Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

ILO Code on employee data [1998] PLBIRp 21; (1998) 45 Privacy Laws and Business International Report 11

ILO Code wants stronger protection of employee data

MANY EMPLOYEES need improved protection for their personal data at the workplace. What can the non binding Code by the International Labour Office contribute?

Professor Dr Spiros Simitis, Director of the Institute of Labour Law and Research Centre for Data Protection Law, University of Frankfurt, addressed the question of protecting workers’ data at the Privacy Laws & Business 11th Annual Conference in July. Professor Simitis used his pre- sentation to make a powerful case for the need for specific data protection rules governing employee data, and to outline the approach taken on this issue by the International Labour Office (ILO) in its Code of Practice on the Protection of Workers’ Personal Data (PL&B Aug ’97 p.12). the necessity of adopting such rules. For Professor Simitis there is a paradox, for while at national level there is an absence of rules regulating employee data, at international level such rules have already been developed. At national level there are a few scattered provisions, such as the 1992 French law regarding job applicants, the co-determination rights enjoyed in Germany by works councils regarding workplace monitoring, and some regulation in the German Lä nder. However, there is no real sectoral employee data protection law to speak of. longer period of negotiation, which would inevitably lead to a watering down and distortion of the content. The ILO wanted a quick, high-level solution, and therefore opted for the code of practice route. But, of course, a code of practice is non-binding. In fact, it is simply an appeal which he hopes will influence real practice. Even countries with no existing data protection law might also be influenced by the ILO Code.

SCOPE COVERS PRIVATE AND PUBLIC SECTORS

The ILO Code makes no distinction

He began by referring to a recent case (from November 1997) in which between public and private sector employees, and importantly, given the

the German Federal Court ruled that a company’s internal data protection officer was not entitled to access and supervise data processing carried out by the company’s works council, on the grounds that the officer was not sufficiently independent from the company’s management. In taking this decision, the court commented that the time had come for legislation on the protection of employee data.

EU DIRECTIVE ON EMPLOYEE DATA POSSIBLE IN THE FUTURE This decision in Germany is part of a pattern. The German Parliament has five times requested such a legislative initiative, and, according to Professor Simitis, the European Commission has similarly said that there is proba- bly a need for a directive in this area. Meanwhile, Data Protection and Privacy Commissioners in Germany, France and Italy have all pointed to At international level, comprehensive rules for employee data do exist. In 1989, the Council of Europe adopted a recommendation on the subject, and in 1997, the ILO published its Code of Practice.

THE ILO CODE IS NOT BINDING The first question one might ask is why the ILO chose to develop a code of practice rather than a more binding instrument such as a convention. For Professor Simitis the reasoning was not because of any half-hearted com- mitment on behalf of the ILO, but resulted from the knowledge that a convention would require a much modern trend towards out- sourcing, also covers processing carried out by employment agencies. It makes sense that rules on assess- ment questionnaires used for recruitment purposes, for example, should be equally applicable to such agencies. The Code also resists any attempt to distinguish between manual and automated processing. The Code applies the basic “finality” principle (using data for the purposes for which it was collected) but also goes further by excluding entirely the possible use of data for certain secondary purposes. For example, the use of employee data for marketing purposes is outlawed entirely. Furthermore, it is stipulated that data collected for security reasons, such as the correct function- ing of the computer system, must be used solely for that purpose.

RULES FOR SENSITIVE DATA Professor Simitis criticised the notion of sensitive categories of data, and thus the approach of the EU Directive. For him there is no sensi- tive data, only certain contexts in which data processing is sensitive. The directive prohibits the processing of sensitive data, but then allows so many exemptions that the initial prohibition becomes somewhat mean- ingless. The ILO Code has a better approach whereby, for certain sensi- tive data, the employer needs a clear and specific justification in order to collect and process the data. This approach is sufficiently flexible to allow employers to continue to deduct union fees direct from employees’ salaries, provided the employee has consented, or to deal with problems of sexual harassment in the workplace. As for genetic data, the ILO Code requires that there are statutory provisions in place before genetic screening of employees is permitted.

INTERNAL USE OF DATA ALSO COVERED

The Code does not draw a distinction between internal and external com- munication of data. Thus within an organisation, access to data must be legitimate on the basis of the responsibilities of the person seeking access. Employers are equally req- uired to inform employees of internal communication of their data, in the same way as they would be required to inform them of external communications.

NO FEE FOR RIGHT OF ACCESS

Employees are free to exercise their access rights even during the hours of work. This provision was included to counter the spoiling tactics used by some employers of requiring that the right be exercised in non-work hours. There should be no fee for exercising the right of access. As far as con- fidential employee references are concerned, the employee would enjoy access to any that were internally gen- erated, but those coming from a third party would remain confidential.

Employees (and presumably prospec- tive employees) would, however, need to be informed before a third party was approached for a reference.

A crucial point regarding the ILO Code is that it sees data protection as a question of fundamental human rights. Such basic rights are not nego- tiable as part of a wider collective agreement. They could not, for example, be waived in exchange for longer holidays or better pay. For Professor Simitis it is difficult to see how rules regarding the use of collec- tive rights (such as works council powers) as a means of supporting individual rights, can be developed at international level, given the huge dif- ferences that exist in national practices on this point.

DOES THE ILO CODE PROVIDE ‘ADEQUATE PROTECTION’?

Professor Simitis concluded by reflecting on the question of the ‘ade- quacy’ of the protection provided by the ILO Code in the light of the EU Directive’s requirement for adequate protection for third country transfers. Clearly, given the Code’s voluntary status, it could in no way be seen as adequate standing in isolation. If the Code were included into some sort of framework of normative rules, as would be possible in Germany, Austria and Switzerland, for example, then it could come close to the ade- quacy standard, except for the fact that the Code did not require any sort of independent supervisory authority. Ultimately, the ILO Code should be considered as the penultimate step on this issue, the final step being an EU directive.

Professor Simitis’ speech was report- ed for Privacy Laws & Business by Nick Platten, consultant in interna- tional privacy and data protection law. He can be contacted by E-mail: nicholas.platten@bigfoot.com.

Professor Dr Spiros Simitis, who acted as a consultant to the ILO during the drafting of the code, can be contacted at the Institut fü r Arbeits, Wirtschafts und Zivilrecht, Postfach 11 19 32, Frankfurt am Main, 60054 Germany.

The ILO’s Code of Practice on Protection of Workers’ Personal Data is published in:

English (ISBN 92-2-110329-3) French (ISBN 92-2-210329-7) Spanish (ISBN 92-2-310329-0) Price: 15 Swiss Francs

ILO Publications, International

Labour Office, CH-1211,

Geneva 22, S, Switzerland