Recruitment practices versus privacy and anti-discrimination laws. Romain Robert Avocat ULYS email@example.com. Introduction. 1. General principles of privacy law 2. Anti-discrimination laws in Europe 3. Application to recruitment procedures 4. Whistleblowing and privacy.
General principles of privacy law European legal framework: • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data • Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
General principles of privacy law Obligation to notify the processing to the national privacy commission Where? - in the Member State where the processor is established (can be one country or more) - if established outside the EU: use of equipment in a Member State (except for transit purposes)
General principles of privacy law What is « personal data »? « any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity » (e.g.: IP address, cookie, rare know-how, name, email, ...)
General principles of privacy law PERSONAL DATA MUST BE (cf. Directive): (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (c) adequate, relevant and not excessive in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; (e) not kept longer than is necessary for the purposes for which the data were processed.
General principles of privacy law CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE (a) the data subject has unambiguously given his consent (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection
1. General principles of privacy law SENSITIVE PERSONAL DATA • revealing racial or ethnic origin • political opinions • religious or philosophical beliefs • trade-union membership • physical or mental health • sexual life • data relating to offences or alleged offences, criminal convictions or security measures • Extra protection (in principle: no processing allowed – some exceptions) • These data are very similar to the ones used as a basis for anti-discrimination laws
General principles of privacy law INFORMATION TO BE GIVEN TO THE DATA SUBJECT (a) identity of the controller (or his representative) (b) the purposes of the processing for which the data are intended (c) any further information such as - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him
1. General principles of privacy law THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA • Right of access • Right to prevent processing where there is justified objection • Right to prevent processing for the purpose of direct marketing • Right in relation to automated decision-taking • Right to take action to block, rectify, destroy or erase inaccurate data
1. General principles of privacy law SECURITY OF PROCESSING • appropriate technical and organizational measures to protect personal data against • accidental or unlawful destruction or access • accidental loss, destruction or damage • alteration, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. • level of protection depending on: • state of the art and the cost of their implementation • risks represented by the processing • nature of the data to be protected.
1. General principles of privacy law TRANSFER TO THIRD COUNTRIES Prohibition of such transfers Main exceptions: • Countries providing an adequate level of protection • Consent of the data subject • Appropriate contractual clauses • Binding corporate rules (BCR)
2. Anti-discrimination laws European legal framework: • « Racial Equality Directive » (COUNCIL DIRECTIVE 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin) • « Employment framework Directive » (COUNCIL DIRECTIVE 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation)
2. Anti-discrimination laws The Racial Equality Directive 2000/43/EC • equal treatment between people irrespective of racial or ethnic origin. • protection: • in employment and training, education, social protection (including social security and healthcare), social advantages, membership and involvement in organisations of workers and employers and • access to goods and services, including housing. • definitions of direct and indirect discrimination and harassment • prohibits the instruction to discriminate and victimisation • allows for positive action measures to be taken, in order to ensure full equality in practice.
2. Anti-discrimination laws • complaint through a judicial or administrative procedure, associated with appropriate penalties for those who discriminate. • limited exceptions to the principle of equal treatment (e.g. where a difference in treatment on the ground of race or ethnic origin constitutes a genuine occupational requirement) • Shares the burden of proof between the complainant and the respondent: • an alleged victim establishes facts from which it may be presumed that there has been discrimination • it is for the respondent to prove that there has been no breach of the equal treatment principle. • Establishment in each Member State of an organisation to promote equal treatment and provide independent assistance to victims of racial discrimination.
