Data Privacy, Information Security and Work-from-Home Arrangements

Since the COVID-19 alert level was raised to Code Red Sublevel 2 on 12 March 2020, the government has strongly encouraged flexible work arrangements in the private sector. Flexible work arrangements can take various forms, which, broadly speaking, include telecommuting.

What is telecommuting? It is a work arrangement[1] wherein the employee works from an alternative workplace with the use of telecommunications and/or computer technologies.[2]

How can this be adopted? An employer in the private sector may offer a telecommuting program to its employees on a voluntary basis (or as a result of collective bargaining), and upon such terms and conditions as they may mutually agree upon, provided that the same shall not be less than the minimum labor standards set by law.[3]

What is a telecommuting agreement? It is the agreement between the employer and the employee in the implementation of a telecommuting work arrangement based on the telecommuting program of the company, CBA, and/or company rules and regulations.[4] The agreement should include the duration thereof, and the rights, duties, and responsibilities of the employee.[5] It should also include provisions on observance of data privacy policy.[6]

What should the company do if it enters into a telecommuting agreement? The company should notify the Department of Labor and Employment (DOLE) of the adoption of a telecommuting arrangement.

From a data privacy perspective, what are the obligations of the employer and the employee under a telecommuting agreement?

  • The employer must: (i) take appropriate measures to ensure the protection of data used and processed by the telecommuting employee for professional purposes; and (ii) inform the telecommuting employee of all relevant laws and company rules concerning data protection.
  • The employee must: (i) commit to the company’s data privacy policy; (ii) ensure that confidential and proprietary information is protected at all times; and (iii) ensure that confidential and proprietary information is only utilized in accordance with the requirements of the employer.[7]

 Thus, for future reference, companies are advised to document their compliance with their employer obligations under a telecommuting agreement, as part of their overall data privacy compliance program.

In light of the enhanced community quarantine in effect, work-from-home arrangements have now become the norm. As the adverse effects of COVID-19 could very well extend even after the declaration of community quarantine is lifted, companies are advised to take further steps by advising or reminding their employees working from home:   

  • to be wary of unverified and/or unproven COVID-19 websites or applications that require them to give their personal data, as these websites or applications might contain cyber threat intrusions that may compromise (i) the data privacy not just of the employee but also of other individuals (including the company’s customers/clients) and (ii) the security of the company’s confidential/proprietary information.
  • not to open messages or attachments from unknown sources, and to take time to review the authenticity of the email or message.
  • to be wary of fake news by reviewing and confirming the information/sources.[8]
  • to follow the protocols that the employer has implemented considering that the “home is now an extension of [the employer’s] office.”[9] For instance, employees should use their company-supplied laptops and/or mobile devices (which often come with security features) when working and not their personal devices.[10] However, if the company allows its employees to use their own devices to work remotely, then the employees should strictly comply with the company’s bring-your-own-device (BYOD) policy.[11]

As added security, employees should be advised not to use public Wi-Fi when accessing, for instance, confidential or proprietary company or personal information, and to use a Virtual Private Network (VPN) when possible.

As the enhanced community quarantine forces employees to spend more time online, it also exposes them to various sites that may contain suspicious links, pop-ups and downloadable files, which may result in a ransomware infection that locks them out of their devices, thereby defeating the purpose of telecommuting. Hence, the above measures, among others, should serve to complement the company’s existing data privacy policy.

On videoconferencing:

While videoconferencing platforms have now become commonplace, the company should review the Privacy Policy of each of these platforms before using it and take time to understand its basic features, in coordination with the company’s IT department, to ensure that these features are set consistently with the company’s data privacy policy and IT security policy.

What if the company already has an existing work-from-home arrangement? If there is an existing company policy or practice allowing work from home or similar arrangements providing substantially similar or higher benefits prior to the effectivity of the telecommuting rules (in early 2019), then the same shall apply provided that (i) the DOLE is duly notified thereof[12] and (ii) the same is compliant with the data privacy law, regulations, and the company’s data privacy policies.