Dear Atty. Kathy,
Our Company found out that a former employee, X, has been misrepresenting himself as still connected and an employee of the Company. X continued to sell the Company’s products after his separation last year, and would ask the Company’s customers to deposit payments to his personal bank accounts instead of the Company’s official bank accounts. Such fraudulent scheme resulted in substantial monetary losses to the Company and reputational damage. As a preventive measure, the Company would like to post notices in newspapers, its official website and social media accounts, as well as, within the Company’s premises, to officially announce that X is no longer an employee of the Company since last year. Will this not violate the Data Privacy Act of 2012?
Bailey
***
Dear Bailey,
National Privacy Commission Privacy Policy Office Advisory Opinion 2022-009 is applicable to your case.
Under the Data Privacy Act of 2012, the name of X and the fact that he is no longer employed with the Company are classified as personal information, the processing of which, may be based on any of the lawful bases under Section 12 of the DPA. Section 12(f) of the DPA provides that the processing of personal information is allowed if the same is necessary for the purpose of the legitimate interests pursued by the personal information controller (PIC) or by a third party.
The DPA does not particularly identify matters to be considered in the PIC’s determination of its legitimate interests. Based however on the said Advisory Opinion cited, the processing of personal information strictly necessary for fraud prevention purposes constitutes a legitimate interest.
The PIC, therefore, in your case, must establish that the disclosure of personal information will strictly be for the resolution of previously committed frauds and prevention of potential frauds. Further, the PIC must ensure that only personal information which are necessary and proportionate to the declared legitimate interest may be processed, considering the rights and freedoms of X, being the data subject.
In sum, based solely on the information you provided, disclosing the name and the fact that X is no longer employed with the Company is sufficient to meet the stated purpose, and is not violative of the DPA. However, any other information provided that is beyond the name and status of X as a non-employee may be considered as a violation of the DPA.
Atty. Kathy Larios