Data Privacy

Updated Privacy Guidelines Affecting Employees Who Are Returning-To-Work or Under A Work-From-Home Arrangement

(As of 22 June 2020)

To address stakeholders’ concerns on returning to work and current work-from-home arrangements, the National Privacy Commission (NPC) issued the following guidelines intended to produce best practices in the workplace that now extend to the homes of employees working remotely:

On collection of health data of employees returning to work:

  • Employers may collect personal data that are necessary for specified and legitimate purpose to help control the spread of the virus and keep the workers and visitors safe.
  • In coming up with COVID-19 related policies, employers should refer to parallel guidelines issued by concerned government agencies, such as the DOH Contact Tracing Rules, DTI and DOH Guidelines on COVID-19 Prevention in the Workplace, or the CSC Guidelines on Alternative Work Arrangements, among others.
  • Employers should set a health information policy within the company considering the following, among others: determination of who is authorized to gather the information, who should know the results, how to secure the information, and how to disclose it to authorities when necessary.
  • Employers are enjoined to adhere to data privacy principles of transparency, legitimate purpose and proportionality in collecting and processing data from the employees.
  • Employers may regularly check the temperature of employees returning to work in line with DOH Department Memorandum No. 2020-0220. Employers are, however, expected to use reasonable measures to ensure privacy when doing the collection like instructing security guards or other personnel to refrain from publicly announcing a person’s temperature results.
  • Employers may continue to check travel history and data of employees in compliance with the DOH requirements.
  • Employers may retain the personal data from employees (including results of temperature checks, antibody testing and/or COVID-19 diagnosis) as necessary to fulfill the purpose for which these are collected, pursuant to the protocols of the relevant public authorities.
  • Retention however requires that appropriate security measures are implemented to prevent unlawful processing or unauthorized access by other employees or third parties.
  • Any disclosure of employee’s health data related to COVID-19 must be limited to the DOH, entities authorized by the DOH and entities authorized by law, following all existing protocols on the matter. Use of collected employee data shall solely be for the specified and declared purpose/s only.

On monitoring employees under work-from-home arrangement (WFH):

  • Employers, in exercising their legitimate interest, may monitor employees during WFH but should balance it with the rights and freedoms of their employees and adherence to the general data privacy principles. Monitoring employee activities when he or she is using an office-issued computer may be allowed under the Data Privacy Act, provided the processing falls under any of the criteria for lawful processing under Sections 12 and/or 13 of the Data Privacy Act. Employers must notify employees that they are being monitored.
  • Employers cannot require employees, as proof of work done during the day, to stay on video during business hours or even beyond as when they render overtime work. Employers should avoid extreme privacy intrusive means of managing employees as there are other available means of ensuring that employees are doing their assigned tasks.
  • Employers can secure personal data processing systems being used during WFH by providing proper ICT equipment and support facilities and mechanisms to the employees. Data protection and privacy policies should be in place to guide the staff.

Click here to read the entire text of NPC PHE Bulletin No. 14.

This updates the previous articles on “Data Privacy Rights Remain Despite COVID-19 Crisis” and “Data Collection and Disclosure Amid COVID-19 Public Health Emergency.”

Disclaimer: The information in this website is provided for general informational purposes only. No information contained in this post should be construed as legal advice from Platon Martinez or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances.