowing and privacy
Whistleblowing schemes are imposed by several laws with respect to accounting, auditing matters, fight against bribery, banking and financial crime
Present in several European national laws (fight against fraud) but main act : Sarbanes-Oxley Act
4. Whistleblowing and privacy
SOX:
– "procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters"
– protection of the employees of publicly traded companies who provide evidence of fraud against retaliatory measures taken against them
Applicable to all US companies and their EU-based affiliates. Provisions mirrored in the NASDAQ and NYSE rules.
4. Whistleblowing and privacy
SOX vs. privacy:
• “Document d’orientation” adopted by CNIL (10 November 2005)
• Opinion 1/2006 of Article 29 working party on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
4. Whistleblowing and privacy
Legitimacy of whistleblowing systems?
• legal obligation to which the controller is subject (article 7 c Directive)
– only by virtue of EU legislation or EU Member State law: several national laws on combating bribery, ...
– SOX cannot, on this basis, be considered a legitimate ground for the purpose
4. Whistleblowing and privacy
• Purpose of legitimate interest pursued by the controller (article 7 f Directive)
– for the Member States where no whistleblowing obligations are imposed, good corporate governance is considered as a legitimate interest of the companies (see OECD, EU positions)
– however, article 7 f requires a balance of interests to be struck between the legitimate interest of the processor and the fundamental rights of the data subject
4. Whistleblowing and privacy
Adequacy, proportionality and quality of the data?
• Possible limitation of the number of people entitled to report alleged improprieties or misconduct through whistleblowing schemes
• Possible limitation of the number of people who may be incriminated through whistleblowing schemes
4. Whistleblowing and privacy
Anonymous reports
• Not encouraged:
– does not prevent guessing who raised the concern
– harder to investigate: no follow-up
– the whistleblower is already protected
– may deteriorate the social climate
4. Whistleblowing and privacy
Recommendations about anonymous reports:
• data should be collected fairly: only identified reports should be allowed
• but WP 29 accepts anonymous reports under some conditions:
– neither encourage nor advertise the possibility of anonymous reports
– advertise the protection offered by the scheme
• if, despite this information, the person reporting still wants to remain anonymous, the report will be accepted
• difference in investigating the anonymous report?
4. Whistleblowing and privacy
Proportionality and accuracy of data collected and processed
• Should be restricted to the minimum and to what is necessary under the relevant obligation
• If data are out of the scope of whistleblowing: find another basis for a legitimate purpose
• See "document d'orientation" of CNIL: some data are subject to a "décision d'autorisation unique". If the purpose, the data or the process is out of the scope of the document, standard rules apply
4. Whistleblowing and privacy
Strict data retention period
Recommendation: 2 months after completion of the investigation
Can be longer if:
– legal proceedings involving the incriminated person or the whistleblower
– national rules relating to archiving of data
4. Whistleblowing and privacy
Information about
– the existence, purpose and functioning of the scheme
– the recipients of the reports and the right of access, rectification and erasure
– confidentiality of the person reporting
– possibility of a sanction in case of abuse
4. Whistleblowing and privacy
Information of the data subject
• Entity responsible for the whistleblowing scheme
• The facts he is accused of
• The department or services which might receive the report within his own company or in other entities or companies of the group of which the company is part
• How to exercise his right of access and rectification
4. Whistleblowing and privacy
PROBLEM
That would jeopardize the ability of the company to effectively investigate or gather the necessary evidence
SOLUTION
The information of the incriminated individual may be delayed as long as such a risk exists
4. Whistleblowing and privacy
Right of access, rectification and erasure
Here again, these rights may be restricted in order to ensure the protection of the people involved in the scheme on a case-by-case basis
Under no circumstances can the person accused obtain information about the whistleblower on the basis of his right of access, except in case of a false statement!
4. Whistleblowing and privacy
All reasonable technical and organizational measures to preserve the security of the data
Confidentiality of reports must be guaranteed
Use of dedicated means in order to prevent any diversion from its original purpose
4. Whistleblowing and privacy
a) Specific internal organization
• dedication of a group or department to handling whistleblowing and leading investigation
• the system should be strictly separated from other departments
• information only transmitted to other people specifically responsible
4. Whistleblowing and privacy
b) Possibility of using external providers
• Possible use of external providers (specialised companies, call centers, law firms)
• Companies still remain responsible for the processing of the data
• Obligation of a contract containing specific clauses for compliance with the principles of the Directive
4. Whistleblowing and privacy
c) Principle of investigation in the EU companies and exceptions
• Proportionality principle: take the nature and seriousness of the alleged offense into account to determine at what level, and in what country, the assessment of the report should take place
• As a rule, the art 29 WP believes that groups should deal with reports locally
• Some exceptions however: data received through a whistleblowing system may be communicated within the group
– if such communication is necessary for the investigation,
– depending on the nature or the seriousness of the reported misconduct, or as a result of how the group is set up
4. Whistleblowing and privacy
Transfer to third countries
Transfers are likely to occur for EU affiliates of third country companies
General principle: transfer only allowed to a country with an adequate level of protection
4. Whistleblowing and privacy
What if the third country does not ensure an adequate level of protection?
Data may be transferred on the following grounds:
[1] where the recipient of personal data is an entity established in the US that has subscribed to the Safe Harbor Scheme;
[2] where the recipient has entered into a transfer contract with the EU company transferring the data by which the latter adduces adequate safeguards, for example based on the standard contract clauses issued by the European Commission in its Decisions of 15 June 2001 or 27 December 2004;
[3] where the recipient has a set of binding corporate rules in place which have been duly approved by the competent data protection authorities.
CONCLUSION
Assessment of privacy laws vs. whistleblowing laws on a case-by-case basis
Different approach in each country towards combinations of privacy and recruitment rules
Orientation papers: CNIL, WP 29, BCR efforts to harmonize and to give guidance for business
Unexpected effect: SOX makes companies respect privacy laws because they have to pay attention to data protection laws
Thank you
Questions
Comments