Recruitment practices versus privacy and anti-discrimination laws

Recruitment practices versus privacy and anti-discrimination laws. Romain Robert, Avocat, ULYS, [email protected]


Transcript of Recruitment practices versus privacy and anti-discrimination laws

Page 1: Recruitment practices  versus  privacy and anti-discrimination laws

Recruitment practices versus

privacy and anti-discrimination laws

Romain Robert, Avocat, ULYS

[email protected]

Page 2: Recruitment practices  versus  privacy and anti-discrimination laws

Introduction

1. General principles of privacy law

2. Anti-discrimination laws in Europe

3. Application to recruitment procedures

4. Whistleblowing and privacy

Page 3: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

European legal framework:

– Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

– Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communication sector (Directive on privacy and electronic communications)

Page 4: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

Obligation to notify the processing to the national privacy commission

Where?

- in the Member State where the processor is established (can be one country or more)

- if established outside the EU: in the Member State where equipment is used (except for transit purposes)

Page 5: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

What is « personal data »?

« any information relating to an identified natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity »

(e.g. IP address, cookie, rare know-how, name, email, ...)

Page 6: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

PERSONAL DATA MUST BE (cf. Directive):

(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) not kept longer than is necessary for the purposes for which the data were processed.

Page 7: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

(a) the data subject has unambiguously given his consent
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection

Page 8: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

SENSITIVE PERSONAL DATA

• revealing racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade-union membership
• physical or mental health
• sexual life
• data relating to offences or alleged offences, criminal convictions or security measures

Extra protection (in principle: no processing allowed, with some exceptions)

These data are very similar to the ones used as a basis for anti-discrimination laws

Page 9: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

INFORMATION TO BE GIVEN TO THE DATA SUBJECT

(a) identity of the controller (or his representative)
(b) the purposes of the processing for which the data are intended
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data concerning him

Page 10: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA

– Right of access
– Right to prevent processing where there is justified objection
– Right to prevent processing for the purpose of direct marketing
– Right in relation to automated decision-taking
– Right to take action to block, rectify, destroy or erase inaccurate data

Page 11: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

SECURITY OF PROCESSING

• appropriate technical and organizational measures to protect personal data against
– accidental or unlawful destruction or access
– accidental loss, destruction or damage
– alteration, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

• level of protection depending on:
– state of the art and the cost of their implementation
– risks represented by the processing
– nature of the data to be protected.

Page 12: Recruitment practices  versus  privacy and anti-discrimination laws

1. General principles of privacy law

TRANSFER TO THIRD COUNTRIES

Prohibition of such transfers

Main exceptions:

• Countries providing an adequate level of protection

• Consent of the data subject

• Appropriate contractual clauses

• Binding corporate rules (BCR)

Page 13: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

European legal framework:

• « Racial Equality Directive » (COUNCIL DIRECTIVE 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin)

• « Employment framework Directive » (COUNCIL DIRECTIVE 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation)

Page 14: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

The Racial Equality Directive 2000/43/EC

• equal treatment between people irrespective of racial or ethnic origin.
• protection:
– in employment and training, education, social protection (including social security and healthcare), social advantages, membership and involvement in organisations of workers and employers and
– access to goods and services, including housing.
• definitions of direct and indirect discrimination and harassment
• prohibits the instruction to discriminate and victimisation
• allows for positive action measures to be taken, in order to ensure full equality in practice.

Page 15: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

• complaint through a judicial or administrative procedure, associated with appropriate penalties for those who discriminate.

• limited exceptions to the principle of equal treatment (e.g. where a difference in treatment on the ground of race or ethnic origin constitutes a genuine occupational requirement)

• Shares the burden of proof between the complainant and the respondent:
– an alleged victim establishes facts from which it may be presumed that there has been discrimination
– it is for the respondent to prove that there has been no breach of the equal treatment principle.
• Establishment in each Member State of an organisation to promote equal treatment and provide independent assistance to victims of racial discrimination.

