
Data Privacy in the Workplace: Compliance with Philippine Data Privacy Laws

In today's world, data privacy has become an essential concern for both individuals and organizations. The personal data of individuals has become a valuable asset for businesses, which use it for various purposes such as marketing, product development, and analytics. However, with the increasing use of technology, the risk of data breaches and cyberattacks has also increased. Hence, the Philippines has enacted several laws and regulations related to data privacy, including the Data Privacy Act of 2012 (DPA) and its implementing rules and regulations (IRR), which aim to protect the privacy of personal information collected, processed, and stored by both government and private entities.

In terms of data privacy in the workplace, employers in the Philippines are required to comply with the DPA and the IRR, which provide guidelines for the collection, use, storage, and disposal of personal information of employees and job applicants. Failure to comply with these laws and regulations may result in penalties such as fines, imprisonment, or both. In addition, affected employees or job applicants may file a complaint with the National Privacy Commission (NPC) or seek damages through civil action.

This blog will discuss the key points that employers in the Philippines need to consider for compliance with data privacy laws in the workplace.

The Data Privacy Act of 2012 and its Implementing Rules and Regulations

The Data Privacy Act of 2012 (DPA) is a law that aims to protect the privacy of personal information collected, processed, and stored by both government and private entities. The DPA defines personal information as any information that can be used to identify an individual, such as name, address, contact details, and other sensitive information.

The Implementing Rules and Regulations (IRR) of the DPA provide guidelines for the proper handling of personal information. The IRR covers topics such as data protection principles, the rights of data subjects, data privacy impact assessment, and other relevant matters.

Data Privacy Compliance in the Workplace

Employers in the Philippines are required to comply with the DPA and IRR when it comes to collecting, using, storing, and disposing of the personal information of their employees and job applicants. Employers who do not comply with the DPA and IRR may face penalties such as fines, imprisonment, or both. In addition, affected employees or job applicants may file a complaint with the National Privacy Commission (NPC) or seek damages through civil action.

Key Points for Employers to Consider for Compliance with the DPA and IRR

  1. Obtaining Consent

Employers must obtain the consent of employees or job applicants before collecting their personal information, and inform them of the purpose and scope of the collection. The consent must be voluntary, specific, and informed, and should be obtained before the collection, processing, or storage of personal information. Employers should also inform employees and job applicants of their rights under the DPA and IRR.

  2. Limiting Collection and Use of Personal Information

Employers must only collect and use personal information that is necessary and relevant for the purposes for which it was collected, and ensure that such information is kept confidential. Employers must not collect personal information that is not relevant to their operations or that is excessive in relation to the purpose of the collection.

  3. Implementing Security Measures

Employers must implement reasonable and appropriate security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. These security measures may include physical, technical, and administrative safeguards such as access controls, encryption, and security awareness training.

It is also important to ensure that the personal information collected from employees and job applicants is kept confidential and only shared with authorized personnel who need access to the information for legitimate business purposes.

In addition, employers must implement reasonable and appropriate security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. This includes physical, technical, and organizational measures such as encryption, access controls, and employee training on data privacy and security.

Retention and Disposal of Personal Information

Employers must retain personal information only for as long as necessary for the fulfillment of the purposes for which it was collected, and dispose of it properly when no longer needed. This is to ensure that personal information is not retained longer than necessary, as this increases the risk of unauthorized access or use of the information.

Employers should have clear policies and procedures for the retention and disposal of personal information, and ensure that employees are trained on these policies and procedures. Disposal of personal information should be done securely, such as through shredding, to prevent unauthorized access or use.

Reporting Data Breaches

Employers must report any data breach that may pose a risk to the rights and freedoms of data subjects to the National Privacy Commission (NPC) within 72 hours of becoming aware of the breach. This is to ensure that affected individuals are notified of the breach and can take steps to protect themselves from potential harm.

Employers should have clear procedures in place for reporting data breaches, and ensure that employees are trained on these procedures. In addition, employers should regularly review and test their incident response plans to ensure that they are effective and up-to-date.

Penalties for Non-Compliance

Non-compliance with the DPA and the IRR may result in penalties such as fines, imprisonment, or both. In addition, affected employees or job applicants may file a complaint with the NPC or seek damages through civil action.

It is important for employers in the Philippines to ensure that they have proper policies and procedures in place to comply with the data privacy laws and regulations and to regularly review and update these policies and procedures as needed to stay current with any changes in the law or technology.

Conclusion

Data privacy in the workplace is an important issue that employers in the Philippines must take seriously. Compliance with the DPA and the IRR is crucial to protect the personal information of employees and job applicants and to avoid potential legal and reputational risks.

Employers should ensure that they obtain consent from individuals before collecting their personal information, limit the collection and use of personal information, implement security measures to protect personal information, and properly retain and dispose of personal information. Employers should also have clear procedures in place for reporting data breaches and regularly review and update their policies and procedures to stay current with any changes in the law or technology.

Written by: Pinoy Attorney