Employer guidelines on data privacy

By Neptali B Salvanera, ACCRA Law Offices

Republic Act No. 10173, also known as the Data Privacy Act (DPA), was enacted on 15 August 2012. Subsequently, the National Privacy Commission (NPC) promulgated the Implementing Rules and Regulations (IRR) on 24 August 2016, and they took effect on 9 September 2017.

Neptali B SalvaneraPartnerACCRA Law Offices
Neptali B Salvanera
ACCRA Law Offices

Although the DPA is not a labour or social legislation per se, it has several provisions that pertain, or have an impact on, the employer-employee relationship. For one, it is necessary for an employer to collect, store, update and in some instances share personal information, especially sensitive personal information of its employees, in relation to human resources management.

From the application of prospective employees until their severance from employment, employers collect and update personal information to process employee benefits, payment of salaries, filing of tax returns, remittance of contributions to government agencies, etc. Such collection and updating of personal information is within the scope of “processing”, which, in simple terms, is defined by the IRR as any operation performed upon personal data.

An employer is considered as either a personal information controller or personal information processor vis-à-vis its employees, depending on whether the employer itself processes the employee data or outsources the same to third parties.

Accordingly, employers are mandated to comply with the applicable guidelines on the adoption of organizational, physical and technical security measures required under the IRR.

Employees enjoy the rights of data subject under the act and employers must respect this. Data subjects have the right to be informed, object, access, rectify, erase or block data, as well as the right to damages.

The IRR provides that the data subjects must have the right to object to the processing of their personal data, and to withhold consent to the processing. When a data subject objects or withholds consent, the personal information controller must no longer process the personal data, unless “the collection and processing are for obvious purposes, including, when it is necessary, for the performance of, or in relation to, a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject”.

Does this mean, then, that consent is no longer required in the processing of personal data of applicants and employees? The general rule is that consent is necessary, but could this be an exception? Is the employer required to get consent of the applicant or employee if the processing is necessary or desirable in the context of an employer-employee relationship? The key here is to understand the meaning and import of the phrase “necessary or desirable in the context of an employer-employee relationship”. However, this is vague and susceptible to interpretations. The author believes it is imperative that the NPC clarifies this.

Another provision in the act that has a relation to employment is the one on data sharing. The DPA and its IRR provide that further processing of personal data collected from a party other than the data subject must be allowed if, among other requirements, the data subject consents to data sharing. The DPA further provides that consent for data sharing must be required even when the data are to be shared with an affiliate or mother company, or similar relationships.

The act also requires that the data subject be provided with the following information before data are shared: (1) identity of the personal information controllers or personal information processors that will be given access to the personal data; (2) purpose of data sharing; (3) categories of personal data concerned; (4) intended recipients or categories of recipients of the personal data; (5) existence of the rights of data subjects, including the right to access and correction, and the right to object; and (6) other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing. Multinational companies with cross-border policies on processing and transfer of personal data of their employees should take note of these requirements.

Finally, the act and its IRR provide that provisions on the rights of data subjects do not apply “to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject”. So in an administrative investigation involving an employee who committed an infraction of company rules, he/she cannot, arguably, invoke his/her rights under the DPA.

It must be noted that any limitations on the rights of the employees as data subjects must only be to the minimum extent necessary to achieve the purpose of the undertaking or investigation. While consent may not be necessary, or employees may not invoke their rights in some instances, the employer is still required to implement safety measures to protect the personal data of its employees. The act goes beyond data privacy – much of it pertains to data protection.

Neptali B Salvanera is a partner in the Labour and Employment Department of ACCRA Law Offices


ACCRA Law Offices

Manila office: ACCRALAW Tower, 2nd Avenue corner
30th Street, Crescent Park West, Bonifacio Global City

1635, Taguig City, Metro Manila, Philippines

Contact details:

Tel: +63 2830 8000

Email: nbsalvanera@accralaw.com