Data Privacy and its impact on HR practice

There is much talk about data privacy both in social media & barbershops. It has reached such unprecedented proportions & interest that they say it will make or break our future as a nation.

Sans the socio-political noise, I’d like to correlate data privacy to what I know best: HR procedures, Human Resource departments in companies and practitioners like me.

The Data Privacy Act of 2012 (RA 10173) makes data protection a core HR function. It has reshaped HR practice in the Philippines because it now requires HR teams to adopt lawful processing, transparency, security measures, and accountability integrated in company processes.

Now, personal information that is collected, used, stored, shared, and disposed of by employers, usually through HR, is being regulated. There are procedures & strict rules on how employers should collect, store, use, and share employee data. Those who have custody of or access to such data are held accountable.

It also requires transparency. Employees must know not only what data is being collected but also for what legitimate purpose it will be used. Aside from this, there should also be proportionality in the data disclosed, for example for employment contracts &/or legal obligations. It simply means that HR must only collect what is truly necessary because, in previous instances, there might have been a collection of more data than necessary. You do not actually need so many valid IDs to establish identity or residence, or unrelated medical records for a certain job.

The amount of employee data being handled by HR is quite large. It includes personal and sensitive personal information that is a prerequisite from application to employment: submissions like government IDs (TIN, SSS, PhilHealth, Pag-IBIG), employee addresses, contact details and family information. Without consent (preferably written), HR is always at risk of violating RA 10173. There is always a risk of HR members immediately disclosing records or information upon request, partly because of familiarity, transactional trust or lack of awareness of such changes in protocols.

The Data Privacy Act (DPA) has consequently expanded employee rights. Upon demand, employees have the right to access their data, correct inaccurate information, withdraw consent or refuse disclosure when applicable, within the bounds of the law, & be informed if there are breaches of their data. This is why clear procedures for responding to data requests must be a priority.

Now, company-related personal data like payroll & benefits data, performance appraisal records, disciplinary records, workplace complaints and/or investigation records, health & medical certificates, biometrics & CCTV footage are among the many sources of data also considered private & protected under the DPA.

Though these many changes impact us HR practitioners & the department in general, it is the sourcing, recruitment & onboarding process that is immediately affected. There is an urgent need to look at redesigning not only forms, onboarding activities and recruitment procedures but all other facets of HR, because whenever any HR process has custody of such sensitive data, the DPA imposes higher security and accountability requirements.

A case in point is how to go about background investigations of applicants for certain positions, since even performance appraisals, disciplinary actions & investigations, medical records and scholastic records may be considered part of private data. As a matter of practice, in many instances, based on what we do, HR may resort to checking with character references or sending background investigation forms to be filled out. How to be compliant?

We need to ensure that a job applicant signs privacy notices and that the purpose & use of the data to be collected are explained. Employees must also be informed about monitoring systems (CCTV, biometrics, email logs, etc.). This is why, in most companies, there is signage announcing that CCTV coverage is ongoing, which is a form of disclosure.

Medical and disciplinary data must be collected only when necessary. Mandated pre-employment & annual medical exams need a second look to align them with company requirements.

HR breaches often occur through mishandled 201 files, leaked salary information, improper disposal of documents, unsecured email communications & unauthorized sharing of complaints or medical data, or even through unwittingly sharing information such as contact information or residence.

The importance of close coordination between HR, IT and Admin is now more pronounced because it helps ensure compliance by implementing the needed organizational, physical, and technical safeguards, such as role-based access restrictions on 201 files, be they hard copies or soft copies.

Companies must also ensure stronger data security measures. Hard copies should be secured in locked filing cabinets and secure storage areas with access controls.

With HR becoming a key compliance partner, not just an administrative function, HR must now put into place and maintain mandatory documentation & accountability such as a Data Privacy Manual, records of processing activities, data sharing agreements with suppliers & service providers like HMO, payroll vendors, third party outsourcing etc.

As mentioned above, based on my decades of experience, there is indeed a high risk of breach in vendor & third party engagements like HMOs, third party background check providers, payroll processors, training vendors, security & manpower agencies because the company will remain accountable for data unnecessarily shared with these vendors or third parties.

To address this, HR must ensure that contracts with vendors include data protection clauses. Breach response protocols must be put in place proactively to anticipate such scenarios.

Weak implementation of protocols exposes companies to Data Privacy non-compliance, violations & penalties that may result in fines, criminal liability, civil damages & reputational harm.

Knowing the risks & the stakes, the immediate action that HR must undertake is to update recruitment and onboarding forms with privacy notices, review 201 file access controls, train HR staff on confidentiality and DPA compliance & ensure an audit of third-party data sharing (HMO, payroll, background checks).

Train HR staff on confidentiality and proper case management because, with the DPA, HR now faces a higher risk in mishandling complaints & investigations, especially in sensitive cases like harassment, fraud, medical issues, etc. Consistent confidentiality handling, access limitation & proper documentation, including electronic documentation, must be upheld even in ongoing labor disputes or case investigations.

For soft copies, access to & encryption of digital records through a strong HR Information System (HRIS) must be prioritized. Strong & unpredictable passwords for sensitive & covered data should be a matter of practice. Viewing, editing & copying should be based not only on authorization but also on the nature of the job. Additionally, there should also be secure disposal of hard copies & role-based saving restrictions for sensitive files (shredding, digital wiping, access control).

In the medium term, the direction should focus on upgrading the HR Information System (HRIS) to one that has additional security features. This should be part of a Data Privacy Manual that will establish documented breach reporting procedures, while conducting periodic privacy impact assessments.

The end goal should be building a privacy culture by integrating privacy into all HR processes from hiring to offboarding, with related company policies & procedures regularly being updated based on the Data Privacy Act.

Data Privacy indeed matters for HR leaders & practitioners because it elevates HR from a purely administrative role to a strategic compliance and risk management function.

It will be tedious & demanding to put into place all safety nets, but proper implementation of privacy procedures builds employee trust, protects company reputation, ensures legal compliance and perpetuates operational integrity. This benefits both the employee & the employer, and that is a big win for both.

GOOD MORNING HARDWORKING PEOPLE!
For comments & suggestions, you may email the author at [email protected] & follow Herrie Raymond Rivera on Facebook.
