Data privacy and employment
In an investigation involving an erring employee, he cannot invoke his rights under the data privacy law.
Republic Act No. 10173, also known as the Data Privacy Act (DPA), was enacted on Aug. 15, 2012. Subsequently, the National Privacy Commission (NPC) promulgated the Implementing Rules and Regulations (IRR) on Aug. 24, 2016. The IRR took effect on Sept. 9.
Although the DPA is not a labor or social legislation per se, it has several provisions that pertain to or have an impact on the employer-employee relationship.
For one, it is necessary for an employer to collect, store, update, and, in some instances, share personal information, especially sensitive personal information, of its employees in relation to human resources management.
From the application of prospective employees until their severance from employment, employers collect and update personal information to process employee benefits, payment of salaries, the filing of tax returns, the remittance of contributions to government agencies, etc. Such collection and updating of personal information is within the scope of “processing,” which, in simple terms, is defined by the IRR as any operation performed upon personal data. An employer is considered as either a personal information controller or personal information processor vis-à-vis its employees, depending on whether the employer itself processes the employee data or outsources the same to third parties.
Accordingly, employers are mandated to comply with the applicable guidelines on the adoption of organizational, physical, and technical security measures as required under the IRR. Furthermore, employees enjoy the rights of data subjects under the Act and employers must respect the same. Data subjects have the rights to be informed, to object, to access, to rectification, to erasure or blocking, and to damages.
In this regard, the IRR provides that the data subject shall have the right to object to the processing of his personal data, and to withhold consent to the processing.
When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless “the collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject.”
What does this mean? Does it mean then that consent is no longer required in the processing of personal data of applicants and employees?
The general rule is that consent is necessary. Could this be one of the exceptions then? Is the employer required to get the consent of the applicant or employee if the processing is necessary or desirable in the context of an employer-employee relationship? The key here is to understand the meaning and import of the phrase “necessary or desirable in the context of an employer-employee relationship.” However, this is vague and susceptible to varying interpretations. Thus, I believe it is imperative that the NPC should clarify this.
Another provision in the Act that has a relation to employment is the one on data sharing.
The DPA and its IRR provide that further processing of personal data collected from a party other than the data subject shall be allowed if, among other requirements, the data subject consents to data sharing.
The DPA further provides that consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships. The Act also requires that the data subject be provided with the following information before data is shared: (a) identity of the personal information controllers or personal information processors that will be given access to the personal data; (b) purpose of data sharing; (c) categories of personal data concerned; (d) intended recipients or categories of recipients of the personal data; (e) existence of the rights of data subjects, including the right to access and correction, and the right to object; and (f) other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing. Multinational companies with cross-border policies on processing and transfer of personal data of their employees should take note of the foregoing requirements.
Finally, the Act and its IRR provide that the provisions on the rights of data subjects do not apply “to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.”
Thus, in an administrative investigation involving an employee who committed an infraction of company rules, he cannot, arguably, invoke his rights under the DPA. This interpretation is in consonance with the well-settled doctrine in labor law that technical rules do not strictly apply to administrative investigations. Only the minimum requirements of due process in administrative investigations — twin notice and administrative hearing — are required to be complied with, at least procedurally.
The foregoing discussions notwithstanding, it must be noted that any limitations on the rights of the employees as data subjects shall only be to the minimum extent necessary to achieve the purpose of the undertaking or investigation.
While consent may not be necessary or the employees may not invoke their rights in some instances, the employer is still required to implement safety measures to protect the personal data of its employees. For, notwithstanding the title, the Act goes beyond data privacy — much of it pertains to data protection.
The views and opinions expressed in this article are those of the author. This article is for general informational and educational purposes only and not offered as and does not constitute legal advice or legal opinion.