Background checks under Mexican labour law
Last year the first fine under the 2010 Mexican Data Privacy Regulation was imposed on a major bank; since then the privacy authorities have become more vigilant in seeking out privacy offenders. As a result, labour inspectors have begun to include privacy-related issues on their checklists, ensuring that employers are following the proper procedures, especially with regard to employee background checks and medical examinations.
The Mexican Federal Labour Law (“FLL”) gives employers the sole discretion to set forth the necessary requirements for employment, such as requesting that candidates fill out a job application, which may include general background information, employment history, skills and qualifications, education certificates or diplomas, and reference letters from former employers.
The FLL also allows employers to request that applicants undergo medical examinations in order to verify whether they suffer from any injury or even a mental disease that would prevent them from carrying out their activities or that would put work colleagues, employer representatives, customers, clients or suppliers in danger.
The obligation to undergo medical examinations applies not only to applicants but also to current employees. This is expressly provided for in the FLL and operates as a matter of law and not as a matter of agreement, which means that an employer can exercise this right without necessarily including it in the Employment Agreement.
However, employee background checks and medical examinations are considered sensitive and highly confidential, which brings them within the scope of the Mexican Data Protection Law; any violation of the Privacy Law can expose an employer to civil and/or even criminal liability.
Under some recently enacted data privacy obligations, employers are required to issue a privacy notice to applicants before requesting any sensitive or confidential information/documentation. Current employees also need to be notified in a document that is separate from the Employment Agreement.
The privacy notice must include:
- The identity of the data controller (the employer);
- The purpose of the data collection;
- The means for exercising rights of access, rectification, cancellation or objection;
- Any transfers of data that will occur; and
- When applicable, an express statement that sensitive data is being processed.
As a general rule, all processing of personal data requires the consent of the data subject (the employee); however, as an exception, consent is not necessary when the data is being collected in order to fulfil obligations under a legal relationship between the data subject and the controller.
In conclusion, even though the FLL expressly allows employers to request background information and/or medical examinations from applicants and employees, the appropriate privacy measures must be put in place, especially within Human Resources departments, where sensitive personal data is processed, in order to avoid civil or criminal liability.