Just as the year is ending, it is also common for businesses to part ways with some of their employees.
When an employee who usually deals with clients on a regular basis resigns, is separated or is terminated, companies sometimes find it necessary to give notice to their clients that such employee is no longer connected with the business. This notice is usually made through an announcement in a newspaper, the company’s website or various social media platforms.
Some of these announcements contain the names and positions of the separated employees as well as the fact of separation. Others will provide more details by including a picture and address of the employee as well as other personal information together with a statement or warning by the company that people should not deal with this person or that this person committed some violation or infraction. A sample of an announcement is shown below.
The kind of information contained in such an announcement by the company is material and relevant because how companies handle and use the information of its employees may cause it to run afoul of the Data Privacy Act of 2012 (Republic Act No. 10173). This law mandates and provides limitations and sanctions for violation of the “processing” of personal information and sensitive personal information by those persons or entities having control or use of the information.
The National Privacy Commission, which was created by the Data Privacy Act, has been tasked to administer and implement the provisions of the law and to monitor and ensure compliance by the country with international standards set for data protection.
Our personal information is protected by the Data Privacy Act which brings to the fore the data privacy rights of all persons and the right of every person to decide when, how, and to what extent their personal information is
shared to others. It also provides for duties and responsibilities upon those who control or process personal information.
Personal information is any information whether recorded in a material form or not, from which the identity of an individual is clear or can be reasonably ascertained or when put together with other information would enable identification of the individual.
There are also personal information that are classed as sensitive personal information and these refer to:
(1) An individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) An individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Information specifically established by an executive order or an act of Congress to be kept classified.
The question on how to make an announcement and what it may contain was addressed by the National Privacy Commission in its Advisory Opinion 2022-009 issued last March 2, 2022. The advisory opinion was made in response to a query by a bank which narrated that it had experienced cases wherein former employees had misrepresented to existing clients (e.g., branch clients) that they were still authorized to transact on the bank’s behalf.
The bank said there were some instances where former employees would solicit deposits from these clients, sell bank products to extort money or do fraudulent acts such as asking clients to transfer money to their accounts which they would misappropriate for themselves.
The bank wanted to know whether it would be allowable for it to have published in newspapers, the bank website, the bank’s social media account and notices within the banking premises, an announcement that the employee is no longer connected with the bank.
The National Privacy Commission stated that under the Data Privacy Act, the names of the employees and the fact that they are no longer employed are classified as personal information, the processing of which must comply with the law.
Section 12 of the law provides that processing of personal information is permitted when:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Specifically in this instance, Section 12 (f) of the Data Privacy Act provides that the processing of personal information is allowed if the same is necessary for the purpose of the legitimate interests pursued by the personal information controller, which in this case is the bank.
To justify the existence of legitimate interest, the disclosure of personal information must pass three tests. The first is that there must be a clear and present legitimate interest which is identifiable. The second is that the disclosure is necessary to achieve the legitimate interest. Lastly, the disclosure must balance the fundamental rights and freedom of the subject, in this case that of the employee, which should not be overridden by the legitimate interest of the party making the disclosure.
The National Privacy Commission found that the objective to prevent potential fraud and misrepresentation by a separated employee is sufficient legitimate interest and that the announcement in a public forum is necessary to achieve this interest. It advised the bank to ensure that only personal information which are necessary and proportionate to the declared legitimate interest may be processed, considering the rights and freedoms of the data subjects.
In its advisory, the National Privacy Commission stated that an announcement by a company that an employee is no longer connected with it should only contain:
(1) The name of the employee, and
(2) The fact that the employee is no longer employed with the company.
Any other information beyond that may be considered disproportional.
(The author, Atty. John Philip C. Siao, is a practicing lawyer and founding Partner of Tiongco Siao Bello & Associates Law Offices, a Professor at the MLQU School of Law, and an Arbitrator of the Construction Industry Arbitration Commission of the Philippines. He may be contacted at jcs@tiongcosiaobellolaw.com. The views expressed in this article belong to the author alone.)