2. Anti-discrimination laws Employment framework Directive 2000/78/EC • equal treatment in employment and training irrespective of • religion or belief, • disability • age • sexual orientation • Protection in employment, training and membership and involvement in organisations of workers and employers (narrower scope than the Racial Equality Directive)
2. Anti-discrimination laws • Identical provisions to the Racial Equality Directive on definitions of discrimination and harassment, the prohibition of instruction to discriminate and victimisation, on positive action, rights of legal redress and the sharing of the burden of proof. • Requires employers to make reasonable accommodation to enable a person with a disability who is qualified to do the job in question to participate in training or paid labour. • limited exceptions to the principle of equal treatment (e.g. where the ethos of a religious organisation needs to be preserved, or where an employer legitimately requires an employee to be from a certain age group to be recruited)
2. Anti-discrimination laws FRANCE Legal framework : • Criminal Code: discrimination is set out as a criminal offense • Loi n°2001-1066 of 16/11/2001 (for work relationships) • Loi n°2004-1486 of 30/12/2004 (broader scope e.g. housing)
2. Anti-discrimination laws Criteria upon which discrimination is assessed: Age, sex, origin, marital status, sexual orientation, sex life, moral standards, genetic characteristics, effective or supposed ethnic origin, nation, or race, physical appearance, handicap, health condition, patronymic name, political or religious beliefs, membership of a trade union. Close to sensitive data as defined under the Data Protection Directive
2. Anti-discrimination laws National body for anti-discrimination: HALDE (Haute Autorité de Lutte contre les Discriminations et pour l’Egalité)
2. Anti-discrimination laws BELGIUM Legal framework: • Loi du 25 février 2003 tendant à lutter contre la discrimination • Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs • Loi du 30 juillet 1981 tendant à réprimer certains actes inspirés par le racisme ou la xénophobie • Prohibition on setting an age limit during recruitment and selection (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l’emploi) • Regional decrees
2. Anti-discrimination laws Convention Collective n°38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs: • Information regarding the proposed job: • Nature and function • Requirements • Location • Intention to create a recruitment database (for the future) • The solicitation mode • Obligation to respect privacy rights (including the prohibition on asking questions not relevant to the function) • Obligation of confidentiality
2. Anti-discrimination laws Prohibition on imposing an age limit for recruitment (Chapitre II de la loi du 13 février 1998 portant des dispositions en faveur de l’emploi) Some exceptions: - legal basis - Royal Decrees
3. Application to recruitment procedures Recruitment and selection Privacy law principles Anti-discrimination policy
A. Recruitment and selection See Employment Practice Code (Information Commissioner’s Office - UK) 1. Advertising • Inform the individuals who will provide the information • of the name of the organisation in the recruitment advertisements • how the information will be used (unless it is self-evident) • Recruitment agencies should identify themselves and mention how the information will be disclosed and to whom • When receiving information about an individual, ensure that the applicants are aware of the name of the organisation holding their information
A. Recruitment and selection 2. Applications • Application forms: state to whom the information will be provided and how it will be used • Only seek personal information that is relevant to the recruitment decision to be made
A. Recruitment and selection CNIL deliberation 21 March 2002 on the collection of personal data in a recruitment procedure: • Elaboration with Syndicat du Conseil en recrutement Syntec: standard questionnaire (model for recruitment sector professionals) • The Commission established a list of personal data that should not be considered as adequate and proportionate (according to Privacy law) :
A. Recruitment and selection • date of arrival in France • date of naturalization • how the nationality was acquired • prior nationality • social security number • military status • prior address • familial surrounding • health condition, weight, eyesight, height • housing details (landlord, occupant) • involvement in an association • automatic bank orders • loans
A. Recruitment and selection • Explain the sources from which information may be obtained about the applicant in addition to the information directly supplied • When collecting sensitive data: • Ensure the purpose satisfies one of the sensitive data conditions • Assess whether the information is relevant or not • Assess whether the information is necessary at this stage of the recruitment process • According to CNIL: even consent is not enough if the data are not necessary • Provide a secure method for sending applications • E.g.: limit the number of people able to receive the information
A. Recruitment and selection 3. Information of the applicant (cf. CNIL) • indicate whether replies are mandatory or voluntary and the consequence of the failure to reply • retention period of the data • whether the information will be communicated to a third party and the name of this party (e.g. anonymous employer) • Information and consent of the applicant is mandatory in this case • what recruitment methods are used. The results must be kept confidential.
