Projet de recommandation – Enquêtes de mesure de la diversité au travail
Diversity is an important issue for employers and measuring it in the workforce is a useful tool for promoting equal opportunities. However, surveys to measure diversity, while legal, require special precautions to protect personal data and ensure respect for the privacy of employees and agents.
The monitoring of these surveys is not new. In 2012, the Défenseur des Droits and the CNIL published a guide entitled “Measurer pour progresser vers l’égalité des chances” to provide clear answers.
On 9 July 2024, the CNIL submitted a recommendation for public consultation. All stakeholders, employers and employees alike, can take part in the consultation, which will be open until 13 September 2024, to give their opinion on the draft guide.
As part of this consultation, the CNIL has published a draft recommendation to guide the implementation of surveys to measure diversity in the workplace.
This guide sets out the best practices to be applied during these surveys:
1. Limit the amount of data collected
The CNIL advises employers to limit the amount of data collected. Multiple-choice questions are preferable to open-ended questions in order to limit the amount of information collected and the risk of identification.
The collection of certain data is also prohibited. In its decision no. 2007-557 DC of 15 November 2007, the French Constitutional Council prohibited questions relating to the ethnic origin or race of respondents. Subjective questions about employees’ feelings may be asked, with all the necessary precautions.
2. Protection of the anonymity of the employees and agents interviewed
The CNIL points out that the results collected must be anonymous and that no data may be used to identify the employee (telephone number, date of birth, etc.). If the questionnaire is conducted online, it is therefore advisable to exclude the use of personal identifiers.
Similarly, the cross-referencing of questions should not make it possible to identify the respondent. The CNIL therefore recommends that questions are formulated in very broad terms. Asking for an age range is preferable to asking for a specific age.
If anonymity can be achieved, the data collected is no longer subject to data protection rules, as it is no longer of a personal nature.
In any case, it is not always possible to make the data anonymous, especially in the case of small structures. This does not make the survey illegal, but safeguards must be put in place (anonymisation of results before dissemination).
3. Ensuring the voluntary nature and consent of participants
In order to respect the rights and freedoms of workers, it is necessary to ensure that their participation is optional and voluntary. Voluntary participation must be unrestricted and free from coercion. It must take the form of a positive act, such as following a link. Refusal to participate may not be penalised.
The collection of sensitive data (Art. 9 RGPD) is generally prohibited. This applies in particular to
- trade union membership
- state of health
- political opinion
- etc.
If these surveys concern sensitive data, the prohibition on collecting them can be lifted by the explicit consent of the employee. Consent must be given by a clear positive act, such as ticking a box.
4. Guarantee of the legitimate purpose of the survey
The CNIL stipulates that a balance must be struck between the employer’s interests and the employee’s right to privacy. The purpose of the collection of personal data must be specific, explicit and legitimate. The sole purpose of the survey must be to improve equal opportunities in the workplace and to take collective action.
The collection of personal data leading to individual decisions about employees would constitute a misuse of the purpose.
5. Use of a trusted third party
There is no legal requirement to use a trusted third party to administer the survey. However, using a service provider will ensure the security and confidentiality of the data collected. The employer will then have access to the results of the survey and not to the data collected, thus guaranteeing the anonymity of the participating employees.
The draft Recommendation also proposes to
- Define the responsibilities for processing (data controller, data processor, joint controllers);
- Define retention periods;
- carrying out a data protection impact assessment.
This list of measures is not exhaustive. It has been extracted from the CNIL’s draft, which will lead to the publication of a final recommendation after a public consultation.