June 5, 2020 | 11:23 PM GMT+0800 Last Edit: December 12, 2020
We issue the following guidance and response to the updated FAQs raised by stakeholders’ concerns on returning-to-work and current work-from-home arrangements.
We expect employers, whether in the government or the private sector, to process personal data responsibly and with accountability in order to address existing health threats brought by COVID-19. We also expect employees to cooperate with the reasonable and appropriate collection of their information to mitigate COVID-19 related risks and keep their co-workers and visitors safe. Overall, our guidelines are intended to produce best practices in the workplace that now extend to the homes of employees working remotely.
The National Privacy Commission (NPC) remains steadfast that in this extraordinary time, public health remains our primary concern and that the Data Privacy Act is not a hindrance to beating COVID-19. It is our view that the effective use of personal data is crucial in winning this battle and recovering in its aftermath. And we must remain vigilant in this fight by being mindful of our own health and the health and safety of others.
RAYMUND ENRIQUEZ LIBORO
There is legitimate basis for employers to collect additional personal data that includes health information from employees during the pandemic. Employers may collect personal data that are necessary for a specified and legitimate purpose to help control the spread of the virus and keep their workers and visitors safe. Parallel guidelines have been issued by concerned government agencies in this regard: i.e. contact tracing rules of the Department of Health (DOH), guidelines on COVID-19 prevention in the workplace of the Department of Trade and Industry (DTI) and the Department of Labor (DOLE), or guidelines on alternative work arrangements of the Civil Service Commission (CSC), among others. Employers should refer to these guidelines in coming up with their COVID-19 related policies.
In collecting and processing data from the employees, which shall inevitably include health data, all employers are enjoined to adhere to data privacy principles of: transparency, legitimate purpose and proportionality. Keep collection to the minimum information necessary and use appropriate means to achieve the purpose. It is essential for employers to be transparent with their employees during this time.
Once collected, reasonable and appropriate safeguards should be in place to ensure the security of the physical or electronic forms used, i.e., health symptoms questionnaires or health status survey forms, under the custody of the employer.
Set a health information policy within the company considering the following, among others: determination of who is authorized to gather the information, who should know the results, how to secure the information, and how to disclose it to authorities when necessary.
Employers may retain the personal data from employees as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. After the fulfillment of such purpose/s, personal data shall be disposed of in a secure manner that would prevent any unauthorized processing.
Yes. Employers may regularly check the temperature of employees returning to work.
According to the DOH Department Memorandum No. 2020-0220, employees physically reporting to their workplaces shall be screened for COVID-19 symptoms, including fever, cough, colds, and other respiratory symptoms. Daily temperature and symptom monitoring and recording of all staff who will report for work are part of prevention and control measures.
Hence, it is necessary to conduct temperature checks under existing issuances of the various public authorities. Employees should find it reasonable to be screened and must cooperate with their employers to ensure the safety of all returning employees. Employers are expected to use reasonable measures to ensure privacy when doing the collection, like instructing security guards or other personnel to refrain from publicly announcing a person’s temperature results and putting in place protocols to implement minimum health standards mindful of the rights and freedoms of data subjects.
Yes. Travel history is now included in usual medical assessments. Employers may collect such data in compliance with the DOH requirements.
Any disclosures of employee health data related to COVID-19 must be limited to 1) the DOH, 2) entities authorized by the DOH, and 3) entities authorized by law, following all existing protocols on the matter. Use of collected employee data shall be solely for the specified and declared purpose/s.
Yes. Temperature checks, results of antibody testing, and/or COVID-19 diagnosis may be retained as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. Retention requires that appropriate security measures (i.e. organizational, physical, and technical) are implemented in order to prevent unlawful processing or unauthorized access by other employees or third parties.
On work from home (WFH):
Yes, employers in exercising their legitimate interest may monitor employees during WFH but should balance it with the rights and freedoms of their employees and adherence to the general data privacy principles. We reiterate the discussions in NPC Advisory Opinion No. 2018-084: monitoring employee activities when he or she is using an office-issued computer may be allowed under the DPA, provided the processing falls under any of the criteria for lawful processing under Sections 12 and/or 13 of the law.
Employers must be transparent to the employees and notify them that they are being monitored. There should be an assessment of the necessity and proportionality of the monitoring (i.e. the method of monitoring) vis-à-vis the objective of the same (i.e. ensuring productivity while under WFH). It is also recommended for the employers to conduct a privacy impact assessment (PIA) of the monitoring software to determine risks and how to mitigate them. Employers should likewise implement clear policies with regard to their monitoring procedures.
Further, less privacy intrusive means of monitoring should be considered rather than excessive and disproportionate mechanisms such as tracking mouse movements, recording keystrokes, taking random photos of the computer screen, enabling webcams to take a picture of the employee, etc.
No. The proportionality principle dictates that the processing of information shall be adequate, relevant, suitable, necessary, and not excessive. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. Employers should avoid extreme privacy intrusive means of managing employees as there are other available means of ensuring that employees are doing their assigned tasks.
Employers can secure personal data processing systems being used during WFH by providing proper ICT equipment and support facilities and mechanisms to the employees. More importantly, data protection and privacy policies should be in place to guide the staff.
Specifically, for the government, the heads of agencies shall ensure that employees have access to or are provided with communication equipment or facilities (laptop, computer, internet, telephone, mobile phone, etc.) to carry out their functions.
You may refer to our previous bulletin on WFH: NPC PHE Bulletin No. 12 on Protecting Personal Data in a Work From Home Arrangement (https://www.privacy.gov.ph/2020/05/npc-phe-bulletin-no-12-protecting-personal-data-in-a-work-from-home-arrangement/).
For more information, please refer to the following related issuances: