Employees’ data protection in human resources management platforms

The adoption of cloud platforms for centralizing human resources data has become an efficient solution for multinational corporations. A single global registration database facilitates better human resources management and standardizes the procedures applied by all companies of the economic group. However, the use of cloud platforms for this purpose requires special care regarding the privacy and protection of the personal data of employees and candidates.

Even within the context of an employment relationship, the Brazilian Constitution (Article 5, X) guarantees the inviolability of privacy, private life, honour and image, and the right to compensation for economic and moral damages resulting from such violation. A number of laws such as the Civil Code (Article 20), Consumer Defense Code (Article 43) and the Brazilian Civil Rights Framework for the Internet (Law 12,965/2014) can be applied to the processing of human resources data.

However, the current legislative framework does not provide an adequate level of protection for personal data, nor does it guarantee legal certainty for the use of cloud platforms for human resources management. The Bill of Law 5,276/2015, currently in progress at Congress, aims to change this scenario by regulating the processing of personal data of Brazilian citizens, including data related to the employment relationship. This Bill of Law was inspired by the European Directive 95/46/EC and by the General Data Protection Regulation, the new regulation of the European Union for the protection of personal data, which will come into force in May 2018.

Although the approval of this Bill of Law is not foreseen, it is worth mentioning some principles that will govern the processing of personal data, which are set forth in Article 6 of the current wording of the Bill of Law and are widely adopted in foreign legislation: (i) finality, (ii) necessity, (iii) transparency, (iv) security and (v) nondiscrimination. Compliance with these principles is essential to give legitimacy to the use of cloud platforms for human resources management, as well as to avoid the use of this information by unauthorized third parties for purposes unrelated to the employment relationship.

Finality. The processing of personal information shall be carried out for legitimate, specific and informed purposes. In the context of an employment relationship, the employees’ information shall be used for the single purpose of managing human resources. This means that using the information in a manner incompatible with these specific purposes can lead to a risk of labor lawsuits regarding compensation for moral damages.

Necessity. The collection of personal information shall be limited to the minimum necessary to fulfill the above-mentioned purposes, which means that only data that is essential to human resources management and related to the employment relationship should be collected – i.e. name, date of admission, function, nationality, professional email, registration number, workplace, hierarchical superior, working hours – as well as other information concerning the professional person and not the employment relationship itself – i.e. gender, home address, home telephone, individual taxpayer number, ID number, and parentage.

Although information about salary is inherent to the employment relationship, it should be processed cautiously, with access restricted to certain persons, thus preventing the disclosure of employees’ salaries to other co-workers.

On the other hand, excessive data, which can lead to any form of discrimination, should not be collected, nor may it be transferred to cloud platforms. This is the case for data concerning performance, productivity, or even information related to possible criminal investigations or lawsuits, financial situation (e.g. default situations, registration in credit protection institutions, and loans), as well as data related to medical records (health condition and diseases).

Transparency. The employee must be properly informed about the purposes for which his/her data is processed; which data will be processed; how it will be used; and who is responsible for the processing. Most importantly, the employee must be aware of his/her rights to access, rectification, and suppression of incorrect data. If there is a need to disclose personal information to a third party, such as another company of the same economic group or the controller of the cloud platform, the prior express consent of the employee shall be obtained through clear and precise documentation.

Security. Personal information must be stored in a safe environment and access to it must be restricted to authorized personnel. In the context of an employment relationship, access should preferably be restricted to the human resources department. In addition, technical and administrative measures must be adopted to protect against unauthorized access and against accidental or unlawful destruction, loss, alteration and disclosure to third parties without consent. The Bill of Law 5,276/2016 seeks to create a regulatory body to monitor the protection of personal data, which will be in charge of defining technical safety standards, as well as the measures that should be taken in the event of incidents, such as notification to the data subject and the regulator; disclosure to the press; and implementation of measures to reverse or mitigate the effects of these incidents.

It is also worth mentioning that Decree 8,771/2016, which regulates the Brazilian Civil Rights Framework for the Internet, brought guidelines on the safety standards to be adopted for the protection, storage and processing of personal data and private communications, namely: (i) strict control over access to data; (ii) authentication mechanisms for access; (iii) creation of a detailed inventory of accesses to data records, encompassing the time, duration, and identity of the employee or person responsible for the access; and (iv) use of technical solutions to ensure the inviolability of data, such as cryptography or similar protection measures.

Nondiscrimination. The processing of personal data cannot take place for discriminatory purposes. In the context of an employment relationship, this principle means that the information collected from employees shall not be used for purposes which have the effect of nullifying or impairing equality of opportunity or treatment in employment or occupation. Yet it is not uncommon for candidates and employees to be treated differently on the basis of gender, skin color, age, sexual orientation, or political and religious views. For that reason, concerns about discrimination in the workplace were the subject of Convention No. 111 of the International Labor Organization, which obligates the signatory countries to develop and implement a national policy aimed at promoting equality of opportunity and treatment in respect of employment and occupation, with a view to eliminating any discrimination by using methods appropriate to national circumstances.

Therefore, it is worth pointing out that information about the performance and/or productivity of the employee, as well as sensitive data – i.e. racial or ethnic origin, religious, philosophic and political views, union memberships, and health, genetic and biometric data – shall not be collected and processed, on the grounds that the processing of such data may result in a negative valuation database accessible to third parties, creating a risk of labor lawsuits regarding compensation for moral damages.

In addition, the creation of databases with this kind of information has been subject to investigation by the Labour Prosecution Office, which, acting on anonymous complaints, has opened administrative inquiries and filed lawsuits to prevent the continuation of such databases, and has sought the employers’ condemnation for collective moral damages.