Compliance with the Philippine Data Privacy Act 2023 - A Guide For Employers

Most organizations in the Philippines conduct pre-employment background checks to verify the candidate’s credentials and reduce the risk of bringing in bad hires. However, it’s not enough to simply complete the checks. The Philippines, after all, has a strict law that dictates the proper way to conduct them. Is your company compliant with the law? What are the consequences of processing personal information without the right order in place? Learn more about the Philippine Data Privacy Act (DPA) and how it affects background checks for employment here. 

Types Of Background Checks Businesses Commonly Run On Filipino Employees And Contractors

Before hiring someone, companies often conduct standard background checks, including the following:

• Criminal History. Employers usually ask candidates to present an NBI Clearance form, which shows that their criminal background check by the National Bureau of Investigation (NBI) came back clean. 
• Employment Verification. The HR Department usually gets in touch with the candidate’s previous employers to determine details like dates of employment, roles, and achievements. 
• Reference Checks by contacting the references provided by the applicant to gain insights into their credentials and work attitude. 
• Educational Background. Companies often call the candidate’s previous college or university to request information, like graduation dates, courses, and honors. 

Depending on the industry and position, organizations may also conduct additional background checks, like credit scores, health checks, and social media profiles. 

But, Are Background Checks Legal in The Philippines?

Conducting these background checks requires the processing of personal, and sometimes, sensitive information. For it to be legal, the whole process should be in accordance with the Data Privacy Act.  Processing refers to any operation performed upon personal information, including, but not limited to, collection, storage, and destruction of data. 

Generally, pre-employment background screening is legal so long as the stipulations of the law are met. As an employer, if you process personal information illegally, you may pay fines and even face imprisonment. 

Data Privacy Act in the Philippines and How It Affects Background Checks for Employment

The Data Privacy Act in the Philippines is not designed specifically for background screening. However, its stipulations dictate how an organization can process personal, and sometimes, sensitive information. Failure to comply with these conditions has legal consequences. In the following sections, we’ll discuss DPA in connection with background checks for employment. 

What’s Considered As Personal Information?

When you conduct background checks, you need to process personal information. Personal information refers to any information that can be used to identify the candidate or employee. It also includes information that, when combined with other data, can directly or certainly identify the individual. 

General Principles of the Data Privacy Act

The processing of personal information, which employers utilize for background checks, is allowed as long as it complies with the DPA and other applicable laws. The general principles of the Philippine Data Privacy Act center on the following:

• The information should only be processed in a way that’s compatible with a legitimate, declared, and specified purpose. Note that the purpose must not be contrary to morals, laws, or public policy. 
• Employers must process personal information that is only necessary, relevant, adequate, and not excessive for the declared legitimate purpose. 
• The information should be accurate and complete; inaccurate or incomplete data must be corrected, supplemented, or destroyed, or there should be restrictions in processing them further. 
• Companies must only keep personal information for only as long as necessary for the purpose for which it was collected. 
• The information must also be kept in a form that identifies the candidate or employee for no longer than necessary. 

What It Means For The Information To Be Processed and Retained Lawfully 

As an employer, you must know how to legally process and retain personal information. 

The processing of information is lawful when it follows the principles of DPA, is not prohibited by the law, and when at least one condition outlined in Section 12 of DPA exists. 

There are several conditions listed in Section 12. Among them, the most relevant for employers is obtaining the candidate or employee consent. They must be informed of the purpose, nature, and extent of the processing of their information. This involves the safeguards and risks involved and their rights. Note that the applicant has the right to refuse, withdraw consent or object. 

Another condition that makes the processing of information lawful is when the processing is necessary for the company to comply with a legal obligation they are subject to. 

On the other hand, the retention of personal information should only be for as long as necessary for the legitimate purpose declared. Aside from this, companies can also retain the information:

• For the establishment, exercise, and defense of legal claims 
• For a legitimate business purpose consistent with the standards followed by the industry or approved by the appropriate government agency 

After retaining the information per the law, it should be disposed of or discarded securely in such a way that prevents unauthorized access, further processing, or disclosure to another party or the public. 

Is Processing of Sensitive Personal Information Legal?

While conducting background checks, employers usually need to access some sensitive personal information. According to the DPA, sensitive personal information includes:

• Age
• Ethnic origin 
• Race
• Marital status
• Color 
• Philosophical, religious, and political affiliations
• Education 
• Genetics 
• Health
• Intimate relationships
• Proceeding for any offense committed or alleged to have been committed by an individual
• Government-issued IDs 
• Those established by an executive order or an act of Congress to be kept classified.

However, the processing of sensitive personal information is prohibited. Employers can only process sensitive personal information if they satisfy certain conditions under the Data Privacy Act. One such condition is when the candidate or employee has given their consent before the processing. 

