By Amado (Jun) Malacaman
Is your company Data Privacy Compliant?
If yes, you will have to show convincing proof when your people go back to work.
If not, you should be, if you need people back to work in your business.
Regardless of being compliant or not, you will have to abide by the updated guidelines of the National Privacy Commission (NPC) when going back to work under the new-normal pandemic landscape.
The problem for the Data Protection Officer (DPO) is how to do this.
The DOH and the IATF require employers to conduct health checks to ensure a virus-free return to work for the employees. Employers are expected to implement the health checking of their respective employees.
From the Data Privacy perspective, however, NPC requires that employers implement the needed Organizational, Physical, and Technical (OPT) measures when collecting and processing personal health information of their employees. These OPT protection measures are needed to ensure that the collection, processing, storing, sharing, and disposing of the personal (health) information, adhere to the data privacy principles of transparency, legitimate purpose, and proportionality.
That means companies that do not provide the needed OPT protection measures, in compliance with the data privacy law, when collecting and processing personal (health) information in this return-to-work, new-normal scenario will still be accountable for any data breach or unwanted incident resulting from their collection and/or processing of the said personal information. The absence of OPT measures spells non-compliance.
Although the updated NPC guidelines are directed at employers in general, they will still have to be implemented by the company's Data Protection Officer (DPO), as the guidelines pertain to the collection and processing of the personal information of employees as data subjects. This is rightly the responsibility and accountability of the DPO.
Prior to the return to work, the DPO should undertake the required Privacy Impact Assessment (PIA) of the new-normal health-check system implementation. This is to determine the possible level of risk and its probability index under the specific situation the company will find itself in when implementing the health-check, back-to-work procedure. So, what are the possible organizational, physical, and technical protection measures the DPO could adopt to ensure adherence to the data privacy principles of transparency, legitimate purpose, and proportionality? I would be happy to share that with you tomorrow. Check out your options in Part 2 of this series. For now, thanks for the time supporting this series on Data Privacy: Under the Veil of the Pandemic.