To address stakeholders’ concerns on returning to work and current work-from-home arrangements, the National Privacy Commission (NPC) issued the following guidelines intended to produce best practices in the workplace that now extend to the homes of employees working remotely:
On collection of health data of employees returning to work: | - Employers may collect personal data that are necessary for specified and legitimate purpose to help control the spread of the virus and keep the workers and visitors safe.
- In coming up with COVID-19 related policies, employers should refer to parallel guidelines issued by concerned government agencies, such as the DOH Contact Tracing Rules, DTI and DOH Guidelines on COVID-19 Prevention in the Workplace, or the CSC Guidelines on Alternative Work Arrangements, among others.
- Employers should set a health information policy within the company considering the following, among others: determination of who is authorized to gather the information, who should know the results, how to secure the information, and how to disclose it to authorities when necessary.
- Employers are enjoined to adhere to data privacy principles of transparency, legitimate purpose and proportionality in collecting and processing data from the employees.
- Employers may regularly check the temperature of employees returning to work in line with DOH Department Memorandum No. 2020-0220. Employers are, however, expected to use reasonable measures to ensure privacy when doing the collection like instructing security guards or other personnel to refrain from publicly announcing a person’s temperature results.
- Employers may continue to check travel history and data of employees in compliance with the DOH requirements.
- Employers may retain the personal data from employees (including results of temperature checks, antibody testing and/or COVID-19 diagnosis) as necessary to fulfill the purpose for which these are collected, pursuant to the protocols of the relevant public authorities.
- Retention however requires that appropriate security measures are implemented to prevent unlawful processing or unauthorized access by other employees or third parties.
- Any disclosure of employee’s health data related to COVID-19 must be limited to the DOH, entities authorized by the DOH and entities authorized by law, following all existing protocols on the matter. Use of collected employee data shall solely be for the specified and declared purpose/s only.
|
On monitoring employees under work-from-home arrangement (WFH): | - Employers, in exercising their legitimate interest, may monitor employees during WFH but should balance it with the rights and freedoms of their employees and adherence to the general data privacy principles. Monitoring employee activities when he or she is using an office-issued computer may be allowed under the Data Privacy Act, provided the processing falls under any of the criteria for lawful processing under Sections 12 and/or 13 of the Data Privacy Act. Employers must notify employees that they are being monitored.
- Employers cannot require employees, as proof of work done during the day, to stay on video during business hours or even beyond as when they render overtime work. Employers should avoid extreme privacy intrusive means of managing employees as there are other available means of ensuring that employees are doing their assigned tasks.
- Employers can secure personal data processing systems being used during WFH by providing proper ICT equipment and support facilities and mechanisms to the employees. Data protection and privacy policies should be in place to guide the staff.
|
