COVID 19: Corporate social responsability and treatment of sensitive personal information during the quarantine and in preparation for the return to economic activities.

June 10, 2020

As a result from the decrees by which the Federal and State Governments are regulating the gradual return to various economic activities in Mexico, within the so-called stage “new normal”, there is the need for employers to collect personal information from their employees, with the aim of evaluating and warranting a safe return to activities in sanitary terms, for everybody within the company, and at the same time, fully complying with the applicable legal framework, thus avoiding omissions that may lead to sanctions which hinder the daily operation of the company, as well as the corporate social responsibility of the company.

This awakens the need to carefully evaluate and determine the personal information to be collected from each employee, in order to be able to comply with the principles of legality, consent, information, purpose, loyalty and proportionality, recognized by the Mexican Federal Law for the Protection of Personal Data Held by Private Entities, and its Regulations (the Law); otherwise, any employer may collect excessive personal information, which may lead the company to fall into non-compliance, which in turn may lead to serious economic sanctions.

Likewise, since much of the information to be collected from each employee at this stage of return to economic activities may constitute sensitive personal information, the need of obtaining the consent of each employee is a must, for the collection of said sensitive personal data, through their signature in writing, electronic signature, or any other authentication means recognized and approved for that purpose in the Law.

Considering that at this point in time sanitary restrictions may prevent employers from easily collecting a written signature through which employees consent on the collection of their sensitive personal information, the need to rely on proper legal advice also rises, prior to the implementation of procedures aimed at determining which sensitive personal information is to be collected and managed, as well as which technology is to be used for introducing the use of e-signatures within a company, or the use of alternate means of authentication that allows the data owner’s consent to be obtained safely and swiftly , all of which will allow employers to evaluate and organize a suitable and safe return to work activity at office’s premises as soon as sanitary restrictions allow so within each industry.

The lack of proper knowledge as to which personal information is lawful to collect, and the proper way of doing so, as well as the correct and lawful management of sensitive personal information, may cause any company or employer to fall in breach of compliance with the Law, thus becoming exposed to very severe fines that may be imposed by the National Institute of Access to Information (INAI), which is the Data Privacy Authority in Mexico.

At OLIVARES, we monitor on a continued basis all activities of INAI and are available for any questions or assistance you may require in the fields of Privacy and Data Protection Law.