Philippines: Employee Monitoring and the Right to Privacy: Key Considerations under the Data Privacy Act of 2012

Authors: Rashel Ann C. Pomoy, Lawrence Ivan Manalo, and Lennor Marie T. Nicolas

 

A common concern among employers in remote work arrangements is ensuring employee productivity. Employers have since resorted to the use of platform-based activity tracking features to monitor employee performance. While employee monitoring falls within the management prerogative of employers,[1] the use of such digital tools raises the question of the extent to which an employer may undertake digital monitoring while remaining compliant with pertinent data privacy laws.

The Supreme Court has traditionally used the reasonable expectation of privacy test to determine whether there has been a violation of an individual’s right to privacy. The test hinges on two considerations: (1) whether, by his conduct, the individual has exhibited an expectation of privacy; and (2) whether this expectation is one that society recognizes as reasonable.[2] While the reasonable expectation of privacy test remains the baseline in resolving questions around an individual’s right to privacy, the National Privacy Commission (“NPC”) has advanced the view that the test must be interpreted in the context of the Data Privacy Act of 2012 (“DPA”) with respect to the personal data of an individual. The NPC notes in its Advisory Opinion No. 2018-090 that  an individual’s reasonable expectation of privacy with respect to personal information is already established in the law with the passage of the DPA.[3]

Since platform-based activity tracking involves the collection and use of employee personal information, including the collection and use of an employee’s personal data, an employer’s methods of monitoring are subject to the DPA. Under the Implementing Rules and Regulations of the DPA, for the processing of information to be lawful, it must comply with the general principles of transparency, legitimate purpose, and proportionality.

As to transparency, the employee must be informed of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised.[4]

As to legitimate purpose, the processing of information must be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.[5]

As to proportionality, the processing of information must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.[6]

The NPC has consistently applied these principles to assess the validity of various activity tracking methods used in the workplace. The following advisory opinions illustrate how those principles operate in practice. For instance, in its Advisory Opinion No. 2018-084, the NPC struck down as excessive and disproportionate the proposed surveillance mechanism of installing software in office-issued computers to record keystrokes and take random screen captures of an employee’s computer. Noting that the proposed surveillance was not disclosed to the employees, the NPC recommended that the employer draft a policy which gives notice to the employees of the proposed monitoring method, including the purpose and circumstances of monitoring, the personal data that may be collected in the course of monitoring, the retention period of the recordings, and other pertinent information to satisfy the principles under the DPA and its Implementing Rules and Regulations.

More recently, in NPC Advisory Opinion No. 2024-003, the NPC provided clarity on the issuance of a  company policy which requires the installation of a monitoring software on the employee’s company-issued device or personal device used for work, and which records short-interval videos and audio of the employees and their immediate surroundings to ensure that there is no mishandling or unnecessary disclosure of confidential data to unauthorized third parties.

The NPC opined that such data collection pursuant to company policy may be permissible under Section 12(b) or Section 12(f) of the DPA. Section 12(b) can be used as a basis for the monitoring scheme as long as the employment contract contains specific stipulations which provide for the installation of monitoring software for the furtherance of employment. Further, under Section 12(f) of the DPA, the processing is lawful if it is done in pursuance of a legitimate interest. In this regard, the NPC declared that employers generally have legitimate business interests to justify the monitoring of their employees. The NPC emphasized, however, that the method of monitoring must be directly related to the legitimate interest being pursued by the employer.

The NPC in its Advisory Opinion No. 2024-005 also had occasion to answer a query on the use of an Artificial Intelligence program to analyze call recordings and email exchanges between the employer’s call center employees and customers to autoscore employees as part of their evaluation. The NPC opined that the autoscoring of employees for their evaluation to enhance company performance can be considered a legitimate interest which would justify the use of the AI system as a monitoring mechanism, as it directly contributes to the improvement of the company’s services. Further, the NPC reiterated the need for compliance with the principles of proportionality, transparency, and legitimate purpose under the DPA. Thus, the NPC further advised the employer that the processing of personal information must be limited only to the extent necessary to the stated purpose, and that the employees must be apprised of the use of the AI system as stated in a privacy policy.

Evidently, compliance by employers with the three (3) general principles of transparency, legitimate purpose, and proportionality is required for digital monitoring that may include the processing of employee data. Operationally, employers may implement digital monitoring tools so long as:

1. The employees are sufficiently informed of the monitoring tools deployed and the scope of information to be processed. Provided that no sensitive personal information shall be processed, it is sufficient that employers provide such notice to the employees without the need for their consent so long as employers are able to justify a legitimate necessity for such processing, which includes ensuring productivity, safeguarding confidential information, monitoring compliance requirements, or evaluating employee performance;
2. The scope of the monitoring should be limited to such information as would be necessary for the declared purposes, including performance assessment, security, or compliance objectives;
3. The means of monitoring must be similarly proportionate to the intended objective, whether that is ensuring productivity, protecting confidential data, or meeting applicable compliance requirements;
4. The employer adopts or updates a privacy notice, employee handbook provision, or platform-use policy that discloses the specific tracking features enabled, the data collected, the purposes of collection, the retention period, and employees’ rights as data subjects under the DPA.

Lawful employee monitoring requires the balance of management prerogative and the employee’s fundamental rights. While employers have a legitimate interest in ensuring that their employees perform well and remain productive within their working hours, the methods used to pursue this interest must be consistent with the employee’s right to privacy. By configuring and deploying platform-based tracking features in a manner that is transparent, proportionate to their intended purpose, and grounded in a declared legitimate interest, pursuing a legitimate purpose, employers can lawfully exercise their management prerogative while respecting their employees’ right to privacy under the DPA. Critically, the platform’s tracking features should be enabled only to the extent necessary, clearly disclosed to employees, and calibrated to serve specific and proportionate business objectives.

[1] St. Lukes Medical Center vs. Sanchez, G.R. No. 212054 (2015).

[2] Ople v. Torres, G.R. No. 127685 (1998).

[3] National Privacy Commission (“NPC”) Advisory Opinion No. 2018-090, November 28, 2018 [please verify].

[4] Section 18, Implementing Rules and Regulations of Republic Act No. 10173 (The Data Privacy Act of 2012).

[5] Id.

[6] Id.