CNIL Launches Public Consultation on Workplace Diversity Measurement


On 9 July 2024, the French data protection authority (CNIL) issued a draft recommendation on conducting workplace diversity measurement surveys, seeking public comments until 13 September 2024. This recommendation aims to guide organizations in measuring diversity across characteristics such as disability, age, gender, and social, geographical, or cultural origins, while ensuring compliance with privacy laws and regulations.

Organizations use various tools to measure diversity, including surveys that collect personal data on aspects like disability, age, gender, and social, geographical, or cultural origins. The CNIL underscores the need to adhere to data protection regulations and constitutional principles, notably the 2007 Constitutional Council decision that prohibits the collection of real or perceived ethnic-racial data.

Key Recommendations:

Anonymity and Data Protection

  • The recommendation underscores the importance of anonymity in collecting diversity data. According to Constitutional Council Decision No. 2007-557, collecting real or supposed ethno-racial affiliation is prohibited.
  • Surveys must exclude personal identifiers such as names, addresses, phone numbers, and birth dates.
  • If anonymity at data collection isn’t feasible, anonymity must be ensured during data processing.

Cross-referencing Information

  • Organizations must prevent identification through cross-referencing survey data with other files, especially in small organizations where cross-referencing is easier.
  • For online surveys, CNIL recommends using dedicated web pages, excluding personal identifiers, and separating survey responses from technical information.

  • Surveys should be based on legitimate interest, ensuring participation is voluntary and responses optional.
  • Results should not directly identify respondents.
  • Involving a trusted third party to administer the survey and collect sensitive data can enhance compliance.
  • Employee consent must be free, explicit, and informed to lift prohibitions under Article 9 of GDPR.

Purpose and Data Minimization

  • Data collection should serve a specific, explicit, and legitimate purpose, such as improving equal opportunities at work.
  • Organizations should minimize collected information, using suitable questions to avoid excessive data collection.
  • Employees must be informed about the data controller’s identity, DPO contact details, survey objectives, data recipients, retention duration, data subject rights, and the complaint submission process to CNIL.

Data Protection Impact Assessment (DPIA)

  • Given the high risk to individuals’ rights and freedoms, a DPIA should be conducted before implementing or updating a survey.

Public Participation

Public comments on the draft recommendation can be submitted until 13 September 2024. After this period, CNIL will finalize and publish the recommendation, aiming to balance diversity measurement with stringent privacy protection.

The press release is available here.
