Data privacy guide for employers
With the Data Privacy Act’s (R.A. No. 10173) implementation now in full swing, business establishments are now constrained to consider how the law can affect their hiring processes. This is especially true considering that the personal information about their job applicants is necessary in deciding whether to hire or not. This also holds true with respect to their employees, from whom they have already collected personal information that is now being stored by the company as part of employment records.
Employers are considered personal information controllers, a term defined by law as a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf [Sec. 3(h), Data Privacy Act]. Employers, therefore, are bound to observe the rights of their job applicants to privacy of information.
What is considered personal information?
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual [Sec. 3(g)].
This includes sensitive personal information pertaining to an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations. It also extends to information about one’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person. Information on one’s government-issued social security numbers, licenses, and the like is also considered sensitive personal information [Sec. 3(l)].
Collection and processing of personal information
The gathering of personal information, as well as its processing, now requires the consent of the employee, who is considered by law a data subject (referring to the individual whose personal information is processed). Consent shall be evidenced by written, electronic or recorded means [Sec. 3(b) and (c)].
It has been the practice of companies to require their applicants to submit certain requirements such as their resumes containing personal information, various clearances issued by the NBI, Police, and the Barangay, certificates of birth and/or marriage, etc. This practice is still allowed under the law, but the extent of the information to be collected must only be what is adequate and not excessive, in relation to the purposes for which they are collected and processed [Sec. 11(d)].
Access to personal information
Though 201 Files are confidential, the law now allows employees to access, upon demand, the information contained in their own record. This is because employees, as data subjects, are now given the right to access their personal information that the company may have processed, the sources from which their personal information was obtained, and the manner by which the data had been processed [Sec. 16(c)]. As an exception, however, employees shall have no right to access such data when their personal information is being processed for the purpose of investigations in relation to any criminal, administrative or tax liabilities of the employee [Sec. 19].
Retention of personal information
Under the law, personal information must be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law [Sec. 11(e)].
In relation to this, the employee is given by the law the right to suspend, withdraw or order the blocking, removal or destruction of his personal information from the employer’s filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or is no longer necessary for the purposes for which it was collected [Sec. 11(e)].
Penalties for violation
The law imposes imprisonment ranging from 1 year up to 7 years, or a fine ranging from Php 100,000.00 to as much as Php 5,000,000.00, depending on the violation committed [Secs. 25 to 33].
If the offender is a juridical person such as a corporation, the penalty shall be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the violation. A foreign employer shall be deported without further proceedings after serving the penalties prescribed [Sec. 34].
As one may notice, the Data Privacy Act’s implementation will definitely affect how employers handle the personal information that they collect from their current and would-be employees. Considering the mandatory nature of its provisions, the employers, as information controllers, are duty-bound to observe the rights of the individuals from whom they have gathered personal information. Though its implementation would modify certain established practices, compliance with the law is still the safest course to take.