Page 16: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

Employment framework Directive 2000/78/EC

• equal treatment in employment and training irrespective of
– religion or belief
– disability
– age
– sexual orientation

• Protection in employment, training and membership and involvement in organisations of workers and employers (narrower scope than the Racial Equality Directive)

Page 17: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

• Identical provisions to the Racial Equality Directive on definitions of discrimination and harassment, the prohibition of instruction to discriminate and victimisation, on positive action, rights of legal redress and the sharing of the burden of proof.

• Requires employers to make reasonable accommodation to enable a person with a disability who is qualified to do the job in question to participate in training or paid labour.

• limited exceptions to the principle of equal treatment (e.g. where the ethos of a religious organisation needs to be preserved, or where an employer legitimately requires an employee to be from a certain age group to be recruited)

Page 18: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

FRANCE

Legal framework:
• Criminal Code: discrimination is set out as a criminal offense
• Loi n°2001-1066 of 16/11/2001 (for work relationships)
• Loi n°2004-1486 of 30/12/2004 (broader scope, e.g. housing)

Page 19: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

Criteria upon which discrimination is assessed:

Age, sex, origin, marital status, sexual orientation, sex life, moral standards, genetic characteristics, effective or supposed ethnic origin, nation, or race, physical appearance, handicap, health condition, patronymic name, political or religious beliefs, membership of a trade union

Close to sensitive data as defined under the Data Protection Directive

Page 20: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

National body for anti-discrimination:

HALDE

(Haute Autorité de Lutte contre les Discriminations et pour l’Egalité)

Page 21: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

BELGIUM

Legal framework:

• Loi du 25 février 2003 tendant à lutter contre la discrimination
• Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs
• Loi du 30 juillet 1981 tendant à réprimer certains actes inspirés par le racisme ou la xénophobie
• Prohibition on setting an age limit in recruitment and selection (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l’emploi)

• Regional decrees

Page 22: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs:

- Information regarding the proposed job:
  - Nature and function
  - Requirements
  - Location
  - Intention to create a recruitment database (for the future)
  - The solicitation mode

- Obligation to respect privacy rights (including the prohibition on asking questions not relevant to the function)

- Obligation of confidentiality

Page 23: Recruitment practices  versus  privacy and anti-discrimination laws

2. Anti-discrimination laws

Prohibition on imposing an age limit for recruitment (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l’emploi)

Some exceptions:

- legal basis

- Royal Decrees

Page 24: Recruitment practices  versus  privacy and anti-discrimination laws

3. Application to recruitment procedures

A. Recruitment and selection

B. Privacy law principles

C. Anti-discrimination policy

Page 25: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

See Employment Practice Code (Information Commissioner’s Office - UK)

1. Advertising

• Inform the individuals who will provide the information
– of the name of the organisation in the recruitment advertisements
– how the information will be used (unless it is self-evident)

• Recruitment agencies should identify themselves and mention how the information will be disclosed and to whom

• When receiving information about an individual, ensure that the applicants are aware of the name of the organisation holding their information

Page 26: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

2. Applications

• Application forms: state to whom the information will be provided and how it will be used

• Only seek personal information that is relevant to the recruitment decision to be made

Page 27: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

CNIL deliberation 21 March 2002 on the collection of personal data in a recruitment procedure:

• Elaboration with Syndicat du Conseil en recrutement Syntec: standard questionnaire (model for recruitment sector professionals)

• The Commission established a list of personal data that should not be considered as adequate and proportionate (according to Privacy law) :

Page 28: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

• date of arrival in France
• date of naturalization
• how the nationality was acquired
• prior nationality
• social security number
• military status
• prior address
• family environment
• health condition, weight, eyesight, height
• housing details (landlord, occupant)
• involvement in an association
• automatic bank orders
• loans

