The National Privacy Commission (NPC) issued on Friday, June 5, an updated guideline as a response to the concerns raised by stakeholders on returning-to-work and current work-from-home arrangements.
“We expect employers, whether in the government or the private sector, to process personal data responsibly and with accountability in order to address existing health threats brought by Covid-19,” NPC chair Raymund Liboro said in a statement.
“We also expect employees to cooperate to reasonable and appropriate collection of their information to mitigate Covid-19 related risks and keep their co-workers and visitors safe. Overall, our guidelines are intended to produce best practices in the workplace that now extend to the homes of employees working remotely.”
The NPC reiterated that the Data Privacy Act is not a hindrance to beating Covid-19 and an effective use of personal data is crucial in winning the battle and recovering in its aftermath.
1. What type/s of personal data can employers collect from employees? Can employers collect health information? How can this be done with the best consideration for privacy?
There is legitimate basis for employers to collect additional personal data that includes health information from employees during the pandemic. Employers may collect personal data that are necessary for a specified and legitimate purpose to help control the spread of the virus and keep their workers and visitors safe. Parallel guidelines have been issued by concerned government agencies in this regard: i.e. contact tracing rules of the Department of Health (DOH), guidelines on Covid-19 prevention in the workplace of the Department of Trade and Industry (DTI) and the Department of Labor (DOLE), or guidelines on alternative work arrangements of the Civil Service Commission (CSC), among others. Employers should refer to these guidelines in coming up with their Covid-19 related policies.
In collecting and processing data from the employees, which shall inevitably include health data, all employers are enjoined to adhere to data privacy principles of: transparency, legitimate purpose and proportionality. Keep collection to the minimum information necessary and use appropriate means to achieve the purpose. It is essential for employers to be transparent with their employees during this time.
Once collected, reasonable and appropriate safeguards should be in place to ensure the security of the physical or electronic forms used, i.e., health symptoms questionnaires or health status survey forms, under the custody of the employer.
Set a health information policy within the company considering the following, among others: determination of who is authorized to gather the information, who should know the results, how to secure the information, and how to disclose it to authorities when necessary.
2. How long can employers retain the personal data that they have collected?
Employers may retain the personal data from employees as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. After the fulfillment of such purpose/s, personal data shall be disposed in a secure manner that would prevent any unauthorized processing.
3. In keeping with implementing the minimum health standards, can employers regularly check the temperature of employees returning to work? Can employees refuse to have such temperature checks?
Yes. Employers may regularly check the temperature of employees returning to work.
According to the DOH Department Memorandum No. 2020-0220, employees physically reporting to their workplaces shall be screened for Covid-19 symptoms, including fever, cough, colds, and other respiratory symptoms. Daily temperature and symptom monitoring and recording of all staff who will report for work are part of prevention and control measures.
Hence, it is necessary to conduct temperature checks under existing issuances of the various public authorities. Employees should find it reasonable to be screened and must cooperate with their employers to ensure the safety of all returning employees. Employers are expected to use reasonable measures to ensure privacy when doing the collection, like instructing security guards or other personnel to refrain from publicly announcing a person’s temperature results and putting in place protocols to implement minimum health standards mindful of the rights and freedoms of data subjects.
4. Can employers continue checking for travel history and data?
Yes. Travel history is now included in usual medical assessments. Employers may collect such data in compliance with the DOH requirements.
5. Can employers disclose to other parties the health information collected from employees? Can it be used for other purposes? Can they reveal these data to health authorities?
Any disclosures of employee health data related to Covid-19 must be limited to the 1) DOH, 2) entities authorized by the DOH, and 3) entities authorized by law , following all existing protocols on the matter. Use of collected employee data shall solely be for the specified and declared purpose/s only.
6. Can employers retain information collected about employees’ temperature checks, results of antibody testing, and/or Covid-19 diagnosis? How long can they retain such information?
Yes. Temperature checks, results of antibody testing, and/or Covid-19 diagnosis may be retained as necessary to fulfill the purpose for which these were collected, pursuant to the protocols of the relevant public authorities. Retention requires that appropriate security measures (i.e. organizational, physical, and technical) are implemented in order to prevent unlawful processing or unauthorized access by other employees or third parties.
On work from home (WFH):
7. Can employers monitor employees during WFH through the installation of monitoring software in company-issued devices?
Yes, employers in exercising their legitimate interest may monitor employees during WFH but should balance it with the rights and freedoms of their employees and adherence to the general data privacy principles. We reiterate the discussions in NPC Advisory Opinion No. 2018-048: monitoring employee activities when he or she is using an office-issued computer may be allowed under the DPA, provided the processing falls under any of the criteria for lawful processing under Sections 12 and/or 13 of the law.
Employers must be transparent to the employees and notify them that they are being monitored. There should be an assessment of the necessity and proportionality of the monitoring (i.e. the method of monitoring) vis-à-vis the objective of the same (i.e. ensuring productivity while under WFH). It is also recommended for the employers to conduct a privacy impact assessment (PIA) of the monitoring software to determine risks and how to mitigate them. Employers should likewise implement clear policies with regard to its monitoring procedures.
Further, less privacy intrusive means of monitoring should be considered rather than excessive and disproportionate mechanism in monitoring such as the use of tracking mouse movements, recording keystrokes, taking random photos of the computer screen, enabling webcams to take a picture of the employee, etc.,
8. Can employers require employees to stay on video during business hours or even beyond as when they render overtime work, as proof of work done during the day?
No. The proportionality principle dictates that the processing of information shall be adequate, relevant, suitable, necessary, and not excessive. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. Employers should avoid extreme privacy intrusive means of managing employees as there are other available means of ensuring that employees are doing their assigned tasks.
9. How can employers ensure that personal data processing systems being used during WFH are secured?
Employers can secure personal data processing systems being used during WFH by providing proper ICT equipment and support facilities and mechanisms to the employees. More importantly, data protection and privacy policies should be in place to guide the staff.
Specifically, for the government, the heads of agencies shall ensure that employees have access to or is provided with communication equipment or facilities (laptop, computer, internet, telephone, mobile phone, etc.) to carry out their functions.