The following post does not create a lawyer-client relationship between Alburo Alburo and Associates Law Offices (or any of its lawyers) and the reader. It is still best for you to engage the services of a lawyer or you may directly contact and consult Alburo Alburo and Associates Law Offices to address your specific legal concerns, if there are any.
Also, the matters contained in the following were written in accordance with the law, rules, and jurisprudence prevailing at the time of writing and posting, and do not include any future developments on the subject matter under discussion.
AT A GLANCE:
Any record of employment or service record may contain personal information and sensitive personal information of the employee concerned. The disclosure of such records must have legal basis under the Data Privacy Act of 2012 and existing laws. (NPC Privacy Advisory No. 2022-008)
Employees must be aware of the nature, purpose, and extent of the processing of their personal data in the workplace. The processing of personal information of employees shall also be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. Lastly, the processing of such information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. (NPC Privacy Advisory No. 2018-090)
Article 26 of the Civil Code provides that “every person shall respect the dignity, personality, privacy, and peace of mind of his neighbors and other persons.” This means that meddling and prying into the privacy of others is an actionable tort punishable by law. With this in mind, what level of privacy can an employee expect in his workplace? What acts are considered violations of an employee’s right to privacy?
Reasonable Expectation of Privacy
In the case of Ople v. Torres (G.R. No. 127685, July 23, 1998), the Supreme Court recognized the zones of privacy in our laws. The reasonable expectation of privacy is a test to ascertain whether there is a violation of the right to privacy. This test determines whether a person has a reasonable or objective expectation of privacy and whether the expectation has been violated. The reasonableness of a person’s expectation of privacy depends on a two-part test:
(1) Whether by his conduct, the individual has exhibited an expectation of privacy; and
(2) Whether this expectation is one that society recognizes as reasonable.
Moreover, the factual circumstances of the case determine the reasonableness of the expectation. Customs, community norms, and practices may likewise limit or extend an individual’s reasonable expectation of privacy. The reasonableness of a person’s expectation of privacy must then be determined on a case-by-case basis.
Employment vis-à-vis Reasonable Expectation of Privacy
In the case of Pollo v. David (G.R. No. 181881, October 18, 2011), the Supreme Court ruled that generally, employees have a decreased expectation of privacy with respect to work devices, email accounts, and internet surfing activities. The same may be said for the contents therein, since there is a presumption that their use will be limited to work-related purposes.
In the light of the enactment of Republic Act No. 10173 or the Data Privacy Act of 2012, there exists now a reasonable expectation of privacy on the part of an employee. This means that employees must know the nature, purpose, and extent of the processing of their personal data in the workplace.
The processing of personal information of employees shall also be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. Finally, the processing of such information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. (Section 11, Data Privacy Act of 2012)
May an employer use an employee’s personal account to pry into and investigate other employees?
In NPC Advisory Opinion No. 2018-090, the NPC ruled that the act of an HR employee in accessing an employee’s iCloud account, which is considered personal information, without his consent may constitute a violation of the employee’s right to privacy. Furthermore, the act of the employer in accessing an employee’s iCloud account without his consent and without authority under the law may constitute unauthorized processing of personal information under the Data Privacy Act of 2012.
May an employer validly obtain an employee’s records from government agencies to be used as the former’s defense in a labor case filed by the latter?
NPC Privacy Policy Advisory No. 2022-008 clarifies that any record of employment or service record may contain personal information and sensitive personal information of the employee concerned. The disclosure of such records must have legal basis under the Data Privacy Act of 2012 and existing laws.
The Data Privacy Act of 2012 provides:
SEC. 12. Criteria for Lawful Processing of Personal Information. The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
x x x
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
…
SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases: x x x
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority. (emphasis supplied)
Notwithstanding the existing justification for the disclosure of personal data, the Data Privacy Act of 2012 mandates that the principle of proportionality should still be adhered to.
The Rules and Regulations Implementing the Data Privacy Act of 2012 state that:
“Proportionality requires that the processing of information shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose.” (Section 18, par. c)
Is it legal for an employer to publish the name of the employee and the fact of his severance from employment?
In the Privacy Policy Advisory issued by the National Privacy Commission (NPC Privacy Policy Advisory No. 2022-009), the NPC held that:
“While there may be a lawful basis for the publication of personal information such as employee names and the fact of severance from employment with the bank (i.e., “This person is no longer connected with the [employer].”), the DPA mandates that the principle of proportionality should still be adhered to. Hence, disclosing the name and the fact that the employee is no longer employed with the [employer] is sufficient to meet the stated purpose. Any other information beyond that may be considered disproportionate.”
The NPC Advisory added that the principle of proportionality under the Data Privacy Act of 2012 requires that the processing of personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. These qualifiers serve as measures by which a determination can be made on whether processing is proportional and justified in relation to the declared purpose. Further, this principle requires that personal data shall only be processed if the purpose of the processing could not be reasonably fulfilled by other means.
Is it a violation of the right to privacy if an employer discloses a former employee’s address to the government authorities such as the Office of the Prosecutor?
In NPC Privacy Policy Advisory No. 2021-021, the NPC opined that it is lawful to process personal information, such as a former employee’s last known address, if it is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Thus, the NPC held that the disclosure by the employer of the address of a terminated employee to the Office of the Prosecutor in connection with the criminal case filed with the same may be allowed under the DPA based on the above considerations.
Does a former employee have the right to access employment records from his former employer?
NPC Privacy Policy Advisory No. 2018-042 provides that employees are generally allowed reasonable access to their files, especially those they have personally provided the employer during the recruitment and application process.
Upon cessation of employment, the employer may retain the records and files of the employee in accordance with the retention period as may be provided for by existing laws on the matter and/or as stated in its policies.
If the request falls within the retention period of employment records, the employer shall provide reasonable access to the requested information, subject to the same limitations discussed above and its own company policies.
The NPC, through the advisory, notes that as part of the organizational security measures of the employer, the employer, as the personal information controller of its employees’ data, is required to develop, implement and review policies and procedures for data subjects to exercise their rights under the Data Privacy Act of 2012. (NPC Advisory Opinion No. 2018-042)
Privacy of a Kasambahay in the Workplace
Domestic workers or kasambahays are likewise entitled to privacy. Republic Act No. 10361 or the Batas Kasambahay provides that:
“Respect for the privacy of a domestic worker shall be guaranteed at all times and shall extend to all forms of communication and personal effects.” (Section 7, R.A. No. 10361)
This guarantee, according to the law, equally recognizes that a domestic worker or kasambahay has the responsibility to render satisfactory service at all times.
As with any other manner of processing personal information, an employer’s processing of its employee’s personal information must adhere to the general principles of data privacy, such as transparency, legitimate purpose and proportionality. (Section 11, Data Privacy Act of 2012)