IN 2018, the National Privacy Commission (NPC) was asked if employers could conduct “secret surveillance” on their employees as they work in the office.

Can employers install monitoring software that records keystrokes and takes random snapshots of the computer screen, or is this prohibited by the Data Privacy Act of 2012 (DPA)?

The short answer is, it depends, but it’s generally frowned upon. Here’s the long answer:

“Monitoring employee activities when he or she is using an office-issued computer may be allowable under the DPA, provided the processing falls under any of the criteria for lawful processing of personal data under Sections 12 and/or 13 of the law,” the NPC said in Advisory Opinion No. 2018-084 (https://www.privacy.gov.ph/wp-content/files/attachments/advopn/2018/AONo_2018-084.pdf).

In other words, employers may monitor their employees but such processing of personal data must be based on the criteria for lawful processing, as detailed in Sections 12 and 13 of the Data Privacy Act.

Also, the processing must comply with the general data privacy principles of transparency, legitimate purpose, and proportionality.

Transparency means the employees must be told that they are being monitored. The NPC said that the employer must inform the data subjects – the individuals from whom the data is collected and, in this situation, the employees – “of the nature, purpose and extent of computer monitoring and processing when using office-issued computers.”

Moreover, the NPC said the employer must also explain the “actual method of monitoring, security measures to protect the personal data, as well as the procedure for redress in cases where the rights of the employee as a data subject are violated.”

The employer must also issue a policy or set of guidelines on the use of company-issued devices and equipment, the NPC added.

Can there be a legitimate purpose for spying on, errr, monitoring one’s own employees? Actually, yes.

“Some possible legitimate purposes of [computer] monitoring are as follows: management of workplace productivity, protection of employees, business assets, intellectual property or other proprietary rights, prevention of vicarious liability where the employer assumes legal responsibility for the actions and behavior of employees, and the like,” the NPC said.

However, it added that the employer must also “assess the proportionality of the information collected and the ways and means of processing.” That means the employer, as the Personal Information Controller (PIC), must make sure that only the information needed to fulfill the identified purpose are collected and processed.

“[P]ersonal data of the employees shall only be collected, used and stored by the employer, through computer monitoring, if the purpose sought to be achieved cannot be fulfilled by any other less privacy-intrusive means,” the NPC said.

Even then, the NPC pointed out that “secret surveillance…is frowned upon.”

“The use of a software that records the keystrokes of the user and/or takes random photos of the computer screen seems to be an excessive and disproportionate mechanism in monitoring employees. Unless the declared purpose of computer monitoring necessitates and justifies the use of such extreme measure, the same should not be carried out,” the NPC said.

If the purpose of monitoring is to ensure employee efficiency, for example, then the data collected should satisfy that purpose. Will taking random shots of the computer improve employee efficiency? Is there another, less intrusive way of making employees work harder?

“Every employer conducting computer monitoring or employee monitoring should ensure that the data collected directly satisfies the purpose of monitoring and that it clearly aligns with the need and objectives of the organization,” the NPC reminded.

“Employers should keep in mind that although employees are within office premises and using company-issued equipment within office hours, they are still entitled to their right to privacy at work,” the NPC pointed out.

Employees have as much right to their privacy as anyone else, and employers should respect these rights as much as they do the rights of the company’s customers, the NPC said. “In the same way that companies value the privacy rights of every customer, it should likewise respect the privacy of its own employees and enable them to exercise their rights. With the emergence of new technologies that provide employers with vast opportunities to monitor and track employees, unbridled checking can damage trust, disrupt professional relationships and disturb work peace and performance. An effective policy and communication strategy must be implemented to maintain the balance between the business or operational objectives and the right to privacy.”

This is, of course, only an advisory opinion, and based on particular set of circumstances. Still, the point is that while employers have the right to monitor their employees, that right is tempered by the data privacy principles of transparency, legitimate purpose, and proportionality. In other words, when employers monitor their employees the latter must be told that they are being monitored, and the reasons for the monitoring explained to them (which must not be contrary to law, morals, or public interest). Also, the personal data collected and processed must be limited to what is needed to achieve the reasons for the monitoring – which must be a legitimate purpose, as defined under the law.

***

(Dana Batnag heads the policy and risk management section in the data privacy office of a financial services institution. For inquiries, comments and clarifications, she may be contacted at yourdataprotectionofficer@protonmail.com)