Data Privacy is about protecting personal data or information from being misused, abused, or compromised. But how does a company protect personal data in its care?
Data Privacy Compliance is about determining and providing the necessary protection measures or means to ensure that personal information under a company’s care is safe from unauthorized access and misuse by its employees and other outside influences.
The data privacy law, otherwise known as the Data Privacy Act of 2012 (DPA2012), categorizes these data protection measures into Organizational, Physical, and Technical (OPT) security measures. Data Protection Officers (DPOs) are responsible for ensuring that OPT measures adopted by the organization adhere to the data privacy principles of transparency, legitimate purpose, and proportionality.
With companies going back to work, “new-normal” procedures have to be adopted under the veil of the COVID-19 pandemic. One of the most pressing new procedures employers need to implement is the process of conducting health-checks, daily, to make sure that employees coming back to work do not have symptoms of the coronavirus. As this novel procedure, checking body temperature of employees, requires the collection and processing of personal information, the DPO needs to get involved and take charge in making sure that enough OPT measures are evolved not only to prevent the possible spread of the virus in the workplace but also that the data privacy rights of its employees or visitors seeking entry into the office are not violated or put at risk.
In addition to the health-checks procedures, employers are also required to re-design or re-arrange the work environment so their employees are able to practice social distancing and other safety and preventive measures like hand-washing and availability of alcohol or hand-sanitizers at convenient locations in the office.
In consideration of possible data breach under this new procedure involving personal data, the National Privacy Commission (NPC) has directed employers, that while these health-checks and collection of sensitive personal information are allowed under the current health emergency situation, appropriate OPT measures are still required to ensure compliance with the country’s data privacy law.
While health-check systems are required to protect the health and safety of employees, the need to provide the necessary protection to personal data collected and processed by companies remains in force. Implementing appropriate Organizational, Physical, and Technical (OPT) data protection and security measures, eliminates possible violation of the data privacy law.
What are these OPT measures and how should your DPO or privacy team determine the applicability of these measures in your organization? Remember, it is the Data Protection Officer or DPO that should take the lead in ensuring the protection of personal data in the organization, under any circumstance.
Any new system in the company or organization, that collects and/or processes personal information, under DPA2012, shall be subjected to a review process or assessment of risk. This process is referred to as a “Privacy Impact Assessment” or PIA. The PIA should also be resorted to, if and when a system is significantly changed or revised. The assumption, unless proven otherwise by a PIA, is that any change in a system may provide a new threat or vulnerability to the integrity, confidentiality, and availability of the personal data in that system. As such, any new vulnerability must be met with a corresponding security measure to address or eliminate the threat or unwanted incident arising from the vulnerability.
The PIA is the recommended process that reviews the new or changed process, determines risk if any, and comes up with needed OPT measures and recommendations.
The DPO, as well, is responsible for making sure that the PIAs are conducted, when needed or required by the situation. In the case of the return-to-work, under this new-normal challenge, a PIA is needed.
The DPO, in public or private institutions covered by the Data Privacy Law, should initiate a PIA on the health-check processing system that the company is or will be adopting. From the PIA, the risks are assessed and the necessary organizational, physical, and technical (OPT) measures are recommended by the privacy team and DPO to management for approval and implementation.
I will discuss how to conduct the PIA for the health-check system in the next installment of this series of posts on Data Privacy: under the veil of the Pandemic.
For this 2nd installment, let me just list some of the possible OPT protection measures, companies may choose to consider during and after conducting their PIA on the health-check system and other risk assessment processes.
The OPT Protection Measures
Below are examples of OPT areas of concern that the DPO may look into in getting the company, back-to-work under the new-normal workplace environment:
Staff training and orientation – are all employees accordingly informed of their data privacy rights including the protection measures the company is taking when collecting and processing the health-check information of employees/guests allowed entry into the workplace?
New roles and responsibility assignments – are the staff (or the guard?), assigned or given the responsibility for collecting, and recording the health-check information, trained in the proper data privacy protection procedures adhering to the privacy principles of transparency, legitimate purpose, and proportionality?
DPO responsibility and accountability – is the Data Protection Officer (DPO) actively involved and consulted in the implementation of the health-check system, the PIA, and in recommending appropriate OPT data protection measures?
Third-party providers – are third-party service providers equally and sufficiently trained to implement the same level of security and data privacy protection on personal data shared or forwarded to them, by the company?
Secure and centralized health-check location – are the areas where the health-check information is collected and process secured, so possible leakage or loss of personal information collected or processed are eliminated?
Secured and protected storage and transfers – are the collected and processed personal information securely protected in storage and in transit, so unauthorized access are prevented or eliminated?
Design or redesign of office space and work stations – does the new-normal office layout provide the protection to persons and to personal data during the entirety of the collection, processing, sharing and disposal of the health-check personal information carried out daily over the duration of the pandemic?
IT Security – where applicable, are the proper IT security provisions applied to the collected personal health-check data to ensure confidentiality, integrity, and availability of stored or processed data.
Data sharing provisions – are technical security measures on shared personal data, implemented according to agreed data privacy provisions of the law?
Back-up and restore procedures – are restore and back-up procedures in place in the event of a physical or technical incident.
Security policy – is a security policy and online access control in place, as applicable, to implement the appropriate security measures for protecting health-check personal data?
Incident response – is a quick response system in place in the event of a data breach or security incident?
Note that when taken to heart, there is more an organization that needs to implement with respect to the collection, processing, sharing, and disposing of personal data under a new-normal situation, and in implementing its health-check system.
There may be more OPT measures that could arise, as needed when a Privacy Impact Assessment is conducted by the company, depending on the size of the organization, the number of employees involved, the office circumstances, and the flow of people and personal information during a typical workday or worknight. The situation will require the presence and patience of an astute Data Protection Officer, aided by his privacy team and advisers if compliance with the data privacy requirements is to be preserved during this pandemic.
In the next installment of this report, we will share with you the Privacy Impact Assessment (PIA) process that the organization needs to conduct so it can derive the OTP protection measures it needs to implement, to safeguard and protect personal information collected and processed within its health-check system as recommended by the DOH and IATF.