- Telecommuting Employees and Consent to the Recording of Virtual Meetings.
Date Issued: 02 April 2024
The National Privacy Commission (“NPC”) in NPC Advisory Opinion No. 2024-03 took the opportunity to clarify the legality of employing surveillance measures to aid in the monitoring of employees working remotely, specifically, the use of web cameras with built-in microphones that will be turned on at random intervals to record short videos, including image and audio of the subject employee and his/her immediate surroundings, in addition to the mandatory recording of all work-related meetings.
In line with NPC Advisory Opinion 2018-090, the NPC reiterated that employees have a decreased expectation of privacy with respect to work devices, email accounts, and internet surfing activities. Thus, the NPC held that the mentioned surveillance measures can be sanctioned on either of two bases: fulfillment of contract with the data subject, which employers may rely on as long as the employment contract provides specific provisions allowing the installation of equipment/software for furtherance of employment; or legitimate interest, mindful of the three-part test of purpose, necessity and balancing.
- NPC Advisory Opinion No. 2024-04: Re: Access to Individual User Accounts by Service Provider
Date Issued: 16 May 2024
In NPC Advisory Opinion No. 2024-004, the NPC evaluated whether the Data Privacy Act (“DPA”) permits an arrangement wherein a service provider can access individual user accounts from government or financial sites through a separate digital platform. Specifically, the service provider aimed to process personal information and sensitive personal information to provide employment and income data to banks, fintech companies, recruitment agencies, and other service providers.
The NPC clarified that service providers can process personal data based on the informed consent of the data subjects (“Applicants”), emphasizing that consent must be freely given, specific, and informed. Moreover, service providers must ensure that the consent process is transparent, with clear communication about the nature, purpose, and extent of the data processing. Additionally, the Applicants must actively agree to the service provider’s Terms and Conditions and Privacy Policy during the account creation process.
Service providers must also provide a straightforward method for Applicants to withdraw their consent at any time. This was implemented through the incorporation of a “Disconnect Access” button on the service provider’s platform, with personal data being deleted within ten minutes of consent withdrawal.
The NPC also emphasized that service providers, as personal information processors (“PIPs”), must comply with DPA requirements, including the appointment of a data protection officer (“DPO”), the registration of data processing systems and the conduct of regular privacy impact assessments (“PIAs”) to identify and mitigate potential privacy risks.
Furthermore, service providers must inform Applicants of their rights under the DPA, with the NPC highlighting the rights to access, to data portability, and to object to data processing. The NPC also stressed the importance of implementing robust security measures to protect personal data and ensure compliance with data protection laws.
- NPC Advisory Opinion No. 2024-05: Re: Use of Artificial Intelligence (“AI”) In Call Analysis and Monitoring of Call Center Employees
Date Issued: 21 May 2024
In NPC Advisory Opinion No. 2024-005, the NPC discussed the legality of using AI to analyze and monitor call center employees’ interactions with customers. This AI program, administered by a third-party provider, analyzes call recordings and email exchanges to autoscore employees and identify opportunities for coaching and development. The NPC addressed several key points.
Firstly, the NPC acknowledged that the company could rely on legitimate interest as a lawful basis for processing personal data, provided that the processing is necessary and does not override the fundamental rights and freedoms of the employees. This includes ensuring that the processing activity is specific, transparent, and not contrary to laws, morals, or public policy. The use of AI to autoscore employee performance and identify trends can be considered a legitimate interest if the processing is limited to the declared purposes, such as enhancing service quality and providing targeted training.
Additionally, employees have the right to object to the processing of their personal data. The NPC noted that if an employee objects, the company must cease processing their data unless there are other lawful bases to continue, such as necessity for the performance of a contract or in the case of an employer-employee relationship.
TRENDS AND OTHER UPDATES
- The NPC Conducts Large Scale Compliance Sweeps
In recent months, the NPC has significantly ramped up monitoring efforts, particularly targeting retail establishments in malls. This increased activity is part of the NPC’s broader initiative to ensure that businesses adhere to data protection laws. In May this year, the NPC conducted several compliance sweeps, issuing show-cause orders to sixty-five (65) stores within a Parañaque mall for either having data privacy violations or failing to register their data processing systems. Businesses failing to comply may face penalties, with fines reaching P5 million. Additionally, the NPC has called on businesses to register their data processing systems promptly, highlighting the importance of compliance to avoid the imposition of sanctions. The NPC has also announced its intent to conduct additional privacy sweeps in the future.
- Renewal of National Privacy Commission Registration System (“NPCRS”) Registration
NPC officials have issued reminders to Personal Information Controllers (“PICs”) and Personal Information Processors (“PIPs”) whose NPCRS registrations are expiring in June 2024 to undergo timely renewal. We note that PICs and PIPs who registered last year in 2023 are now due for renewal. A PIC or PIP may only renew its registration thirty (30) days before the expiration of the one-year validity period of its Certificate of Registration. Failure to comply may result in regulatory action and the imposition of fines as outlined in the NPC Guidelines on Administrative Fines.
Should you require our assistance in this regard, please reach out to us at any time.