Presentation on theme: "Recruitment practices versus privacy and anti-discrimination laws"— Presentation transcript:
Slide 1: Recruitment practices versus privacy and anti-discrimination laws
Romain Robert, Avocat, ULYS

Slide 2: Introduction
1. General principles of privacy law
2. Anti-discrimination laws in Europe
3. Application to recruitment procedures
4. Whistleblowing and privacy
Slide 3: General principles of privacy law
European legal framework:
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Slide 4: General principles of privacy law
- Obligation to notify the processing to the national privacy commission
- Where? In the Member State where the processor is established (can be one country or more); if established outside the EU, in the Member State where equipment is used for the processing (except for transit purposes)

Slide 5: General principles of privacy law
What is "personal data"?
- "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"
- e.g. IP address, cookie, rare know-how, name, ...

Slide 6: General principles of privacy law
PERSONAL DATA MUST BE (cf. Directive):
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) not kept longer than is necessary for the purposes for which the data were processed.

Slide 7: General principles of privacy law
CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.
Slide 8: 1. General principles of privacy law
SENSITIVE PERSONAL DATA
- data revealing racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade-union membership
- physical or mental health
- sexual life
- data relating to offences or alleged offences, criminal convictions or security measures
Extra protection (in principle no processing allowed, with some exceptions).
These data are very similar to the grounds used as a basis for anti-discrimination laws.

Slide 9: General principles of privacy law
INFORMATION TO BE GIVEN TO THE DATA SUBJECT
(a) identity of the controller (or his representative)
(b) the purposes of the processing for which the data are intended
(c) any further information, such as:
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him

Slide 10: 1. General principles of privacy law
THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA
- Right of access
- Right to prevent processing where there is a justified objection
- Right to prevent processing for the purpose of direct marketing
- Right in relation to automated decision-taking
- Right to take action to block, rectify, destroy or erase inaccurate data

Slide 11: 1. General principles of privacy law
SECURITY OF PROCESSING
Appropriate technical and organisational measures to protect personal data against:
- accidental or unlawful destruction or access
- accidental loss, destruction or damage
- alteration, in particular where the processing involves the transmission of data over a network
- and all other unlawful forms of processing
Level of protection depending on:
- the state of the art and the cost of implementing the measures
- the risks represented by the processing
- the nature of the data to be protected

Slide 12: 1. General principles of privacy law
TRANSFER TO THIRD COUNTRIES
Prohibition in principle of such transfers.
Main exceptions:
- Countries providing an adequate level of protection
- Consent of the data subject
- Appropriate contractual clauses
- Binding corporate rules (BCR)
Slide 13: 2. Anti-discrimination laws
European legal framework:
- "Racial Equality Directive" (Council Directive 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin)
- "Employment Framework Directive" (Council Directive 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation)

Slide 14: 2. Anti-discrimination laws
The Racial Equality Directive 2000/43/EC
- equal treatment between people irrespective of racial or ethnic origin
- protection in employment and training, education, social protection (including social security and healthcare), social advantages, membership and involvement in organisations of workers and employers, and access to goods and services, including housing
- definitions of direct and indirect discrimination and harassment
- prohibits instructions to discriminate and victimisation
- allows positive action measures to be taken in order to ensure full equality in practice

Slide 15: 2. Anti-discrimination laws
- complaint through a judicial or administrative procedure, associated with appropriate penalties for those who discriminate
- limited exceptions to the principle of equal treatment (e.g. where a difference in treatment on the ground of race or ethnic origin constitutes a genuine occupational requirement)
- shares the burden of proof between the complainant and the respondent:
  - the alleged victim establishes facts from which it may be presumed that there has been discrimination
  - it is then for the respondent to prove that there has been no breach of the equal treatment principle
- establishment in each Member State of an organisation to promote equal treatment and provide independent assistance to victims of racial discrimination

Slide 16: 2. Anti-discrimination laws
Employment Framework Directive 2000/78/EC
- equal treatment in employment and training irrespective of religion or belief, disability, age and sexual orientation
- protection in employment, training, and membership and involvement in organisations of workers and employers (narrower scope than the Racial Equality Directive)