Other cases where the processing of sensitive personal information is legal is when it is:

• Necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that the information stays within the bona fide members of the concerned organization or associations, is not transferred to third parties, and provided that the individual has given their consent before the processing. 
• Provided for by existing laws and regulations, provided that the said laws and regulations do not require the individual’s consent and guarantee the protection of personal data. 
• Necessary to protect the health and life of the individual or another person, and the concerned cannot physically or legally provide their consent before the processing.  
• Necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority.
• It is necessary for medical treatment, provided that it is carried out by a medical practitioner or institution and that measures were taken to protect the information. 

The Rights of Candidates According to the Data Privacy Act

Before the processing of their personal information, an applicant or employee must be informed that their personal information will be processed. As employers, you must inform them of the following before entering their personal data into your system:

• The description of the personal information to be entered into the system
• The reason why they are being or will be processed
• The scope and method of the personal information processing
• The recipients or classes of recipients to whom the information is or may be disclosed
• The methods used for automated access, if allowed by the candidate or employee, and the extent to which such access is permitted
• The identity and contact details of the ones processing the information
• The existence of the employee's or candidate’s rights

The individual also has the right to demand reasonable access to their information, including the content and sources from which the data was obtained. 

Likewise, the candidate or employee has the right to dispute incomplete or inaccurate information and ask the company to correct it. The third parties who have received the previous information must also be informed of its inaccuracies and rectifications upon the request of the applicant or employee. 

If there is proof that the personal information is inaccurate, outdated, incomplete, illegally obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected, the individual has the right to order the blocking, removal, or destruction of the information from the company’s system. 

Finally, should there be damages due to inaccurate, outdated, incomplete, illegally obtained and used information, the individual has the right to be protected from legal consequences. 

Penalties For Failing To Comply

The Philippine Data Privacy Act has a long list of penalties should the data process controller, which in this case, is the company, fails to comply with the stipulations. Below is a table showing the type of violation and and their corresponding penalties: 

Proposed Changes to the Data Privacy Act

In 2022, two House Bills - 892 and 898 - were filed, seeking to make some amendments to the current Data Privacy Act. Should amendments from House Bill 892 be approved, employers can expect the following changes:

• Increased penalties both for fines and period of imprisonment for violating DPA
• Perpetual and absolute disqualification for a public official or employee who violates DPA

Meanwhile, some of the amendments House Bill 898 seeks include:

• Defining biometric and genetic data
• Including biometric and genetic data, and labor affiliation, under sensitive information
• Including the performance of a contract as a new criterion of the lawful basis for processing sensitive personal information.

Background Check Mistakes to Avoid in the Philippines

Considering the stipulations under the Data Privacy Act, below are some of the common mistakes employers make when conducting background checks:

• Not having a strong policy in place to process, store, and discard personal information securely. This opens your company to errors that may have legal consequences. 
• Not obtaining formal written consent. Many private companies in the Philippines simply ask candidates to provide documents, such as Annual Physical Exam results and Transcripts of Records from their colleges and universities. However, they usually do not obtain formal written consent specifically explaining how they are going to process and store these documents. Education and health information are sensitive personal information and processing them without consent is illegal. 
• Collecting more information than necessary. Some companies feel that it’s better to collect more information in case they need it later. However, having more information also means the company is more vulnerable to legal violations. 
• Electing to ignore the law altogether thinking that mistakes made by small companies go undetected. 

‍

Many startups or small businesses also make the huge mistake of skipping background checks. Background checks verify if the credentials a candidate presents are authentic, helping you choose the talent that has the knowledge and skills to take on the role. Furthermore, some background checks, like criminal history checks, help promote workplace safety, preventing you from hiring someone who might be a threat to the company and the public. Hence, it’s a huge mistake to not conduct background checks at all. 

How Veremark Can Help

While most companies are aware that the country has a Data Privacy Act, many may not have adequate knowledge of how its principles affect their business. It’s also possible that they understand its conditions but don’t have the resources and experience to ensure compliance. As a result, they may unintentionally process candidate and employee data illegally while conducting background checks. 

Veremark has the processes, technology, and compliance framework to safeguard personal information. Trusted by the world’s best workplaces, including countless Filipino business in the Tech, IT, Outsourcing and Staffing and Professional Services sectors, Veremark conducts background checks in accordance with the Data Privacy Act and other relevant laws, significantly reducing the risk of legal consequences. We guarantee an accurate and straightforward presentation of screening results so you can make informed hiring decisions and ensure total compliance throughout.

Conclusion

It’s a best practice to conduct background checks on candidates to verify their credentials and gain insights into their personality. However, it’s not enough to simply complete the necessary checks. If your company processes personal information and sensitive data without the right order in place, you risk paying at least hundreds of thousands of pesos and facing several years in prison. It is for this reason that many organizations choose to partner with expert third parties like Veremark, a background screening provider capable of conducting multiple checks while staying compliant with the Data Privacy Act and other applicable rules and regulations.