
By Javier Villanueva Walbey and Daniel Ramirez Herrera Lasso, from Cuesta Campos y Asociados S.C.

Mexican regulation on Data Protection and Labor matters has a very important impact on the operations of companies. Because employees are one of the most important assets in any corporation, Human Resources departments need to make sure they are hiring and managing the best talent for each position, from operational levels to managers. With this comes the responsibility of using personal data during the recruitment process, for the duration of the employment relationship and after its termination.

The Mexican Data Protection Office (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) has been actively trying to encourage compliance with Data Protection regulations. The following list provides key aspects to consider for the prevention of risks associated with the processing of personal information from candidates and employees.

1. Identification of processes in which personal data is used

Companies often operate without consciously knowing which departments of their organization use personal data, the processes that involve this information and the purposes for which the data is collected. This creates the risk that the company will not have the proper policies, security measures and documents to comply with Data Protection regulations; such risks can sometimes lead to economic and reputational damages. Every company should ask the following questions: What kind of personal data do I require from candidates or employees? How do I process personal data? Which departments handle such information? And for what purposes is the collected data being used?

Human Resources departments play an important role on this subject, as they obtain personal data from different candidates at a first stage. Once a candidate is selected and hired, the department administers the personal data required to comply with the employer-employee relationship. Companies, and Human Resources departments in particular, should implement a proper policy that regulates these processes, allowing them to respond to different situations in which personal data of an individual is required. This should include the response to more complex situations (e.g. conducting background checks of candidates, internal compliance investigations of certain employees, etc.).

2. Implementing a Privacy Notice

The Privacy Notice is the physical or electronic document generated by the company, which is provided to candidates or employees prior to processing their personal data. Companies must have a Privacy Notice for each specific type of individual or audience. Consequently, there should be a Privacy Notice to regulate the processing of data from candidates and a Privacy Notice to regulate the processing of data from employees, since the purposes and the data required are different in each case.

The main purpose of using personal data from candidates is to begin the recruitment process for a potential hire. The Privacy Notice for this specific case should be provided through the different channels from which data is obtained; for example, companies that have implemented an employment referral service should post the notice on their website, requesting the candidates' consent to process their data in order to submit an employment application.

The main purpose of using personal data from employees is the maintenance of, and compliance with, the obligations of the labor relationship. The notice should be provided to the employee, signed upon the execution of the individual labor agreement and kept on the internal file.

3. Conducting background checks

Companies can conduct background checks and request criminal information in recruitment processes provided that the candidate has been duly informed, through the Privacy Notice, of the specific information to be requested and its purpose. Employers can use such data to evaluate the candidate, always taking into consideration the specific characteristics of the job position (e.g. a position that involves handling sensitive data or transactions that require utmost qualifications from the employer). Most of the data obtained through background and criminal checks is considered sensitive; therefore, companies should take special measures to protect its confidentiality and ensure its proper use. Examples of these security measures include: limiting access to the data, implementing IT security software, informing employees of the rules of use of passwords and usernames provided by the company, among others.

4. Preventing discrimination practices

The data requested by a company on a job application or during an interview could lead to illegal discrimination practices. Requesting data such as the race, religion or sexual orientation of a candidate is generally not allowed by law. It is important that the data requested on a job application is duly justified by the needs of the job position. For example, requesting health information from a candidate and denying the job to a person with a certain medical condition, which does not allow him or her to conduct hard physical work, is not illegal or discriminatory if the position requires that type of work. A proper policy governing the recruitment process could prevent claims from candidates and lower the risk of facing proceedings for discrimination practices.

5. Internal investigations and monitoring

Given that companies are exposed to internal robbery, fraud and corruption, it is sometimes necessary to conduct investigations of employees, supervise the use of computers and review communications. To conduct these kinds of practices without violating the privacy of their employees, companies should take the following steps.

As preventive measures:

(i) Inform employees that the company is allowed to monitor the use of work tools.

(ii) Execute, with employees, a work tool reception minute, informing them that such tool is to be used only for the purposes instructed by the employer and that no personal information should be stored therein.

When conducting an investigation:

(i) Conduct the investigation by a limited committee, subject to confidentiality obligations.

(ii) If, from the review of the information stored in a computer of the company, personal information is found and it is not required for the investigation, it should be immediately deleted.

6. Video-surveillance

Companies may choose to install cameras in certain places of the work center in order to protect their assets and confidential information, prevent robbery and guarantee the security of employees. These measures should be applied so as to avoid invading the privacy of employees as much as possible, and should not be used to measure their efficiency at work. A short notice should be posted informing that certain work areas are under video-surveillance for security purposes. In exceptional situations, companies may use cameras without informing employees, with the purpose of identifying illegal conduct committed within the work center; this should always be done for a limited period of time. Furthermore, certain positions and industries will require the employee to be constantly monitored to avoid illegal conduct (banks, casinos, etc.), in which case the employee should be notified through the Privacy Notice.

7. ARCO Rights

Pursuant to the domestic regulations, data owners have the right to Access, Rectify, Cancel and Oppose (ARCO) the processing of their data. Candidates or employees may exercise any of these rights at any time; therefore, companies must implement an internal process to attend to any such request, responding to petitions within the terms established by the relevant law. Failure to comply with a petition may lead to a claim filed before the Data Protection Office and the start of a sanctioning proceeding. In order to avoid this, companies must issue a response to the petition of the data owner, in which he or she is informed of the result of the request.

8. File keeping

One of the most important practices companies must implement in order to be protected from individual labor and data protection contingencies is keeping proper and correct employee files. The documents that the employer should have in its records are the following:

(i) Individual employment agreement.
(ii) Any payment receipt duly signed by the employees (payroll, vacation premium, Christmas bonus, overtime, etc.).
(iii) Privacy notice duly executed.
(iv) Company's policies duly signed as receipt by the employee.
(v) Attendance and absenteeism list.
(vi) Vacation records.

Employees' files should be kept for at least 5 years in order to comply with authorities' requirements. Nevertheless, upon the termination of an employment relationship the company should stop processing the personal data contained in the employee's record. For example, the company should not give any references for the former employee unless it has been duly authorized to do so.

9. Enforceability of policies

Companies should make sure that employees comply with internal work regulations and policies, so that in case of breach, the employment relationship may be terminated without responsibility of the employer. In order to be able to enforce Data Protection Policies and the Privacy Notice, companies should take the following steps:

(i) Data Protection Policies must be referenced in the individual employment agreements.
(ii) Data Protection Policies must be referenced in the internal work regulations of the company.
(iii) The Company must provide the employees with a copy of the Data Protection policy and should keep a signed receipt.

10. Internal trainings and communication

It is important that companies conduct trainings that promote internal compliance with Privacy and Labor regulations, and that these regulations are constantly communicated through different means (emails, posters, the intranet, etc.). This will create awareness within the organization of all the obligations that must be met, avoiding infringements of the law through the conduct of employees. Having proper trainings will be taken into account by authorities when conducting investigations of possible infringements of Privacy or Labor regulations.

Conclusion

Being compliant in Data Protection and Labor matters will prevent the company from facing risks that may harm its reputation or goodwill. Furthermore, facing legal proceedings or investigations by authorities in Data Protection and Labor matters can be pricey. In this regard, it will always be better to seek preventive compliance measures than to face the risks of not being compliant.

Region: Mexico
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.