All questions

Data protection

i Requirements for registration

The collection and processing of personal information, including employee data, is governed by the Data Privacy Act of 2012. Data privacy regulations are implemented by the National Privacy Commission (NPC).

An employer is a personal information controller under the Data Privacy Act when it is involved in controlling the collection, holding, processing and use of the information of its employees. It is required to implement 'reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data'. Employers must register with the NPC if any of the following conditions are met: it employs at least 250 employees; the processing includes sensitive personal information (as defined in subsection iii, below) of at least 1,000 individuals; the processing is likely to pose a risk to the rights and freedoms of data subjects; or the processing is not occasional.

As a general rule, a current or prospective employee's consent must be secured prior to the collection of any personal information. However, provided that sensitive personal information is not involved, an employee's personal data may be processed even without their consent when it is necessary or desirable in the context of an employer-employee relationship. An employee must be informed of the following prior to the processing of his or her personal information:

  1. the description of the personal data to be entered into the system;
  2. the purposes for which they are being or will be processed;
  3. the basis of processing, when processing is not based on the consent of the data subject;
  4. the scope and method of the personal data processing;
  5. the recipients or classes of recipients to whom the personal data are or may be disclosed;
  6. the methods utilised for automated access, if allowed by the data subject, and the extent to which such access is authorised;
  7. the identity and contact details of the personal data controller or its representative;
  8. the period for which the information will be stored; and
  9. the existence of the employee's rights as data subjects, including the right to access, correct and object to the processing, as well as the right to lodge a complaint before the NPC.

ii Cross-border data transfers

Cross-border data transfers are allowed under Philippine law. A cross-border data transfer is considered data sharing under the Data Privacy Act. The employee's consent is required even when the data is to be shared with an affiliate or mother company, or similar relationships. In addition, the employer should execute a data sharing agreement that establishes adequate safeguards for data privacy and security, and upholds the data privacy rights of the employees. The data sharing agreement is subject to review by the NPC on its own initiative or upon the complaint of an employee.

There is no specific requirement to register a cross-border data transfer with the NPC subject to the registration requirements discussed in subsection i.

iii Sensitive data

The implementing rules and regulations of the Data Privacy Act define sensitive personal information as personal information:

  1. about an individual's race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations;
  2. about an individual's health, education, genetics or sexual life, or to any proceeding for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in such proceedings;
  3. issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licences or their denials, suspension or revocation, and tax returns; and
  4. that is specifically established by an executive order or an act of Congress to be kept classified.

Generally, the processing of sensitive personal information is prohibited unless the employee has given prior consent to the processing for a declared, specified and legitimate purpose, or under the specific circumstances provided by the Implementing Rules and Regulations of the Data Privacy Act. Higher criminal penalties are also imposed for the unlawful processing of or data breaches relating to sensitive personal information.

iv Background checks

Background checks are legally permissible in the Philippines and may be required by an employer prior to hiring an employee as a valid exercise of its management prerogative. Employers commonly conduct background checks to determine a potential employee's prior criminal records and credit history. The processing of information gathered through background checks may be considered as necessary or desirable in the context of an employer-employee relationship. However, processing the employee's information may require the employee's express prior consent if it involves the processing of sensitive personal information.

However, if an employee who has attained the status of a regular employee fails a background check, he or she may be disciplined by the employer only upon complete compliance with the employee's rights to substantive and procedural due process.

Originally published at Lexology by the International Law Office (18 March 2019).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.