Slide 17: 2. Anti-discrimination laws
- Identical provisions to the Racial Equality Directive on the definitions of discrimination and harassment, the prohibition of instructions to discriminate and victimisation, positive action, rights of legal redress and the sharing of the burden of proof.
- Requires employers to make reasonable accommodation to enable a person with a disability who is qualified to do the job in question to participate in training or paid labour.
- Limited exceptions to the principle of equal treatment (e.g. where the ethos of a religious organisation needs to be preserved, or where an employer legitimately requires a recruit to be from a certain age group).
Slide 18: 2. Anti-discrimination laws
FRANCE
Legal framework:
- Criminal Code: discrimination is set out as a criminal offence
- Loi n° … of 16/11/2001 (for work relationships)
- Loi n° … of 30/12/2004 (broader scope, e.g. housing)

Slide 19: 2. Anti-discrimination laws
Criteria upon which discrimination is assessed: age, sex, origin, marital status, sexual orientation, sex life, moral standards, genetic characteristics, actual or supposed ethnic origin, nation or race, physical appearance, handicap, health condition, patronymic name, political or religious beliefs, trade-union membership (close to sensitive data as defined under the Data Protection Directive).

Slide 20: 2. Anti-discrimination laws
National body for anti-discrimination: HALDE (Haute Autorité de Lutte contre les Discriminations et pour l'Egalité)

Slide 21: 2. Anti-discrimination laws
BELGIUM
Legal framework:
- Loi du 25 février 2003 tendant à lutter contre la discrimination
- Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs
- Loi du 30 juillet 1981 tendant à réprimer certains actes inspirés par le racisme ou la xénophobie
- Prohibition on setting an age limit in recruitment and selection (Chapter II of the loi du 13 février 1998 portant des dispositions en faveur de l'emploi)
- Regional decrees

Slide 22: 2. Anti-discrimination laws
Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs:
- Information regarding the proposed job: nature and function, requirements, location
- Intention to create a recruitment database (for the future)
- The solicitation mode
- Obligation to respect privacy rights (including the prohibition on asking questions not relevant to the function)
- Obligation of confidentiality

Slide 23: 2. Anti-discrimination laws
Prohibition on imposing an age limit for recruitment (Chapter II of the loi du 13 février 1998 portant des dispositions en faveur de l'emploi)
Some exceptions:
- legal basis
- Royal Decrees
Slide 24: 3. Application to recruitment procedures
A. Recruitment and selection
B. Privacy law principles
C. Anti-discrimination policy

Slide 25: A. Recruitment and selection
See Employment Practices Code (Information Commissioner's Office, UK)
1. Advertising
- Inform the individuals who will provide the information of the name of the organisation in the recruitment advertisement, and of how the information will be used (unless it is self-evident)
- Recruitment agencies should identify themselves and state how the information will be disclosed and to whom
- When receiving information about an individual, ensure that the applicant is aware of the name of the organisation holding their information

Slide 26: A. Recruitment and selection
2. Applications
- Application forms: state to whom the information will be provided and how it will be used
- Only seek personal information that is relevant to the recruitment decision to be made

Slide 27: A. Recruitment and selection
CNIL deliberation of 21 March 2002 on the collection of personal data in a recruitment procedure:
- Drawn up with the Syndicat du Conseil en recrutement Syntec: a standard questionnaire (model for recruitment-sector professionals)
- The Commission established a list of personal data that should not be considered adequate and proportionate (under privacy law):

Slide 28: A. Recruitment and selection
- date of arrival in France
- date of naturalisation
- how the nationality was acquired
- prior nationality
- social security number
- military status
- prior address
- family circumstances
- health condition, weight, eyesight, height
- housing details (landlord, occupant)
- involvement in an association
- automatic bank orders
- loans
Slide 29: A. Recruitment and selection
- Explain the sources from which information may be obtained about the applicant in addition to the information directly supplied
- When collecting sensitive data:
  - ensure the purpose satisfies one of the sensitive data conditions
  - assess whether the information is relevant or not
  - assess whether the information is necessary at this stage of the recruitment process
  - according to CNIL, even consent is not enough if the data are not necessary
- Provide a secure method for sending applications, e.g. limit the number of people able to receive the information

