In the Philippines, the simple answer is YES.
Due to the COVID-19 pandemic, organizations are in uncharted territory on how to keep employees safe and still be able to follow the data privacy/protection law. Most organizations are in a quandary on whether personal information about the health of employees can be shared with the government or a public agency, “particularly without the consent of the relevant individual”. The secret to unlocking that quandary lies in understanding the principles that underpin data privacy / protection law and applying them in any particular set of circumstances. See ‘What Can Organizations Do?’ below for a checklist to help organizations get started.
Due to the COVID-19 pandemic, many new terminologies have become bywords in the corporate world - person under monitoring (PUM), person under investigation (PUI), social distancing, self-isolation, home quarantine, etc. Government use words such as enhanced community quarantine (ECQ) or circuit breaker. The general public still say “lockdown”.
Who would have imagined that aside from surrendering an ID to enter an office or building, visitors now also need to submit to temperature checks. Companies are monitoring the health status of their employees in unprecedented ways due to the contagiousness of the coronavirus. They are collecting personal information such as employees’ contact exposures, travel history, client meetings and maybe even the health status of employees’ family members.
In most ASEAN countries, there are laws and regulations that require infectious diseases to be reported to the government. In the Philippines, there is the Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act (RA11332). In Singapore, there is the Infectious Diseases Act (Chapter 137), while in Malaysia there is the Prevention and Control of Infectious Diseases Act 1998. These laws require not only medical institutions and medical professionals, but also private institutions and workplaces to accurately and immediately report notifiable diseases and health events of public interest to the relevant government agency. In some cases, the national government, together with local authorities, sets up disease surveillance units.
There are also various laws that require employers to provide a safe working environment. Employers generally do so: installing guards on dangerous machinery, controlling noxious chemicals, fumes and dangerous liquids, properly ventilating factories and offices, guarding against various other physical hazards, providing first aid facilities, reporting workplace incidents and accidents, etc. Taking at least reasonable steps to shield employees from diseases, including infectious diseases is always on the list too. But generally this does not appear high up on an employer’s ‘to do’ list. Employees might catch a cold or even a seasonal ‘flu, but beyond perhaps keeping them away from the workplace for a few days and causing some loss in productivity, such infectious diseases are little more than minor irritants. COVID-19 and its potential health consequences is very clearly different. There is debate around the extent to which employers may need to protect their employees from COVID-19 infection in the workplace, but little or no argument about employers having some such obligation.
So, in this time of the COVID-19 pandemic, companies need to comply with laws about notifying infectious diseases, etc., while also securing the safety and well being of their employees and complying with data privacy / protection obligations. It is reasonable to assume that even after the imposed lockdown is lifted or modified in some ways by governments, and perhaps for quite a long time afterwards, a new norm in employee monitoring will need to be adopted by organizations.
Risks to be aware of
Review your processes
Best practices for Staff
Companies need to put in place the proper mechanism or standard operating procedures to carry out its accountability and compliance with the relevant laws. It has an obligation to provide the necessary protection to a data subject’s personal information. And be mindful of balancing the legal requirement vis-a-vis data subject rights.
Contributed by Edwin Conception FIP, CIPM, CIPT, CIPP/E
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region
The novel coronavirus, or COVID-19, has been receiving global attention, and co…
On Wednesday, 11 March 2020, the World Health Organisation (WHO) declared COVID…
Here are some general tips that your organisation can follow at each stage of i…