Page 29: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

• Explain the sources from which information may be obtained about the applicant in addition to the information directly supplied

• When collecting sensitive data:
– Ensure the purpose satisfies one of the sensitive data conditions
– Assess whether the information is relevant or not
– Assess whether the information is necessary at this stage of the recruitment process
– According to CNIL: even consent is not enough if the data are not necessary

• Provide a secure method for sending applications
– E.g.: limit the number of people able to receive the information

Page 30: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

3. Information of the applicant (cf. CNIL)

• indicate whether replies are mandatory or voluntary and the consequence of the failure to reply
• retention period of the data
• whether the information will be communicated to a third party and the name of this party (e.g. anonymous employer)
– Information and consent of the applicant is mandatory in this case

• what recruitment methods are used. The results must be kept confidential.

Page 31: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

4. Verification of the information

• Explain the nature of the verification of the information and the methods used to carry it out
– E.g. indicate what external sources could be used (current employer)

• Restrict the use of a disclosure from the criminal record
– Only if necessary to protect business, customers, clients or others
– Only at an advanced stage when the applicant is about to be appointed

• Ensure that you have the applicant’s consent to obtain documents from external sources

• Give the applicant the opportunity to explain any inconsistencies that are discovered

• According to CNIL: obtaining information from current employers can be carried out if the applicant is informed

Page 32: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

5. Short-listing

• Be consistent with the applicable rules with regard to selection and recruitment (see above)

• If an automated short-listing system is used:
– inform the applicant
– give him the right to make representations

Page 33: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

6. Interviews

• Inform the applicant that they can have access to their interview notes

• Destroy notes after reasonable time

• Inform the applicant on how the information and notes will be stored

Page 34: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

7. Vetting (privacy intrusion)

• Only if significant risk involved
– vetting must be justified
– not justified for just any job: selection case-by-case
– only at a late stage

• Inform the applicant
– of the vetting procedure
– make clear to what extent information about the applicant will be released

Page 35: Recruitment practices  versus  privacy and anti-discrimination laws

A. Recruitment and selection

8. Retention of recruitment records

• Establish a retention period for recruitment records based on a clear business need
• Regularly destroy information obtained from a recruitment process if not needed
• Inform the applicant that the collected information can be retained for future vacancies (if appropriate) and ask for the applicant’s consent

• Ensure that the information is securely stored or destroyed

Page 36: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

(See CNIL recommendation)

Access right: the applicant has the right to ask to access the information collected about him

Right to rectify the data: if the data are not correct or have changed, the applicant has the right to ask for the rectification

Page 37: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

Prohibition to use the data for other purposes than recruitment

e.g.: no commercial purposes without applicant’s consent

no emailing without opt-in

no transfer to third parties

Page 38: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

Notify the processing to the national authority

No decision based solely on automated processing of data: human intervention + inform the applicant of the reasoning

Page 39: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

Prohibition of transfer to third countries

Main exceptions:

• Countries providing an adequate level of protection

• Consent of the data subject

• Appropriate contractual clauses

• Binding corporate rules (BCR)

Page 40: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

Binding Corporate Rules (BCR)

2 WP 29 documents were adopted on 14 April 2005

“Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules”

Page 41: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

“Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules”

• Recognizes BCR as an appropriate means for protection of personal data

• Authorization has to be filed with one national authority
– Several criteria to determine the most appropriate authority
– Main criterion: establishment of the operational headquarters

• Several items of information have to be supplied
– Contact details
– Justification of the choice of the data protection authority
– Binding corporate rules

Page 42: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

• Evidence that the measures are legally binding
– Within the organisation (codes, corporate or contract rules, statutory codes, employment contract, …)
– Externally for the benefit of individuals