Slide 30: A. Recruitment and selection
3. Information of the applicant (cf. CNIL)
- indicate whether replies are mandatory or voluntary and the consequences of failure to reply
- period of retention of the data
- whether the information will be communicated to a third party and the name of this party (e.g. an anonymous employer); information and consent of the applicant is mandatory in this case
- what recruitment methods are used; the results must be kept confidential

Slide 31: A. Recruitment and selection
4. Verification of the information
- Explain the nature of the verification of the information and the methods used to carry it out, e.g. indicate what external sources could be used (current employer)
- Restrict the use of a disclosure from the criminal record:
  - only if necessary to protect the business, customers, clients or others
  - only at an advanced stage, when the applicant is about to be appointed
- Ensure you have the applicant's consent to obtain documents from external sources
- Give the applicant the opportunity to explain any inconsistencies that are discovered
- According to CNIL, obtaining information from the current employer can be carried out if the applicant is informed

Slide 32: A. Recruitment and selection
5. Short-listing
- Be consistent with the applicable rules with regard to selection and recruitment (see above)
- If an automated short-listing system is used: inform the applicant and give him the right to make representations

Slide 33: A. Recruitment and selection
6. Interviews
- Inform applicants that they can have access to their interview notes
- Destroy notes after a reasonable time
- Inform the applicant how the information and notes will be stored

Slide 34: A. Recruitment and selection
7. Vetting (privacy intrusion)
- Only if a significant risk is involved: vetting must be justified; it is not justified for every job, so decide case by case
- Only at a late stage
- Inform the applicant of the vetting procedure and make clear to what extent information about the applicant will be released

Slide 35: A. Recruitment and selection
8. Retention of recruitment records
- Establish a retention period for recruitment records based on a clear business need
- Regularly destroy information obtained from a recruitment process if it is no longer needed
- Inform the applicant that the collected information may be retained for future vacancies (if appropriate) and ask for the applicant's consent
- Ensure that the information is securely stored or destroyed
Slide 36: B. Privacy law principles (see CNIL recommendation)
- Access right: the applicant has the right to ask to access the information collected about him
- Right to rectify the data: if the data are not correct or have changed, the applicant has the right to ask for rectification

Slide 37: B. Privacy law principles
Prohibition on using the data for purposes other than recruitment, e.g.:
- no commercial purposes without the applicant's consent
- no e-mailing without opt-in
- no transfer to third parties

Slide 38: B. Privacy law principles
- Notify the processing to the national authority
- No decision based solely on automated processing of data: human intervention is required, and the applicant must be informed of the reasoning

Slide 39: B. Privacy law principles
Prohibition of transfer to third countries
Main exceptions:
- Countries providing an adequate level of protection
- Consent of the data subject
- Appropriate contractual clauses
- Binding corporate rules (BCR)

Slide 40: B. Privacy law principles
Binding Corporate Rules (BCR)
- 2 WP 29 documents were adopted on 14 April 2005
- "Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules"

Slide 41: B. Privacy law principles
"Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules"
- Recognises BCR as an appropriate means of protecting personal data
- The authorisation request has to be filed with one national authority
- Several criteria determine the most appropriate authority; main criterion: the location of the operational headquarters
- Several pieces of information have to be supplied:
  - contact details
  - justification of the choice of data protection authority
  - the binding corporate rules themselves

Slide 42: B. Privacy law principles
Evidence that the measures are legally binding:
- within the organisation (codes, corporate or contractual rules, statutory codes, employment contracts, ...)
- externally, for the benefit of individuals
- effective judicial remedy in one Member State
- effective financial resources in case of breach of the BCR

