/ How do you handle your employees’ data?

September 5, 2019

There’s no need to wait for a bill. It has been more than a year since Chile’s Constitution included data protection as a guarantee in Article 19. It is urgent that employers review their treatment of employee data as from the selection process.

In 2014 the English supermarket chain Morrisons was affected by a data leak. In contrast to what we usually read, in this case more than 100,000 Morrisons employees were affected. Andrew Skelton, the company’s internal IT auditor, posted online the names, bank information, remunerations, contributions, among other employee data. As a result of these facts, the first class action lawsuit was filed for data leakage in the UK. Morrisons was first convicted under its responsibility for Skelton’s criminal acts.

We are witnessing a lawsuit for a leak of employees’ personal data against their employer and, in addition, for acts committed by another employee, i.e. recognizing the latter’s responsibility for an act carried out by a third party.

Let us think that the case occurs in Chile. With the 2018 amendment of Article 19 No. 4 of the Constitution, which incorporates the protection of personal data as a constitutional guarantee, the affected employees could have sued the employer for labor protection, with consequent damages compensation. In Morrison’s class action lawsuit, the employees claim to be affected and distressed (“Upset and distress”), alluding to the moral damages suffered.

How do companies treat their employees’ data? We know there is a pending privacy bill. However, in labor matters there is no time to wait. The cause for protection has been present for more than a year, so it is extremely urgent that employers review their treatment of their employees. Being diligent they should consider from the moment the data is born, that is to say, from the selection process.

Avoid fines, be ahead of time. Carry out an evaluation of all human resources processes. Review the nature of the data processed, supplier contracts, benefits granted by the employer and provided by third parties, access to these data, inclusion law, among other aspects. At the end of this path you will obtain a compliance degree and a work plan designed to protect the personal (and sensitive) data of your employees.

Macarena Gatica
Senior Associate Alessandri