Data Privacy, Information Security and Work-from-Home Arrangements
Since the COVID-19 alert level was raised to Code Red Sublevel 2 on 12 March 2020, the government has strongly encouraged flexible work arrangements in the private sector. Flexible work arrangements can take various forms, which, broadly speaking, include telecommuting.
How can this be adopted? An employer in the private sector may offer a telecommuting program to its employees on a voluntary basis, (or as a result of collective bargaining), and upon such terms and conditions as they may mutually agree upon provided that the same shall not be less than the minimum labor standards set by law.
What should the company do if it enters into a telecommuting agreement? The company should the notify the Department of Labor and Employment (DOLE) of the adoption of a telecommuting arrangement.
From a data privacy perspective, what are the obligations of the employer and the employee under a telecommuting agreement?
Thus, for future reference, companies are advised to document their compliance with their employer obligations under a telecommuting agreement, as part of their overall data privacy compliance program.
In light of the enhanced community quarantine in effect, work-from-home arrangements have now become the norm. As the adverse effects of COVID-19 could very well extend even after the declaration of community quarantine is lifted, companies are advised to take further steps by advising or reminding their employees working from home:
As added security, employees should be advised not to use public wi-fi when accessing for instance, confidential or proprietary company or personal information, and to use Virtual Private Network when possible.
What if the company already has an existing work from home arrangement? If there is an existing company policy or practice allowing work from home or similar arrangements providing substantially similar or higher benefits prior to effectivity of the telecommuting rules (in early 2019), then the same shall apply provided that (i) the DOLE is duly notified thereof and (ii) the same is compliant with the data privacy law, regulations, and the company’s data privacy policies.