Slide 43: B. Privacy law principles
What the BCR should contain and provide:
- Nature of the data
- Purpose of the processing
- Extent of the transfer
- Identification of any member of the group from which and to which data can be transferred
- Transparency and fairness to data subjects
- Purpose limitation
- Data quality
- Security
- Rights of access, rectification and objection
Slide 44: C. Anti-discrimination policy
See CNIL 9/7/2005
- An internal anti-discrimination policy may be a legitimate purpose, e.g. statistical tools/surveys regarding diversity in a company

Slide 45: C. Anti-discrimination policy
What data may be collected for this purpose?
- Name and surname
- Nationality
- Prior nationality
- Place of birth
- Nationality of the parents
- Address
- NOT ethnic or racial information

Slide 46: C. Anti-discrimination policy
The internal policy is to be drawn up in discussion, applying the relevant legislation that defines the criteria.

Slide 47: C. Anti-discrimination policy
Conditions:
- Sole purpose: the anti-discrimination policy
- Prohibition on searching for and finding out the ethnic or racial origin
- Information of the employees about the purposes, the means and their rights
- Processing by a limited number of people and in a secured computer environment
- Statistical and anonymous data
- Destruction after the statistical results have been obtained

Slide 48: C. Anti-discrimination policy
Anonymous CV
- French act on equal opportunity (loi n° … du 31 mars 2006)
- Imposes the use of the anonymous CV for companies of more than 50 employees
- Data such as name, surname, …, pictures, sex, age, address are removed
- The data will be processed, and the first contact made, via a third party (independent agency or internal entity)
Slide 49: 4. Whistleblowing and privacy
- Whistleblowing schemes are imposed by several laws with respect to accounting, auditing matters, the fight against bribery, banking and financial crime
- Present in several European national laws (fight against fraud), but the main act is the Sarbanes-Oxley Act

Slide 50: 4. Whistleblowing and privacy
SOX:
- "procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters"
- protection of the employees of publicly traded companies who provide evidence of fraud from retaliatory measures taken against them
- applicable to all US companies and their EU-based affiliates
- provisions mirrored in the NASDAQ and NYSE rules

Slide 51: 4. Whistleblowing and privacy
SOX vs. privacy:
- "Document d'orientation" adopted by CNIL (10 November 2005)
- Opinion 1/2006 of the Article 29 Working Party on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime

Slide 52: 4. Whistleblowing and privacy
Legitimacy of whistleblowing systems?
- Legal obligation to which the controller is subject (article 7(c) of the Directive)
- Only by virtue of EU legislation or EU Member State law: several national laws on combating bribery, ...
- SOX cannot be relied on under this ground as the legitimate basis for the purpose

Slide 53: 4. Whistleblowing and privacy
Purpose of legitimate interest pursued by the controller (article 7(f) of the Directive)
- For the Member States where no whistleblowing obligations are imposed, good corporate governance is considered a legitimate interest of companies (see OECD, EU positions)
- However, article 7(f) requires that a balance be struck between the legitimate interest of the processor and the fundamental rights of the data subject (balance of interests)

Slide 54: 4. Whistleblowing and privacy
Adequacy, proportionality and quality of the data?
- Possible limitation of the number of people entitled to report alleged improprieties or misconduct through whistleblowing schemes
- Possible limitation of the number of people who may be incriminated through whistleblowing schemes

Slide 55: 4. Whistleblowing and privacy
Anonymous reports
Not encouraged:
- does not prevent guessing who raised the concern
- harder to investigate: no follow-up
- the whistleblower is already protected
- may deteriorate the social climate
Slide 56: 4. Whistleblowing and privacy
Recommendations about anonymous reports:
- data should be collected fairly: only identified reports should be allowed
- but WP 29 accepts anonymous reports under some conditions:
  - do not encourage or advertise the possibility of anonymous reports
  - advertise the protection offered by the scheme
  - if, despite this information, the person reporting still wants to remain anonymous, the report will be accepted
- Difference in investigating the anonymous report?