A. Recruitment and selection 4. Verification of the information • Explain the nature of the verification of the information and the methods used to carry it out • E.g. indicate what external sources could be used (current employer) • Restrict the use of a disclosure from the criminal record • Only if necessary to protect business, customers, clients or others • Only at an advanced stage when the applicant is about to be appointed • Ensure to have the applicant’s consent to obtain documents from external sources • Give the applicant the opportunity to explain any inconsistencies that are discovered • According to CNIL: obtaining information from current employers can be carried out if the applicant is informed
A. Recruitment and selection 5. Short-listing • Be consistent with the applicable rules with regard to selection and recruitment (see above) • If an automated short-listing system is used: • inform the applicant • give him the right to make representations
A. Recruitment and selection 6. Interviews • Inform the applicant that they can have access to their interview notes • Destroy notes after reasonable time • Inform the applicant on how the information and notes will be stored
A. Recruitment and selection 7. Vetting (privacy intrusion) • Only if significant risk involved • vetting must be justified • not justified for just any job: case-by-case selection • only at a late stage • Inform the applicant • of the vetting procedure • make clear to what extent information about the applicant will be released
A. Recruitment and selection 8. Retention of recruitment records • Establish a retention period for recruitment records based on a clear business need • Regularly destroy information obtained from a recruitment process if not needed • Inform the applicant that the collected information can be retained for future vacancies (if appropriate) and ask for the applicant’s consent • Ensure that the information is securely stored or destroyed
B. Privacy law principles (See CNIL recommendation) Access right: the applicant has the right to ask to access the information collected about him Right to rectify the data: if the data are not correct or have changed, the applicant has the right to ask for the rectification
B. Privacy law principles Prohibition on using the data for purposes other than recruitment, e.g.: • no commercial purposes without the applicant’s consent • no emailing without opt-in • no transfer to third parties
B. Privacy law principles • Notify the processing to the national authority • No decision based solely on automated processing of data: human intervention + inform the applicant of the reasoning
B. Privacy law principles Prohibition of transfer to third countries Main exceptions: • Countries providing an adequate level of protection • Consent of the data subject • Appropriate contractual clauses • Binding corporate rules (BCR)
B. Privacy law principles Binding Corporate Rules (BCR) 2 WP 29 documents were adopted on 14 April 2005 “Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules”
B. Privacy law principles “Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules” • Recognizes BCR as an appropriate means for protection of personal data • Authorization has to be filed with one national authority • Several criteria to determine the most appropriate authority • Main criterion: establishment of the operational headquarters • Several pieces of information have to be supplied • Contact details • Justification of the choice of the data protection authority • Binding corporate rules
B. Privacy law principles • Evidence that the measures are legally binding • Within the organisation (codes, corporate or contract rules, statutory codes, employment contract,…) • Externally for the benefit of individuals • Effective judicial remedy in one Member State • Effective financial resources if breach of the BCR
B. Privacy law principles • What the BCR should contain and provide • Nature of the data • Purpose of the processing • Extent of the transfer • Identify any member of the group from which and to which data can be transferred • Transparency and fairness to data subjects • Purpose limitation • Data quality • Security • Right of access, rectification and objection
C. Anti-discrimination policy See CNIL 9/7/2005 Internal anti-discrimination policy may be a legitimate purpose e.g.: statistical tools/surveys regarding diversity in a company
C. Anti-discrimination policy What data may be collected for this purpose ? • Name and surname • Nationality • Prior nationality • Place of birth • Nationality of the parents • Address • NOT ethnic or racial information
C. Anti-discrimination policy Internal policy to be discussed applying relevant legislation defining criteria
C. Anti-discrimination policy Conditions: • Sole purpose: anti-discrimination policy • Prohibition on searching for and finding out the ethnic-racial origin !!! • Information of the employees about the purposes, the means, their rights • Processing by a limited number of people and with a secured computer environment • Statistical and anonymous data • Destruction after obtaining statistical results
C. Anti-discrimination policy Anonymous CV French act on Equal opportunity (loi n° 2006-396 du 31 mars 2006) • Imposes the use of anonymous CVs for companies with more than 50 employees • Data such as name, surname, email, pictures, sex, age, address • The data will be processed and the first contact will be made via a third party (independent agency or internal entity)
4. Whistleblowing and privacy Whistleblowing schemes are imposed by several laws with respect to accounting, auditing matters, fight against bribery, banking and financial crime Present in several European national laws (fight against fraud) but main act : Sarbanes-Oxley Act
4. Whistleblowing and privacy SOX: • “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuers of concerns regarding questionable accounting or auditing matters” • protection of the employees of publicly traded companies who provide evidence of fraud from retaliatory measures taken against them Applicable to all US companies and EU-based affiliates Provisions mirrored in the NASDAQ and NYSE rules.