Latin America - The Ethics of Gathering Employee Data
In Latin America, most countries now have data protection legislation which helps employers determine what new technologies should or shouldn't be implemented in the workplace, while employees have certain rights that can allow them to minimize the collection of their personal data and restrict how it is processed.
In Mexico, the right to data protection was established in the Constitution in 2009. In 2010, the Federal Law on Protection of Personal Data Held by Private Parties was enacted and in subsequent years, regulations of the law and several guidelines on the matter were also issued.
This comprehensive legislation applies at a federal level and not on a state-by-state basis. The country has an independent Data Protection Authority—the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI)—that oversees the enforcement of the data protection laws and promotes best practices across the country. Among the obligations the legislation establishes for data controllers is the requirement to provide a privacy notice to data subjects where data protection practices are clearly explained to employees. The notice must specify clearly why the data is being processed, such as for the payment of wages, and what could be considered voluntary data processing, such as data obtained from the implementation of new technologies, including wearable devices.
While processing data for conventional purposes does not require consent from employees, consent for processing data for additional purposes is required. Another obligation is to allow data subjects, in this case, employees, the exercise of their rights over personal data (i.e. access, rectification, cancellation, objection, etc.). These obligations are basic when looking at technology in the employment context; however, they are not the only ones. While there have been some disputes relating to the processing of employees' personal data in Mexico, they have concerned matters relating to the requirement for consent and privacy notices and none have involved the use of new technologies in the workplace so far. Indeed, lawyers are waiting to see how the right to data protection develops and is strengthened with resolutions by INAI and the local courts. For many, the use of new technologies and analysis of data in the labor context can be beneficial for both employees and employers, providing there is a clear understanding of what is legal and ethical.
Local laws in Colombia establish two fundamental personal data rights: the right to privacy and the right to data rectification. Similar to the EU's General Data Protection Regulation (GDPR), regulations in Colombia are based on the principle that the processing of private, semi-private and sensitive personal data requires the data subject's prior, express and informed consent.
Even if employees expect little privacy while on company premises or when using company equipment, there have been several decisions in Colombian courts recognizing minimum privacy, or tolerable personal use for employees using internal hardware or software tools. Since the gathering of employee data from these new tools has not been directly regulated by local employment law, but broadly regulated by constitutional and GPDR law, nowadays employers have the responsibility for setting specific limits that can solve the tension between productivity and the fundamental rights of employees, starting from the principle that the gathering of information must respond to legitimate and ethical interests.
Chilean legislation includes several rules on the protection of personal data applicable to an employment relationship, which help mitigate the ethical problems that may arise for the employer. The Political Constitution of the Chilean Republic, Law No. 19,628 regarding the protection of private life or personal information, and the Labor Code contain the most important provisions relating to gathering employee data in Chile.
Article 19 No. 4 of the Chilean Constitution provides the protection of personal data as a constitutional right. This rule guarantees the respect and protection of private life and the honor of the person and their family, and also, the protection of their personal data.
Law No. 19,628 states that personal data may only be processed when determined by law or when the owner of the data gives written consent, in this case, the employee. The law also provides that the employee must be informed about the purpose of the processing of their personal data and its possible communication to the public. However, there are exceptions to this provision. Authorization is not required when private entities process personal data for their own exclusive use or that of their agents and affiliates, and it is for their own benefit. This applies to companies when processing employee data for their own exclusive internal use.
According to the law, personal data relates to 'any information concerning individuals, identified or identifiable.' This includes basic human resources data, such as, but not limited to, the employee's name, date of birth or age, date of starting employment, remuneration and benefits, home address, marital status, number of dependent children, national registration number or identity card number, social insurance number, employee number, position in the organization, evaluations and complaints.
On the other hand, the processing of sensitive personal data is prohibited. Data considered to be sensitive may only be processed when determined by law, when the data owner gives written consent, or for obtaining health benefits, like those necessary for granting complementary health insurance to employees.
Sensitive personal data is defined in Chilean law as information regarding a person's physical or moral characteristics, and facts or circumstances of their private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sexuality.
Chilean labor legislation expressly states that it is the employer's responsibility to respect the guarantees of the constitution within the framework of labor relations in the company, ensuring the protection of employee data and especially the employee's rights to privacy. In this context, article 154-bis of the Labor Code sets forth the employer's confidentiality obligation to keep all information and private data related to its employees safe.