Environmental, social and governance (ESG) factors are playing an increasingly important role in corporations and are high on the agenda of boardrooms. ESG activity not only reduces reputational risk but also helps to attract young talent who are more focussed on the environment, diversity and inclusion and are looking for a sustainable work environment.
The question of how diverse and inclusive a workforce is (in terms of age, gender, sexual orientation, and background) needs to be clear from the outset when starting a recruitment cycle.
What data may companies collect as part of a diversity policy that can also be used for recruitment purposes?
More employers are asking their employees to voluntarily disclose personal information via their global HR systems. This "diversity monitoring" often involves surveys with questions about race, ethnicity, health, religion, sexual orientation, gender, gender identity or social origin. The purpose is to monitor equal opportunities in general, to identify barriers to workforce equality and diversity and sometimes to plan specific positive actions to correct for any disadvantage or under-representation of a specific category of people.
The European and Belgian legal framework
According to Article 9 of the General Data Protection Regulation (GDPR), both of the following are prohibited: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
There are some exceptions to this principle, for example, when:
- the data subject has given explicit consent to the processing of the personal data for one or more specified purposes; and
- the processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the employer or of the employee in the field of employment, social security and social protection law in so far as the employer is authorised by EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Belgium has several laws that protect against racism, discrimination and gender discrimination (laws of 30 July 1981 and 10 May 2007). A recent Royal Decree (11 February 2019) now also allows employers to take positive actions to make up for disadvantages linked to certain demographic markers. Employers can set up an action plan following a specific procedure involving the Ministry of Work.
A Decree of the Brussels region of 7 May 2009 allows employers established in the region to identify workers, for example, by their origin or handicap, and set up a diversity plan at the company level and obtain a diversity label.
Does Belgian law permit the collection of employee diversity data?
Belgian law does not permit the collection of diversity data. The Belgian Data Protection Authority (DPA) has published specific guidelines on the processing of sensitive data in the context of recruitment, in particular regarding data relating to ethnicity.
However, the DPA is of the opinion that the Royal Decree of 11 February 2019 is not a sufficient legal basis to collect such data, as other means are available to demonstrate a disadvantage or unequal treatment. Only companies in the Brussels region could potentially invoke the decree of 7 May 2009 to collect certain data.
Could the consent of the employee be a valid alternative? The consent of the employee could be challenged as a valid legal basis, taking into account the relationship of subordination between the employer and the employees. However, based on the guidelines of the European Data Protection Board and the DPA, the consent of the employee could be a valid legal basis provided that the following conditions are met:
- the employee does not feel any pressure to give their consent;
- the employee does not experience any negative consequences when they refuse to give their consent, nor should they fear any;
- the employer does not benefit from the processing of the data;
- the employee has been adequately informed in advance of the specific purpose of the data processing and their right to withdraw the consent.
Processing data on an anonymous basis is probably the safest way to monitor diversity, and it is important that the data cannot be attributed to any specific person and that anonymity prevails from the start.
How does this work in other countries such as the UK or the Netherlands?
In the UK, the collection of employee diversity data is legally permissible. The data protection legislation in the UK includes a limited provision that specifically allows diversity data to be processed for the purpose of monitoring equality of opportunity or treatment between different groups.
Employees cannot be compelled to provide their diversity data and there must be no repercussions if they do not wish to do so.
The Dutch implementation of the GDPR also provides an exception to the processing prohibition in the context of a positive action policy. The prohibition of processing of data revealing racial or ethnic origin does not apply when the processing is carried out with the purpose of giving persons from a particular ethnic or cultural minority group a privileged position in order to remove or mitigate actual disadvantages relating to racial or ethnic origin. Further, for applicability of this exception it is required that the processing is necessary for this purpose; the data involves place of birth of the data subject, his or her (grand)parents or other statutorily established criteria to objectively determine whether an individual belongs to a certain ethnic or cultural minority group; and the data subject has not objected to the processing in writing.
Even with the GDPR, Europe remains fragmented as regards the collection of employee diversity data. Employers should remain cautious and be aware of the local laws and guidelines of the national data protection authorities before implementing a diversity-monitoring programme.