Thursday, January 17, 2013

Employers and the Data Privacy Act

Businessworld - Republic Act No. 10173 (An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes), or the Data Privacy Act, was enacted into law on 15 August 2012.

It seeks to strike a balance between the protection of the fundamental human right to privacy of communication and the free flow of information to promote innovation and growth. The law, principally based on European Union Directive 95/46, also known as the Data Protection Directive, brings the Philippines closer to international standards of privacy protection, and, by virtue thereof, aims to attract foreign investors in the booming information technology and business process outsourcing industry.

The law imposes a set of obligations upon any person or entity (referred to as the “personal information controller”) that controls the collection, holding, recording, storing, updating, disposal, processing or use of the personal information of an individual (referred to as the “data subject”). These obligations include, among others, informing data subjects that their personal information is being processed, providing them with reasonable access to personal information under the control of the personal information controller, immediately correcting personal information found to be inaccurate or erroneous, and indemnifying data subjects for any damages.

The legal definition of “personal information controller” under the law is broad enough to cover employers who, in the normal course of their human resources operations, must necessarily collect and process the personal information of their employees, and even of job applicants.

Hence, employers are required to observe the obligations set forth in the Data Privacy Act, in addition to existing labor laws.

Some of the pressing issues that employers may encounter in the implementation of the law are:

1) Employee access to company records

One of the rights afforded to employees as data subjects is reasonable access, upon demand, to the contents of their personal information under the control of their employer, the sources from and the manner by which information is obtained, and other data relating to how the employer has been processing their personal information. This obligation may be difficult and costly to implement especially for employers who do not normally maintain an organized employee information database. On the other hand, employers who maintain records in the form of 201 files may be hesitant to provide such information since this is not normally made available to employees. The 201 files may also include complaints against the subject employee, performance evaluations from their superiors, results of administrative investigations, and other confidential information not meant to be accessed by the subject employee.

2) Data privacy rights of the employee under investigation

A data subject cannot invoke his access right under the law when the personal information being processed is for the purpose of investigation in relation to any criminal, administrative or tax liabilities against him. The law is silent, however, on whether employee disciplinary investigations may be classified as one of the exceptions that can fall under administrative liabilities. Nonetheless, in the absence of any express exception to the right, the same shall prevail.

3) Extraterritorial application of the law

The law provides an extraterritorial application in instances wherein the personal information involved belongs to a Philippine citizen or resident. This means that the data subject may enforce his rights even against entities based overseas. This may present challenges to some industries, such as the IT-BPO industry, wherein overseas companies require local BPO companies to provide personal information on their employees. In such cases, these overseas companies may technically be classified by the law as personal information controllers and are hence bound by the obligations set forth under the law.

4) Limitations in collecting information from job applicants

Sensitive personal information is a species of personal information clearly defined and enumerated under the law. It includes personal information relating to the race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations, health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person.

It also includes personal information issued by government agencies peculiar to individuals such as social security numbers.

The law imposes more stringent requirements in the collection, processing, and retention of such sensitive personal information. While it is conventional for potential employers to collect and process such sensitive personal information of the applicants, such as school records and NBI clearance, they are only permitted by the law to request and collect such information as is relevant and not excessive for the purpose of the job application. Furthermore, due to the stringent requirements for the processing of sensitive personal information, potential employers are required to first obtain the express consent of the applicant, which must be in written, electronic, or recorded form, prior to the collection and processing of the applicant’s sensitive personal information. The restrictions in obtaining sensitive personal information may present limitations in information-gathering that will allow potential employers to make an uninhibited and informed choice in the selection process of screening applicants.

5) Disposal/retention of employees’ personal information after their resignation

The law allows a data subject to demand the withdrawal, removal, or destruction of his personal information upon substantial proof that the information is no longer necessary for the purpose for which it is collected. Hence, employers may face demands from their former employees to remove their personal information from company records upon their resignation or termination from employment. This may present problems if sometime thereafter, such former employees decide to institute an action against their employer who, having earlier deleted the records of these complainants, is put at a legal disadvantage.

6) Penalties against corporations for violating the law

The law provides that when the offender is a corporation, partnership, or any juridical person, any of its rights under the law may be suspended or revoked. This penalty provision may need further clarification in the upcoming implementing rules of the law. Note that the Data Privacy Act was enacted to protect the privacy rights of the data subject, who is defined as “an individual whose personal information is processed.” As worded, the law does not extend the same rights to juridical entities. Thus, there is an issue as to what particular rights of juridical entities under the law may be suspended or revoked when they have not been granted any privacy rights by the Data Privacy Act in the first place.

The foregoing are snippets of the potential issues brought about by the new law insofar as the employer-employee relationship is concerned. It is important to note, however, that the implementing rules and regulations for the law have yet to be released. We should be expecting a clearer and broader picture of the law and its effects once the rules are released. In the meantime, however, employers should carefully study the law, detect potential issues in their own workplace, and pursue preliminary measures to comply with the same.

(The author is an associate of the Angara Abello Concepcion Regala & Cruz Law Offices [ACCRALAW]. He may be contacted at Tel. No. 830-8000 or email lrsze@accralaw.com).
