AI, employee privacy and COVID-19
For more than a year now, the current COVID-19 pandemic has affected “how we do things” in all aspects of our lives. Apart from “shocking ” our health systems, this pandemic forced companies to adapt in order to survive, drastically changing working arrangements. Caught in a difficult exercise of balancing interests of protecting health and providing continuous employment, most companies implemented remote working or work-from-home (WFH) arrangements for their employees. Among others, companies implemented tools and processes to ensure that WFH employees remain productive and comply with the company rules and policies. The deployment of technological resources such as artificial intelligence (AI) to monitor WFH employees prove to be efficient, especially for those that deal significantly with confidential records and personal information of various clients and customers. Nonetheless, concerns have been raised whether the use of AI in WFH employee monitoring (such as use of webcams integrated in WFH PCs and devices) violate one’s right to privacy.
The National Privacy Commission’s (NPC) Advisory Opinion (AO) No. 2020-004 on “Guidelines on the Use of Closed-Circuit Television (CCTV) Systems” does not expressly prohibit the use of such work-monitoring AI tools since it applies to companies “engaged in the processing of personal data through the use of CCTV systems operating in public and semi-public areas.” A “semi-public” space refers to “a space that, even if privately owned, is accessible to the public during operating hours.” For an employee who is working remotely within the confines of one’s home and not in an “unsecure” public or semipublic area, this NPC AO does not squarely apply to the use of AI and other technological tools a company uses in connection with WFH computers or devices.
This notwithstanding, in an earlier opinion, i.e., Advisory Opinion No. 2018-084 on “Computer Monitoring,” the NPC stated that where the computer monitoring results in the collection of personal information of employees, employers are considered engaged in the “processing personal data” as defined under our privacy law, and thus, covered by the provisions of the Philippine Data Privacy Act of 2012 (DPA). As such, the monitoring of employee activities when the employee is using an office-issued computer (which clearly includes the use of A.I. software and other tools) is allowable under the DPA, provided that such “processing” falls under the criteria for lawful processing of personal data under Sections 12 (for non-sensitive personal information) and/or 13 (for sensitive personal information) of the DPA.
Under Section 12 of the DPA, the processing of non-sensitive personal information is permitted only if not otherwise prohibited by any law, and when at least one of any of the following conditions exists:
a.) Consent from data subject (in this case, the employee) is secured;
b.) Processing of personal information is necessary to the fulfillment of a contract with the data subject;
c.) Processing is necessary for compliance with a legal obligation;
d.) Processing is necessary to protect important interests of the data subject (such as life and health);
e.) Processing is necessary due to national emergency, or public order and safety; or,
f.) Processing is necessary to pursue the legitimate interests of the company.
Meanwhile, Section 13 of the DPA provides that processing of sensitive personal information shall be generally prohibited, except in any of the following cases:
a.) Consent from data subject (in this case, the employee) is secured;
b.) Processing is provided for by existing laws and regulations, and that the latter guarantees the protection of the sensitive personal information and expressly provides that consent of the data subjects is not required;
c.) Processing is necessary to protect the life and health of data subject who is legally or physically unable to express consent;
d.) Processing is necessary for lawful, noncommercial objectives of public organizations so long as it is only confined and related to their members and consent of the data subject was obtained;
e.) Processing is necessary for purposes of medical treatment; or,
f.) Processing is necessary for the protection of lawful rights and interests of persons in court proceedings, or when provided to government or public authority.
Considering that the use of AI technology as a WFH monitoring tool is within the scope of the DPA, companies employing such security measures must ensure that the “processing” complies with the privacy principles of transparency, legitimate purpose, and proportionality. The company must first inform the employee of the legitimate purpose/s of the processing of personal data and obtain the consent of the employee with respect to the use and implementation of the AI technology. Moreover, the method of data collection must also be proportional to the fulfillment of the purpose/s of the company and the use of computer monitoring is allowed only if it cannot be fulfilled by any other less privacy-intrusive means.
Further, the NPC recommends that employers conduct a Privacy Impact Assessment and prepare a policy or set of guidelines on the use of the company-issued devices and equipment containing at least the following information: 1.) purpose/s that computer monitoring seeks to fulfill; 2.) circumstances of monitoring, including the time and place it may be conducted; 3.) kinds of personal data that may be collected in the course of monitoring; 4.) criteria for accessing monitoring records; 5.) retention period of recordings or footages; 6.) security measures pertaining to storage, disclosure and disposal of recorded information; 7.) authorized personnel who have access and control over the system in place; and, 8.) procedure on how employees may lodge a complaint in case of violation of their rights, including the right to access their own personal data collected. All the foregoing information are prescribed by the DPA and its implementing rules and regulations.
n
The invaluable help of attorneys Maria Isabel M. Llave (mmllave@ accralaw.com) and Mary Erica D. Manuel (mdmanuel@accralaw. com) for the research involved for this article is acknowledged.
This article is for general informational and educational purposes only and not offered as, and does not constitute, legal advice or legal opinion.