Slide 57: 4. Whistleblowing and privacy
Proportionality and accuracy of data collected and processed
- Should be restricted to the minimum and to what is necessary under the relevant obligation
- If data fall outside the scope of whistleblowing: find another basis for a legitimate purpose
- See the "document d'orientation" of CNIL: some data are subject to a "décision d'autorisation unique"; if the purpose, the data or the process is out of the scope of the document, the standard rules apply

Slide 58: 4. Whistleblowing and privacy
Strict data retention period
- Recommendation: 2 months after completion of the investigation
- Can be longer if:
  - legal proceedings involving the incriminated person or the whistleblower
  - national rules relating to archiving of data

Slide 59: 4. Whistleblowing and privacy
Information about:
- the existence, purpose and functioning of the scheme
- the recipients of the reports and the rights of access, rectification and erasure
- confidentiality of the person reporting
- possibility of a sanction in case of abuse

Slide 60: 4. Whistleblowing and privacy
Information of the data subject:
- the entity responsible for the whistleblowing scheme
- the facts he is accused of
- the departments or services which might receive the report within his own company or in other entities or companies of the group of which the company is part
- how to exercise his rights of access and rectification

Slide 61: 4. Whistleblowing and privacy
PROBLEM: informing the incriminated individual may jeopardise the ability of the company to effectively investigate or gather the necessary evidence
SOLUTION: the information of the incriminated individual may be delayed as long as such a risk exists

Slide 62: 4. Whistleblowing and privacy
Rights of access, rectification and erasure
- Here again, these rights may be restricted on a case-by-case basis in order to ensure the protection of the people involved in the scheme
- Under no circumstances can the person accused obtain information about the whistleblower on the basis of his right of access, except in case of a false statement
Slide 63: 4. Whistleblowing and privacy
- All reasonable technical and organisational measures to preserve the security of the data
- Confidentiality of reports must be guaranteed
- Use of dedicated means in order to prevent any diversion from its original purpose

Slide 64: 4. Whistleblowing and privacy
a) Specific internal organisation
- dedication of a group or department to handling whistleblowing and leading investigations
- the system should be strictly separated from other departments
- information only transmitted to other people specifically responsible

Slide 65: 4. Whistleblowing and privacy
b) Possibility of using external providers
- Possible use of external providers (specialised companies, call centres, law firms)
- Companies still remain responsible for the processing of the data
- Obligation of a contract containing specific clauses for compliance with the principles of the Directive

Slide 66: 4. Whistleblowing and privacy
c) Principle of investigation in the EU companies and exceptions
- Proportionality principle: take the nature and seriousness of the alleged offence into account to determine at what level, and in what country, assessment of the report should take place
- As a rule, the Article 29 WP believes that groups should deal with reports locally
- Some exceptions, however: data received through a whistleblowing system may be communicated within the group if such communication is necessary for the investigation, depending on the nature or the seriousness of the reported misconduct, or results from how the group is set up

Slide 67: 4. Whistleblowing and privacy
Transfer to third countries
- Transfers are likely to occur for EU affiliates of third-country companies
- General principle: transfer only allowed to a country with an adequate level of protection

Slide 68: 4. Whistleblowing and privacy
What if the third country does not ensure an adequate level of protection?
Data may be transferred on the following grounds:
- where the recipient of the personal data is an entity established in the US that has subscribed to the Safe Harbor scheme;
- where the recipient has entered into a transfer contract with the EU company transferring the data, by which the latter adduces adequate safeguards, for example based on the standard contractual clauses issued by the European Commission in its Decisions of 15 June 2001 or 27 December 2004;
- where the recipient has a set of binding corporate rules in place which have been duly approved by the competent data protection authorities.

Slide 69: CONCLUSION
- Assessment of privacy laws vs. whistleblowing laws on a case-by-case basis
- Different approach in each country towards combining privacy and recruitment rules
- Orientation papers (CNIL, WP 29, BCR): efforts to harmonise and to give guidance for business
- Unexpected effect: SOX makes companies respect privacy laws because they have to pay attention to data protection laws