Q: We are reviewing our Human Resource Information System in the USA and want to add some fields to cover sensitive personal information for employees at various locations around the world. We want to do this so we can monitor our equal opportunities policy. How do we go about undertaking such an exercise?

A: It is true that if you do not know the composition of these characteristics in the workforce then how can you measure career advancement, recruitment activity etc from an EO standpoint? The only problem is that the law is not your friend in wanting to do the right thing.

Your first barrier – particularly in Europe – is data protection law. This is not insurmountable, except for international data transfers. The problem is that the GDPR puts many restrictions on processing sensitive personal data and special safeguards for “adequacy” of certain geographical locations. This is like the previous regime – but with a lot of unknowns about interpretation. Although the GDPR was supposed to establish a common legal framework across the EU it was implemented as a minimum provision and some countries added their own provisions – often about sensitive data. It means nothing to Data Protection guardian’s what your motives are for processing sensitive data. They generally ignore other laws such as discrimination legislation and rights to undertake “positive action”. You should be particularly careful about French and Japanese authorities in this respect as they seem to like catching employers out. Please also note that after March 29th the UK will not be an “adequate” country for data transfers under the GDPR.

Even outside Europe (such as Japan) there are data protection laws in place that apply similar restrictions. The US has around 20 privacy-related federal laws that include “health data” which could apply to disability. Also 50 individual states have in place their own comprehensive data protection laws. These are particularly strong in respect to breach notifications (which could be relevant to certain types of data where damages – torts – could be established if the data were known. As the US is a common law jurisdiction such civil damages can become established quite quickly).  That said, on the surface, the US looks like one of the safest data protection regimes for such an approach to be applied.

But the biggest barrier by far is anti-discrimination legislation. The only country where “ethnic monitoring” is totally legal (if you conduct it properly) is the UK. This has been allowed for many years. Disability monitoring is ok in a very minimal way where quotas exist or accommodation of premises must take place (minimal data). We still advise not keeping this data on an HRIS and shredding accommodation details once used – except for fact that an exercise was undertaken.

It is true that sexual orientation is not strictly protected in the USA for instance – but Title VII of the Human Rights Act 1963 has been tested by federal courts and found to cover LGBT employees. 

Religion might be justified in some countries if your intention was also to allow people time off, for instance, for their religious festivals. But religion is not the same type of sensitive data as the rest – as people can change their religion overnight very easily. This is, of course, the same with gender as in Argentina and Portugal an employee may declare themselves to be of any gender they like without medical confirmation.  

Some lawyers may advise nevertheless that all is ok as long as the company first partitions the sensitive data, applies special security controls and ensures it is subject to strict, prior employee consent. We cannot agree. Consent, for instance, is always challengeable because if a favourite old judicial “nut” that the power difference between the employer and employee is such that free consent can never be guaranteed. Lawyers love this one as the subject can be debated for days.

It is a strange phenomenon that legislators frequently complain that employers discriminate against certain groups, but never give the right to employers to measure how biased their practices are. The history of discrimination, moreover, is littered by state infractions of discrimination protection rights rather than individual employers. But this is also the case with privacy rights where it has always been the state that is most guilty of intrusion into individual’s personal privacy.