• Effective judicial remedy in one Member State

• Effective financial resources if breach of the BCR

Page 43: Recruitment practices  versus  privacy and anti-discrimination laws

B. Privacy law principles

• What the BCR should contain and provide
– Nature of the data
– Purpose of the process
– Extent of the transfer
  • Identify any member of the group from which and to which data can be transferred
– Transparency and fairness to data subjects
– Purpose limitation
– Data quality
– Security
– Right of access, rectification and objection

Page 44: Recruitment practices  versus  privacy and anti-discrimination laws

C. Anti-discrimination policy

See CNIL 9/7/2005

Internal anti-discrimination policy may be a legitimate purpose

e.g.: statistical tools/surveys regarding diversity in a company

Page 45: Recruitment practices  versus  privacy and anti-discrimination laws

C. Anti-discrimination policy

What data may be collected for this purpose?

• Name and surname
• Nationality
• Prior nationality
• Place of birth
• Nationality of the parents
• Address
• NOT ethnic or racial information

Page 46: Recruitment practices  versus  privacy and anti-discrimination laws

C. Anti-discrimination policy

Internal policy to be discussed

applying relevant legislation

defining criteria

Page 47: Recruitment practices  versus  privacy and anti-discrimination laws

C. Anti-discrimination policy

Conditions:

• Sole purpose: anti-discrimination policy
• Prohibition to search and find out the ethnic-racial origin !!!
• Information of the employees about the purposes, the means, their rights
• Processing by a limited number of people and with a secured computer environment
• Statistical and anonymous data
• Destruction after obtaining statistical results

Page 48: Recruitment practices  versus  privacy and anti-discrimination laws

C. Anti-discrimination policy

Anonymous CV

French act on Equal opportunity (loi n° 2006-396 du 31 mars 2006)

• Imposes the use of anonymous CV for companies of more than 50 employees

• Data such as name, surname, email, pictures, sex, age, address

• The data will be processed and the first contact will be made via a third party (independent agency or internal entity)

Page 49: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Whistleblowing schemes are imposed by several laws with respect to accounting, auditing matters, fight against bribery, banking and financial crime

Present in several European national laws (fight against fraud) but main act : Sarbanes-Oxley Act

Page 50: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

SOX:

– “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuers of concerns regarding questionable accounting or auditing matters”

– protection of the employees of publicly traded companies who provide evidence of fraud from retaliating measures taken against them

Applicable to all US companies and EU-based affiliates

Provisions mirrored in the NASDAQ and NYSE rules.

Page 51: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

SOX vs. privacy:

• “Document d’orientation” adopted by CNIL (10 November 2005)

• Opinion 1/2006 of Article 29 working party on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime

Page 52: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Legitimacy of whistleblowing systems ?

• legal obligation to which the controller is subject (article 7 c Directive)
– Only by virtue of EU or EU Member State legislation: several national laws on combating bribery, …
– SOX may not be considered as a legitimate basis on this basis for legitimacy of the purpose

Page 53: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

• Purpose of legitimate interest pursued by the controller (article 7 f Directive)
– For the Member States where no whistleblowing obligations are imposed, good corporate governance is considered as a legitimate interest of the companies (see OECD, EU positions)
– However, article 7 f requires a balance to be struck between the legitimate interest of the processor and the fundamental rights of the data subject (balance of interests)

Page 54: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Adequacy, proportionality and quality of the data?

• Possible limitation of the number of people entitled to report alleged improprieties or misconduct through whistleblowing schemes

• Possible limitation of the number of people who may be incriminated through whistleblowing schemes

Page 55: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Anonymous reports

• Not encouraged:
– Does not prevent others from guessing who raised the concern
– Harder to investigate: no follow-up
– Whistleblower already protected
– May deteriorate social climate

Page 56: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Recommendations about anonymous reports:

• data should be collected fairly: only identified reports should be allowed
• But WP 29 accepts anonymous reports under some conditions:
– Neither encourage nor advertise the possibility of anonymous reports
– Advertise the protection offered by the scheme

• If, despite this information, the person reporting still wants to remain anonymous, the report will be accepted

• Difference in investigating the anonymous report?

