Data Privacy, Information Security and Work-from-Home Arrangements
Since the COVID-19 alert level was raised to Code Red Sublevel 2 on 12 March 2020, the government has strongly encouraged flexible work arrangements in the private sector. Flexible work arrangements can take various forms, which, broadly speaking, include telecommuting.
What is telecommuting? It is a work arrangement[1] wherein the employee works from an alternative workplace with the use of telecommunications and/or computer technologies.[2]
How can this be adopted? An employer in the private sector may offer a telecommuting program to its employees on a voluntary basis, (or as a result of collective bargaining), and upon such terms and conditions as they may mutually agree upon provided that the same shall not be less than the minimum labor standards set by law.[3]
What is a telecommuting agreement? It is the agreement between the employer and the employee in the implementation of a telecommuting work arrangement based on the telecommuting program of the company, CBA, and/or company rules and regulations.[4] The agreement should include the duration thereof, and the rights, duties, and responsibilities of the employee.[5] It should also include provisions on observance of data privacy policy[6]
What should the company do if it enters into a telecommuting agreement? The company should the notify the Department of Labor and Employment (DOLE) of the adoption of a telecommuting arrangement.
From a data privacy perspective, what are the obligations of the employer and the employee under a telecommuting agreement?
Thus, for future reference, companies are advised to document their compliance with their employer obligations under a telecommuting agreement, as part of their overall data privacy compliance program.
In light of the enhanced community quarantine in effect, work-from-home arrangements have now become the norm. As the adverse effects of COVID-19 could very well extend even after the declaration of community quarantine is lifted, companies are advised to take further steps by advising or reminding their employees working from home:
As added security, employees should be advised not to use public wi-fi when accessing for instance, confidential or proprietary company or personal information, and to use Virtual Private Network when possible.
As the enhanced community quarantine forces employees to spend more time online, this also exposes them to various sites that may contain suspicious links, pop-ups and downloadable files, resulting in a ransomware infection that locks them out of their devices, thereby defeating the purpose of telecommuting. Hence, the above measures, among others, should serve to complement the company’s existing data privacy policy.
On videoconferencing:
While videoconferencing platforms have now become commonplace, the company should review the Privacy Policy of these platforms before using them and take time to understand its basic features, in coordination with the company’s IT department, to ensure that these features are set consistent with the company’s data privacy policy and IT security policy.
What if the company already has an existing work from home arrangement? If there is an existing company policy or practice allowing work from home or similar arrangements providing substantially similar or higher benefits prior to effectivity of the telecommuting rules (in early 2019), then the same shall apply provided that (i) the DOLE is duly notified thereof[12] and (ii) the same is compliant with the data privacy law, regulations, and the company’s data privacy policies.
SOURCES:
[1] Section 1, D.O. No. 202 (Series of 2019), IRR of RA 11165.
[2] Section 3, RA No. 11165.
[3] Section 4, RA No. 11165.
[4] Section 2(c), D.O. No. 202 (Series of 2019), IRR of RA 11165.
[5] Section 3 par. 1, D.O. No. 202 (Series of 2019), IRR of RA 11165.
[6] Section 3 par. 2, D.O. No. 202 (Series of 2019), IRR of RA 11165.
[7] Section 5, D.O. No. 202 (Series of 2019), IRR of RA 11165.
[8] https://dict.gov.ph/cybersafety-during-the-covid-19-situation/https://www.privacy.gov.ph/2020/03/npc-phebulletin-no-4-protecting-personal-data-in-thetime-of-covid-19/
[9] https://www.consumer.ftc.gov/blog/2020/03/online-security-tips-working-home
[10] https://us.norton.com/internetsecurity-emerging-threats-working-from-home-due-to-coronavirus.html
[11] See https://www.ncsc.gov.uk/guidance/home-working
[12]Section 9, D.O. No. 202 (Series of 2019), IRR of RA 11165.