Under the Brazilian General Data Protection Law (LGPD), the processing of employees’ personal data during ongoing employment shall be justified under employee’s consent, legal obligation compliance, contract performance or legitimate interests’ attendance.

Do I need consent to process employee data?

The LGPD establishes that data processing can be justified, among other cases, under employee’s consent.

Nonetheless, to perform an employment contract, the employer must comply certain legal obligations, as, for instance, payroll processing, employee’s data introduction in company systems and employee registration in the governmental system of Social Security and Guarantee Fund for Length of Service. In these cases, to execute the obligations within the employment contract, the employer does not need the employee’s consent.

Therefore, only if the employer intends using the employee’s data in situations that are not related to contract performance or legal obligations compliance, the employee’s consent shall be necessary.

What are the privacy and data protection issues inherent in alcohol/drug testing?

As a rule, the alcohol/drug testing is prohibited under the Brazilian law, as it violates the employee’s privacy and intimacy. However, there is legal provision authorizing professional drivers to undergo these tests.

Furthermore, the case law has already reinforced the understanding that these tests may be extended to other professions when they involve the performance of dangerous functions which rely on the worker’s perfect physical and psychological conditions to be safely developed (e.g. private security and employees who work with explosive or flammable cargo).

In any event, the alcohol/drug testing shall not submit the employee to embarrassing situations, reason why it must be performed without any constraint, humiliation or coercion by the company. For that reason, the company shall not use its prerogative in a discriminatory way, sticking to the preventive purpose of the adopted measure. Therefore, besides explaining in a reasonable and clear way the need of the test, the employer shall apply it indiscriminately to all employees, gathering the data in the less invasive way possible.

According to LGPD, the alcohol/drug tests data configures sensitive personal data related to health. In this way, although the employer does not need the employee’s consent to process it (as the need of processing originates from legal obligation), it is recommended that the company restrict its access only for the strictly necessary purposes, avoiding data sharing to cause any kind of constraint or stigma to the employee.

How can I legitimately monitor employees’ email, internet usage and social media?

To track and monitor employee’s email, internet usage and social media, the company shall include in its Internal Regulation the restrictions concerning personal email, internet and social network usage during working period on employer-provided equipment. The employer may prohibit, for instance, access to personal emails, to illegal or inappropriate sites and to texting or social applications. Furthermore, besides including these limits in the Internal Regulation, the employer shall inform the employees about its rules, giving them copies of the Regulation after updates and after hiring and on-boarding procedure.

Although the employee has the right to privacy in virtual environment, the companies have management power and they own the workstation, internet access, technological equipment and corporate email. In this way, they are entitled to monitor employee’s virtual activity, since the inappropriate usage of the employer-provided tools may compromise the employee’s performance as much as the company image and security.

Regarding emails monitoring, it shall be restricted to the employee’s corporate email. Therefore, the employee’s personal email shall not be monitored, with the company only being able to check its access in order to apply penalties in case of recurring use. Anyhow, the personal emails as well as the text messages content are inviolable, except when the data is stored on company equipment or when the breach of secrecy is judicially authorized.

In addition, in order to comply with the principles of Necessity, Adequacy and Non-Discrimination, the surveillance and monitoring shall be exercised in a moderately, generally and impersonally way, since any persecution in working environment is prohibited.

What are the limits of using artificial intelligence in employment?

The LGPD does not define specific limits for artificial intelligence usage in employment. Therefore, it is recommended to use artificial intelligence respecting the same limits imposed on data processing by people. So, the data processing by artificial intelligence shall be also justified under employment contract performance or legal obligation compliance. In this way, the employee’s data shall not be shared with the artificial intelligence for other purposes, as, for example, commercial use.

In addition, it is recommended to inform the employees in a clear and precise way that their data is being processed and operated by an artificial intelligence. Moreover, the company, besides preventing the technologies of creating an exclusionary and discriminatory pattern, shall guarantee that employees’ personal data will not be gathered in an indiscriminate and unreasonable way.

The LGPD also establishes that the data controller shall provide, whenever requested, information about criteria and procedures adopted in automated decisions. Thereby, if the employee suffers any penalty or loses any job opportunity due to artificial intelligence data processing, the company may be asked to review its decision through human agents and prove that there was no exclusionary or discriminatory decision by the artificial intelligence.

What are the data protection issues in whistleblowing?

As pointed above, the LGPD allows data processing when it comes to legal obligation compliance, employment contract performance or attendance to the controller or third parties’ legitimate interests. In this way, although the LGPD apparently restricts data processing during investigatory procedures only to governmental agencies, the employer has the legal duty of information and cooperation with the authorities when aware of any criminal practice. Therefore, the company is allowed to process the employee’s personal data in order to investigate whistleblowing, even because there is legitimate interest in preserving its image, property and internal data security.

Regarding the whistleblowing itself, it is recommended that the company includes in its Internal Regulation a compliance policy. Through this Regulation, the employer shall enable its employees to make anonymous reports and shall inform them that, in these cases, there will be secretive data processing during the initial stage of investigative procedure, since it is essential for fact checking and evidence gathering. Thereby, the investigated as well as the other parties shall only be notified about the procedure and data processing after the end of investigation initial phase. Otherwise, all the investigative procedure may be put at risk.

Anyway, during the investigatory initial stage, the investigators shall process the data in a secretive way, sharing the gathered information with the least people possible (mainly when it comes to the whistleblower data). Finally, after the end of investigation initial phase, the company shall provide the investigated and legal authorities with the records of the operations carried out during data processing, ensuring that there were no discriminatory or persecutory practices.

Summary

During ongoing employment, employers may (i) execute alcohol/drug testing, (ii) monitor employees’ internet usage, (iii) adopt artificial intelligence and (iv) investigate whistleblowing, as long as they comply with the legal limits imposed by the LGPD.