The National Privacy Commission (NPC) is reminding employers of their responsibility under the Data Privacy Act to implement policies and processes that ensure the security and privacy of their customers' and employees' personal data as telecommuting or work-from-home arrangements become widespread.
Leandro Angelo Y. Aguirre, deputy privacy commissioner of the National Privacy Commission (NPC), said a major impact of the COVID-19 crisis is how it forced companies to transition rapidly to a telecommuting scheme “without really anticipating all the different challenges” particularly in terms of data breaches.
Aguirre noted that the most frequent data breach causes reported to the NPC are malicious attack (44%) and human error (43%).
More important than investing in security systems is "having proper policies and processes that can be adopted in a work from home or telecommuting arrangement," Aguirre said in an online presentation for a UPPAF-RESPOND e-forum.
He stressed that it is the employer’s responsibility to “identify the risks inherent in a telecommuting or work from home arrangement and come up with the proper policies and processes for these arrangements and ensure that there are mechanisms to monitor that they are being implemented properly.”
Moreover, employers are obliged to ensure that such policies and processes consider the general data privacy principles of transparency, legitimate purpose, and proportionality as enshrined in the Data Privacy Act or DPA.
Under transparency, for instance, employers must inform employees working from home that they are being monitored, and how and why they are being monitored “so that they can also adapt their behavior accordingly.”
Under legitimate purpose, Aguirre said that in case of employee monitoring, the company’s reason for doing so should be compatible with the declared and specified purpose and not be contrary to law, morals, or public policy.
To ensure proportionality, meanwhile, the company must process only as much information as is necessary to achieve its declared and specified purpose, and no more.
Aguirre also talked about the data privacy risks employers face in adopting a telecommuting arrangement.
Due to the COVID situation, many companies were forced to transition quickly to a work-from-home scheme while unprepared, and some workers' home environments were unsuitable for this kind of arrangement.
In the rush, said Aguirre, the focus was less on data privacy or security and more on adaptation and ease of use.
“We may have ended up using systems that may not be as secure as the ones we have at the office. We may not have the same level of firewall… and access controls” at home that are available in the office, he said.
He thus urged companies to “take that into consideration and come up with the necessary policies and processes to address those risks so that they will still be able to provide the same level of security ideally that they would have been able to in an office situation.”
He also underscored that companies should secure not just the privacy and security of their customers but their employees as well.
Aguirre added that as companies settle down after the rush to transition, they should now “take a step back and start an assessment of the risks that are inherent in the arrangement that they implemented.”
He continued: “Hopefully when they do a privacy impact risk analysis they will be better able to identify the risks that are there and take the necessary steps to mitigate those risks before something actually happens.”
He also warned against using free Wi-Fi, especially when handling sensitive transactions, because it is not secure.
At the same time, Aguirre pointed out that the three data privacy principles should apply at each stage of the data life cycle (create, store, use, share, archive, and destroy), even in a telecommuting scheme.
“For each stage there are corresponding obligations for both the employer and their employees,” he said.
Employers must therefore also “educate their employees of the nature of these obligations.”
Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, is the law that protects personal information, including sensitive personal information, processed in the government and the private sector. It covers both natural and juridical persons involved in the processing of personal information.