METRO

Employee data

Joji Alonso

Dear Atty. Peachy,

I am writing to seek your advice regarding some concerns I have about data privacy in my workplace. I work for a company where I am employed as an HR officer. Recently, our company implemented a new digital system that requires employees to input personal information, including their home addresses, contact numbers, and even sensitive data like medical history and emergency contacts. While I understand the necessity of maintaining updated records for employee management, I am worried about how this data is being handled, especially when it comes to privacy and security.

One incident that heightened my concern occurred when a colleague of mine mentioned that she saw a list containing personal details of several employees on a shared drive accessible to staff not directly involved in HR operations. Furthermore, I am not sure if proper consent was obtained when employees were asked to provide sensitive information.

Could you please clarify the following:

1. What are the obligations of employers under the Philippine Data Privacy Act (DPA) concerning employee data?

2. How can employees ensure their data is being handled appropriately and securely?

3. What recourse do employees have if they believe their data privacy rights have been violated?

I want to make sure that our company is compliant and that the personal information of employees is protected. Thank you very much for your assistance.

Rose

***

Dear Rose,

It is commendable that you are proactively seeking to understand your rights and responsibilities in light of the Philippine Data Privacy Act (DPA) of 2012 (Republic Act 10173). Protecting personal information in the workplace is crucial, and employers have specific legal obligations under this law.

Employers in the Philippines are required to adhere to several key obligations under the DPA, including:

1. Data Collection and Processing: Employers must gather and process employee data in a legitimate manner and only for specified, legitimate purposes. This means that the reason for collecting personal information should be clear and communicated to employees.

2. Consent: Prior to collecting and processing sensitive personal information, employers must secure explicit consent from employees. Consent should be informed, meaning employees are aware of what their data will be used for and how it will be handled.

3. Data Security: Employers are required to implement reasonable and appropriate organizational, physical, and technical measures to protect personal data against unauthorized access, use, modification, or disclosure.

4. Confidentiality: Personal data must be treated with confidentiality. Employees’ data should only be accessible to authorized personnel and for specific, legitimate tasks.

5. Data Retention Policies: Employers must establish clear policies regarding the retention of employee data. Data should not be kept longer than necessary for the purposes it was collected for.

6. Data Processing Agreements: If data handling is outsourced to third parties, employers must ensure that safeguards are in place and that these parties also comply with data privacy regulations.

As an HR officer, you can help ensure that data is handled appropriately by:

1. Reviewing Policies: Familiarizing yourself with your company’s data privacy policies and ensuring they are aligned with DPA requirements.

2. Training Staff: Conducting training sessions for all employees regarding data privacy principles, focusing on confidentiality and responsible data handling practices.

3. Reporting Incidents: Establishing clear channels for reporting any data breaches or unauthorized access to personal information.

4. Advocating for Security Measures: Proposing that your company implement strict access controls for sensitive data files and regular audits of data access logs to prevent unauthorized viewing.

If employees believe their data privacy rights under the DPA have been violated, they have several recourses:

1. Internal Reporting: Employees can initially report their concerns to their HR department or designated data protection officer within the company.

2. Filing Complaints: If the issue is not resolved internally or if the violation is severe, employees may file a complaint with the National Privacy Commission (NPC). The NPC has the authority to investigate complaints and impose penalties on entities that violate data privacy laws.

3. Legal Action: In cases of significant damages resulting from a data breach, affected employees may seek legal remedies through civil action in court, depending on the specifics of the case.

It is essential for both employers and employees to have a clear understanding of their rights and responsibilities regarding data privacy. Consulting a legal professional specializing in data privacy law can further clarify your specific needs and help ensure compliance within your organization.

Thank you for advocating for data privacy within your workplace; it is vital for creating a secure work environment. If you have any more questions, don’t hesitate to reach out.

Atty. Peachy Selda-Gregorio
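The reply recommends strict access controls on sensitive files and regular audits of data access logs, and the letter describes the failure those controls are meant to catch: an HR list on a shared drive readable by staff outside HR. The following Python script is an added example, not code from the column or from any real company system; it shows what such a review looks like in practice. The share path, the HR group name, the ACL entries, the group membership and the log lines are all constructed for illustration, and the key=value log layout is an assumption rather than any product's real format.

```python
"""Least-privilege review of an HR file share plus an audit of its access log.

This is an added example, not code from the column: the share path, the
HR group name, the ACL entries, the group membership and the log lines are
all constructed for illustration and do not describe any real system.
"""
from dataclasses import dataclass
import re

HR_GROUP = "HR-Staff"                  # assumed: the only principal that should read HR files
HR_PREFIX = r"\\fileserver\shared\HR"  # assumed UNC path of the HR folder on the shared drive


@dataclass(frozen=True)
class AclEntry:
    path: str
    principal: str   # user or group the entry applies to
    rights: str      # "read", "modify" or "full"
    kind: str        # "group" or "user"


# Constructed ACLs. The "Domain Users" entry is the kind of misconfiguration
# that makes an HR list visible to staff outside HR.
SAMPLE_ACLS = [
    AclEntry(r"\\fileserver\shared\HR\employee_master.xlsx", "HR-Staff", "modify", "group"),
    AclEntry(r"\\fileserver\shared\HR\employee_master.xlsx", "Domain Users", "read", "group"),
    AclEntry(r"\\fileserver\shared\HR\medical\records.xlsx", "HR-Staff", "modify", "group"),
    AclEntry(r"\\fileserver\shared\HR\medical\records.xlsx", "jdoe", "read", "user"),
    AclEntry(r"\\fileserver\shared\Projects\roadmap.docx", "Domain Users", "read", "group"),
]

# Constructed group membership (in practice pulled from the directory).
GROUP_MEMBERS = {"HR-Staff": {"rsantos", "mcruz"}}

# Constructed access-log lines; the key=value layout is an assumption, not
# any particular product's format.
SAMPLE_LOG = r"""
2024-05-02T09:14:07Z user=rsantos action=read path=\\fileserver\shared\HR\employee_master.xlsx
2024-05-02T09:20:31Z user=jdoe action=read path=\\fileserver\shared\HR\employee_master.xlsx
2024-05-02T10:02:11Z user=jdoe action=read path=\\fileserver\shared\Projects\roadmap.docx
garbage line that the parser must not silently drop
2024-05-02T11:45:58Z user=pbautista action=copy path=\\fileserver\shared\HR\medical\records.xlsx
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")


def in_hr_folder(path, hr_prefix=HR_PREFIX):
    """True if path is the HR folder itself or anything beneath it (case-insensitive, as on Windows)."""
    p, h = path.lower(), hr_prefix.lower()
    return p == h or p.startswith(h + "\\")


def find_overexposed(acls, hr_group=HR_GROUP, hr_prefix=HR_PREFIX):
    """ACL entries on HR files that grant any rights to a principal other than the HR group.

    Least privilege means the HR folder should carry exactly one non-admin
    principal; every other entry, including a per-user grant, is a finding.
    """
    return [e for e in acls if in_hr_folder(e.path, hr_prefix) and e.principal != hr_group]


def audit_hr_access(log_text, members, hr_group=HR_GROUP, hr_prefix=HR_PREFIX):
    """Return (hits, unparsed): accesses to HR files by non-HR users, and lines the parser rejected.

    Unparseable lines are returned rather than skipped so that a change in
    log format cannot quietly blind the audit.
    """
    allowed = members.get(hr_group, set())
    hits, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        if in_hr_folder(rec["path"], hr_prefix) and rec["user"] not in allowed:
            hits.append(rec)
    return hits, unparsed


if __name__ == "__main__":
    for e in find_overexposed(SAMPLE_ACLS):
        print(f"ACL finding: {e.principal} ({e.kind}) has {e.rights} on {e.path}")
    hits, unparsed = audit_hr_access(SAMPLE_LOG, GROUP_MEMBERS)
    for h in hits:
        print(f"Log finding: {h['ts']} {h['user']} {h['action']} {h['path']}")
    print(f"{len(unparsed)} log line(s) could not be parsed")
```

Run against the constructed data, the ACL review flags the "Domain Users" read grant (the likely cause of the exposure the letter describes) and the stray per-user grant on the medical records, while the log audit surfaces the two non-HR users who touched HR files. The two checks are complementary: the ACL review tells you who could read the data, the log audit tells you who actually did, which is what an incident report or an NPC filing will ask for.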