201 files and data privacy

Dear Atty. Angela,

Our human resources manager informed us that the company's internal auditor will conduct an audit and will need to gain access to our 201 files and payroll information. All our personal and salary details are there, and I am afraid that this could be a cause of exposure to us employees. I would like to know if this is legal and whether this act of the company would be violative of our Data Privacy rights.

Maggie

***

Dear Maggie,

The National Privacy Commission has released a legal memo in its Advisory Opinion 2019-010 where it clarified the privacy status of employee 201 Files with respect to access of an internal company auditor. It opined that the Audit Committee is responsible, among its functions, for overseeing the senior management in establishing and maintaining an adequate, effective and efficient internal control framework.

As such, the NPC declared that internal auditors are legally allowed to access 201 files so long as they follow the conditions set forth in Sections 12 and 13 of the Data Privacy Act. It was expressly stated that:

"To the extent that these reports are required under law or regulation and are necessary for compliance with the company's legal obligation, such processing of personal information of the employees related to the accomplishment of such reports are allowed under the pertinent provisions under Sections 12 and 13 of the DPA. Furthermore, reasonable processing of personal information may be allowed to further the company's legitimate interests, which may include the development of a strong corporate governance culture."

"In the situation at hand, internal auditors may be allowed access to the 201 files of employees which may contain personal information, only in so far as may be necessary for their functions, which may include the inspection and examination of employee requirements, payroll, and benefits."

However, the NPC was mindful in reiterating that a personal information controller must be appointed to protect the personal information of employees where access controls are established, particularly granting only limited authority to access:

"Because employees' 201 files may contain sensitive personal information, and thus, access to which must be regulated by institutionalized policies on authority to access. Under Section 20 of the DPA, a personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing."

Atty. Angela Antonio

Daily Tribune
tribune.net.ph