RELEVANT ASPECTS OF PERSONAL DATA PROTECTION IN HOME OFFICE UNDER THE RECENT AMENDMENT TO THE FEDERAL LABOR LAW

Mexico City, February, 2021

On January 11, 2021, a chapter on working through the home office was added to the Federal Labor Law (FLL). Firstly, it regulates the workers’ data protection and secondly, it refers to the obligation of businesses to protect the information pertaining to the organization.

  1. Background

Although previously adopted by some organizations, working through telework or home office was not regulated under the FLL or any other law or regulation.

As a result of the State of Emergency caused by the SARS-COV-2 pandemic (COVID-19) in 2020, new work strategies had to be implemented in Mexico and various countries for organizations whose activities were not considered essential. One such strategy was to allow employees to work from home in order to contain the spread of the virus.

Due to the uncertainty caused by the pandemic and the restrictions established by the State, it became highly necessary to regulate the work performed through the home office.

Therefore, in mid-2020 an amendment to the FLL was designed to regulate labor relations for work through the home office, which resulted in the publication of a Decree amending the Law in the Federal Official Gazette.

  2. Considerations of the Personal Data Protection Decree

Concepts such as Home Office, Information and Communication Technologies, Infrastructure, Networks, Software, Applications and Devices, Information Management, and technological components to create, modify, store and protect information are all included under article 330-A of the FLL.

In this regard, the amendment details the definition of home office and establishes information and communication technologies (ICT) as working tools. In this context, the amendment defines ICTs as the infrastructure, service, networks, applications and devices necessary to perform work, as well as the tools that modify, store and protect information contained in devices.

The amendment also establishes obligations for employers that use the home office. One such obligation is the implementation of security measures for the data used by those working through the home office. In addition, there is an obligation to provide training to staff on new technologies to ensure they adapt to them.

On the other hand, employees working through the home office will have the obligation, among others, to comply with and observe data protection policies or guidelines in the performance of their work, as well as the prohibition on the use and storage of such data.

Additionally, one of the obligations to take into account is the use of operational technological tools to supervise work, since these must be used only in line with their purpose and guarantee the right to privacy, in compliance with the personal data protection regulations. It is also noted that video and microphones to monitor activities should be used only when necessary and in extraordinary circumstances.

The amendment to the FLL implies that organizations have to make changes in matters relating to privacy, data protection and information security. Organizations need to analyze whether the tools used to monitor productivity could result in an intrusion into the worker’s privacy, a situation that could possibly be addressed under the second transitory article of the amendment, which provides for an Official Mexican Standard that the Ministry of Labor and Social Security must issue. Moreover, since work will be performed outside the employer’s facilities, when personal data is handled it will be necessary to modify privacy policies and to determine whether the existing security measures (physical, technical and administrative) are sufficient for the home office or whether they must be updated, since data protection obligations do not end with this reform; rather, the original conditions change.

Due to the current situation, certain tools have been developed for measuring employees’ productivity. These tools obtain certain information, such as the use of applications (Email, Word, Excel or Teams) and the devices used to access such applications, among others. It is important that organizations regulate such information for the appropriate purposes and that it is considered personal data.

With regard to security measures, it is necessary to analyze whether the measures deployed in the organization can work for the home office system. If they are not sufficient, the measures in question must be changed in order to avoid any intrusion by an unauthorized third party. For example, if an employee working through the home office connects through his home network, the connection should be made via a VPN (Virtual Private Network). This means that the home internet connection must be made with the functionality, security and management of a private network such as that of the organization, which is used to avoid intrusions from unauthorized third parties and to shield the organization’s information.

If you require additional information on any particular topic discussed in this article, please feel free to contact us.

*This article was written by Israel Ledesma and Gustavo Miranda, attorneys at law, and may contain personal opinions independent from the law firm for which they work. If you intend to apply any of the above provisions or interpretations, we recommend that you consult Jáuregui y Del Valle, S.C. or another qualified advisor prior to doing so.

© 2020, Jáuregui y Del Valle, S.C. All Rights Reserved. This information pertains to JDV and its external distribution must be authorized. Printing and distribution hereof are permitted.