
Data Privacy: Under the Veil of the Pandemic. Part 2. OPT PROTECTION MEASURES

Data Privacy is about protecting personal data or information from being misused, abused, or compromised. But how does a company protect personal data in its care?

Data Privacy Compliance is about determining and providing the protection measures needed to ensure that personal information under a company’s care is safe from unauthorized access and misuse, whether by the company’s own employees or by outside parties.

The data privacy law, otherwise known as the Data Privacy Act of 2012 (DPA2012), categorizes these data protection measures into Organizational, Physical, and Technical (OPT) security measures. Data Protection Officers (DPOs) are responsible for ensuring that the OPT measures adopted by the organization adhere to the data privacy principles of transparency, legitimate purpose, and proportionality.

With companies going back to work, “new-normal” procedures have to be adopted under the veil of the COVID-19 pandemic. One of the most pressing is a daily health check, to make sure that employees returning to work do not show symptoms of the coronavirus. Because this new procedure, which includes taking the body temperature of employees, requires the collection and processing of personal information, the DPO needs to get involved and take charge of ensuring that adequate OPT measures are put in place: not only to help prevent the spread of the virus in the workplace, but also so that the data privacy rights of employees and of visitors seeking entry into the office are not violated or put at risk.

In addition to the health-check procedures, employers are also required to re-design or re-arrange the work environment so their employees can practice social distancing and other safety and preventive measures, such as hand-washing and having alcohol or hand sanitizers available at convenient locations in the office.

In consideration of the possible data breaches that this new procedure involving personal data could give rise to, the National Privacy Commission (NPC) has directed employers that, while these health checks and the collection of sensitive personal information are allowed under the current health emergency, appropriate OPT measures are still required to ensure compliance with the country’s data privacy law.

While health-check systems are required to protect the health and safety of employees, the obligation to protect the personal data that companies collect and process remains in force. Implementing appropriate Organizational, Physical, and Technical (OPT) data protection and security measures greatly reduces the risk of violating the data privacy law.

What are these OPT measures, and how should your DPO or privacy team determine which of them apply to your organization? Remember, it is the Data Protection Officer (DPO) who should take the lead in ensuring the protection of personal data in the organization, under any circumstance.

Under DPA2012, any new system in a company or organization that collects and/or processes personal information shall be subjected to a review and risk assessment. This process is referred to as a “Privacy Impact Assessment” or PIA. A PIA should also be carried out whenever an existing system is significantly changed or revised. The working assumption, unless a PIA shows otherwise, is that any change to a system may introduce a new threat or vulnerability to the confidentiality, integrity, and availability of the personal data in that system. Any new vulnerability must therefore be met with a corresponding security measure that addresses or eliminates the threat or unwanted incident that could arise from it.

The PIA is the recommended process for reviewing a new or changed process, determining the risks, if any, and arriving at the needed OPT measures and recommendations.

The DPO is also responsible for making sure that PIAs are conducted when needed or required by the situation. In the case of the return to work under this new-normal challenge, a PIA is needed.

The DPO of a public or private institution covered by the Data Privacy Law should initiate a PIA on the health-check processing system that the company is adopting or will adopt. From the PIA, the risks are assessed and the necessary organizational, physical, and technical (OPT) measures are recommended by the privacy team and the DPO to management for approval and implementation.

I will discuss how to conduct the PIA for the health-check system in the next installment of this series of posts on Data Privacy: Under the Veil of the Pandemic.