Page 57: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Proportionality and accuracy of data collected and processed

• Should be restricted to the minimum and to what is necessary under the relevant obligation

• If data are out of the scope of whistleblowing: find another basis for legitimate purpose

• See “document d’orientation” of CNIL: some data are subject to a “décision d’autorisation unique”. If the purpose, the data or the process is out of the scope of the document, standard rules apply

Page 58: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Strict data retention period

Recommendation: 2 months after completion of investigation

Can be longer if:
– legal proceedings against the incriminated person or the whistleblower
– National rules relating to archiving of data

Page 59: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Information about

– the existence, purpose and functioning of the scheme
– the recipients of the reports and the right of access, rectification and erasure
– confidentiality of the person reporting
– Possibility of a sanction if abuse

Page 60: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Information of the data subject

• Entity responsible for the whistleblowing scheme
• The facts he is accused of
• The department or services which might receive the report within his own company or in other entities or companies of the group of which the company is part
• How to exercise his right of access and rectification

Page 61: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

PROBLEM

That would jeopardize the ability of the company to effectively investigate or gather the necessary evidence

SOLUTION

The information of the incriminated individual may be delayed as long as such risk exists

Page 62: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Right of access, rectification and erasure

Here again, these rights may be restricted in order to ensure the protection of the people involved in the scheme on a case-by-case basis

Under no circumstances can the person accused obtain information about the whistleblower on the basis of his right of access, except in case of false statement!!

Page 63: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

All reasonable technical and organizational measures to preserve the security of the data

Confidentiality of reports must be guaranteed

Use of dedicated means in order to prevent any diversion from its original purpose

Page 64: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

a) Specific internal organization

• dedication of a group or department to handling whistleblowing and leading investigation

• the system should be strictly separated from other departments

• information only transmitted to other people specifically responsible

Page 65: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

b) Possibility of using external providers

• Possible use of external providers (specialised companies, call centers, law firms)

• Companies still remain responsible for the processing of the data

• Obligation of a contract containing specific clauses for compliance with the principles of the Directive

Page 66: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

c) Principle of investigation in the EU companies and exceptions

• Proportionality principle: take into account the nature and seriousness of the alleged offense to determine at what level, and in what country, assessment of the report should take place

• As a rule, the Art. 29 WP believes that groups should deal with reports locally

• Some exceptions however: data received through a whistleblowing system may be communicated within the group
– if such communication is necessary for the investigation,
– depending on the nature or the seriousness of the reported misconduct, or results from how the group is set up

Page 67: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

Transfer to third countries

Transfers are likely to occur for EU affiliates of third country companies

General principle: transfer only allowed to a country with adequate level of protection

Page 68: Recruitment practices  versus  privacy and anti-discrimination laws

4. Whistleblowing and privacy

What if the third country does not ensure an adequate level of protection?

data may be transferred on the following grounds:

[1] where the recipient of personal data is an entity established in the US that has subscribed to the Safe Harbor Scheme;

[2] where the recipient has entered into a transfer contract with the EU company transferring the data by which the latter adduces adequate safeguards, for example based on the standard contract clauses issued by the European Commission in its Decisions of 15 June 2001 or 27 December 2004;

[3] where the recipient has a set of binding corporate rules in place which have been duly approved by the competent data protection authorities.

[4] binding corporate rules

Page 69: Recruitment practices  versus  privacy and anti-discrimination laws

CONCLUSION

Assessment of privacy laws vs. whistleblowing laws on a case by case basis

Different approach in each country towards combinations of privacy and recruitment rules

Orientation papers: CNIL, WP 29, BCR efforts to harmonize and to give guidance for business

Unexpected effect: SOX makes companies respect privacy laws because they have to pay attention to data protection laws

Page 70: Recruitment practices  versus  privacy and anti-discrimination laws

Thank you

Questions

Comments