TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | D&I programs and processing of employees' personal data: Challenges and guidelines considering Brazil’s data protection legal framework Related reading: Data privacy and affirmative action: What is the applicable legal basis under LGPD?




Over the past years, many studies have shown when the inclusion cycle begins in employment relations, and it is more likely significant changes are made toward the recognition of rights and safeguards that break the chains of exclusion in our society. Unfortunately, it is also known that social equality is far from being a reality. The study "LGBT+ in the pandemic" found six out of 10 LGBTQ+ people in Brazil experienced a loss or decrease in income due to the COVID-19 pandemic. Also, according to recent indicators measured by the Brazilian Institute of Geography and Statistics, the unemployment rate among Black people is 19.1%, while the number of unemployed white people corresponds to 11.8% of the population.

Statistics is only one of the various methods that expose disparities of conditions faced by underrepresented groups every single day. Inequality in the job market also affects other vulnerable and historically oppressed groups, raising issues about race, gender, sexual orientation and disability that need to be addressed by all socially responsible companies.

How can organizations help change this scenario?

One of the ways to reduce the vulnerability of underrepresented groups is to implement diversity and inclusion programs within the workplace, promoting more inclusive recruitment processes and adopting internal support initiatives for employees.

In Brazil’s legal framework, even before the debate on privacy and data protection emerged, the Federal Constitution of 1988 safeguarded the worker’s right to be treated without discrimination (regarding sex, age, race, gender, marital status or disability). Likewise, Law n. 9.029/95 prohibits any discriminatory and restrictive practice for the access to work or its maintenance.

With the enactment of Brazil’s General Data Protection Law, specific guidance was provided concerning the use of personal data by relevant market players, including employment relations. In this scenario, the LGPD establishes the nondiscrimination principle, determining processing activities cannot be carried out for illicit, abusive or discriminatory purposes.

The handling of personal data is a critical component of D&I initiatives, as it allows employers — functioning as controllers in this situation —  to access, evaluate and store a significant amount of sensitive information about its workers that has the potential to harm those individuals.

Here are some practical tips for human resources departments and organizations that wish to conduct an assertive D&I program and still safeguard employee’s personal data.

1. Set clear goals

It is important to establish a specific purpose for the processing of personal data and to ensure data is not used for any other activities nor kept merely as “nice-to-have” information. This requires a case-by-case approach to each initiative carried out by the organization. For instance, when promoting an affinity group based on ethnicity and race, the registration form should not collect information about the respondent’s political view, sexual orientation or religious beliefs.

2. Define the lawful basis for data processing

With a clear and specific purpose in mind, the agent must find a valid lawful basis to justify the processing of personal data before it begins. This requires a detailed assessment not only of the purpose for processing but of aspects such as market sector and legal nature of the controller. Some examples of lawful basis applicable to D&I initiatives are:

Compliance with legal and/or regulatory obligation: The processing is necessary for the controller to comply with the law. For example, in Brazil, Law n. 8.213/1991 establishes that companies with 100 or more employees must guarantee a minimum rate of their job positions are granted to people with disabilities or in rehabilitation. This may justify the collection of specific information about the candidate or employee’s physical or intellectual condition for recruitment purposes.

Consent: Even though consent is not largely considered an appropriate basis for processing employee data, since the relationship between the subject and the controller is unbalanced, potentially leading to consent not given freely, there are a few scenarios in which it can be applicable. Because D&I programs mainly rely on information considered sensitive data by the LGPD, further attention should be given to the specific rules for processing special categories of personal data in Articles 5, XII and 11, I. To be valid, consent must be "freely given," "informed," "unambiguous," "specific," "prominent" and "for determined purposes." Thus, controllers should rely on consent as a lawful basis only if robust evidence demonstrates authorization was unquestionably given.

3. Minimization as the rule

It is also relevant to restrict the amount and type of data used in the initiative. The questions below can help organizations understand what data is really needed to achieve clearly defined goals:

  • Do I have to collect new categories of data or can I rely on information I already have?
  • Without this information, would it still be possible to reach the same purposes?
  • For how long will this data be useful to the achievement of this purpose?
  • Is it possible to use anonymized data instead?

Controllers should also make sure the anonymization process eventually carried out does not leave open the possibility of tracing back information about the data subjects, which is more likely to happen when dealing with reduced sample sizes for metrics and indicators.

4. Safety first, safety always

Ensuring security measures are being implemented is a key component for D&I activities within the workplace. As personal data processed in this dynamic has an increased discriminatory potential, it is recommended to place internal controls to restrict access to sensitive information and protect the sharing, transferring and storing of the data.

Keeping a clear record of measures implemented to protect personal data eventually used in the activity is also a good practice that gives prestige to the accountability principle.

5. Being transparent and empathetic is never enough

Providing clear information to employees and applicants, clarifying the purpose of the data collection and ensuring it will not be used for incompatible goals are all important actions to help organizations build trust with data subjects. Acceptance and empathy must lead the whole process. This can be achieved by:

  • Providing a distinct privacy notice for the specific D&I program or plan designed within the company.
  • Establishing a communication channel/mechanism to receive complaints or suggestions from employees who wish to provide feedback on activities.
  • When conducting voluntary campaigns, informing in a clear manner that participation is optional and reassuring collected data will not affect the individual’s performance or evaluation as an employee nor result in disciplinary measures.

In view of that, special attention must be paid to the data quality principle, which imposes data must be accurate, clear, relevant and up to date. Taking as reference the European Commission’s guidance on data collection in relation to LGBTQ+ people, the gathering of intimate and sensitive data about employees needs to accommodate as many perceptions and life experiences as possible. Therefore, the data subjects must feel comfortable providing the information and, most importantly, need to relate to the categorization used to infer elements about their lives. For example, when carrying out a survey about sexual orientation, the organization should ensure everyone feels adequately represented, providing as many categories as possible and, depending on the nature of the survey, adding “other” with a blank space and “I prefer not to say” as answer options.

In conclusion, it is very important to reconcile personal data processing, including special categories of personal data, for D&I programs with privacy regulations. In this way, it is possible to manage initiatives that increase diversity in work teams and truly ensure inclusion as an element of social change.

Photo by Timon Studler on Unsplash


Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.