It is a common work set-up that employees, either in private establishment or government, are issued employer-owned computers or mobile devices in the conduct of their work. A work-specific e-mail address created by the employer is usually also provided. With this set-up, questions on whether an employee has a reasonable expectation of privacy, such that an employer may look into the employee’s employer-owned computer or mobile device that is left open, logged in, and/or visible to passers-by in the office premises.
A similar issue was answered by the National Privacy Commission (“NPC”) through its Advisory Opinion No. 2018-090 dated 28 November 2018 (“Opinion”). The query was regarding the use of office-issued mobile devices, in particular, whether the access of the employer to the employee’s personal iCloud account using an office-issued mobile device would be in violation of the employee’s rights to data privacy or constitute any of the offenses punishable under the Data Privacy Act of 2012 (“DPA”).
The NPC discussed the “reasonable expectation of privacy” test in determining whether there was a violation of the right to privacy, citing the 1998 Supreme Court case Ople v. Torres which ruled that reasonableness of a person’s expectation of privacy depends on a two-part test:
- Whether by his conduct, the individual has exhibited an expectation of privacy; and
- Whether this expectation is one that society recognizes as reasonable.
The “reasonable expectation of privacy” test was also used in the 2011 Supreme Court case of Pollo v. Chairperson Constantino-David which involves a search of office computer assigned to a government employee who was administratively charged. The Supreme Court cited several US jurisprudence as bases considering that our present Constitutional provision on the guarantee against unreasonable search and seizure had its origin in the US’ 1935 Charter. To resolve the issue in Pollo, the Supreme Court considered the following circumstances:
- the employee’s relationship to the item seized;
- whether the item was in the immediate control of the employee when it was seized; and
- whether the employee took actions to maintain his privacy in the item.
Thus, where the employee used a password on his computer, did not share his office with co-workers and kept the same locked, he had a legitimate expectation of privacy and any search of that space and items located therein must comply with the Constitutional guarantee to privacy.
In its Opinion, however, the NPC noted that the “reasonable expectation of privacy” test was used at a time when there were no laws on data protection and informational privacy and that such test should be revisited and interpreted in the context of the DPA.
It is the opinion of the NPC that through the DPA, the assumption now is that individuals have an expectation of privacy which is more than reasonable as it is now enshrined in the DPA. The “reasonable expectation of privacy” test should then take into consideration the standards provided under the DPA. This means that employees must be aware of the nature, purpose, and extent of the processing of his or her personal data in the workplace. The processing of personal information of employees shall also be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. Lastly, the processing of such information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
The NPC further opined that the fact that an employer has the ownership of the electronic means does not rule out the right of employees to privacy of their communications, related location data and correspondence. As such, employees have an expectation of privacy in their own personal iCloud accounts even if they are logged in using their office-issued mobile devices.
The NPC likewise advised that companies should revisit policies on the use of electronic communication devices, taking into consideration the DPA, especially data privacy principles and data subjects’ rights. This translates to clear and well-defined policies and practices as to the extent of monitoring, degree of intrusion, consequence to employees, and procedural guarantees against arbitrariness.
In sum, based on the NPC Opinion, even if the employer-issued computer or device can readily be seen or accessed, e.g. the same is not password protected or if protected, the password was saved in the device; or the device was shared with co-workers, the employee still has an expectation of privacy considering that the NPC requires the express consent of the data subject before personal data may be processed and shared in accordance with a declared and specified purpose which should be made known to the data subject.
While the application and interpretation of the provisions under the DPA have not yet reached the Supreme Court, it must be noted that interpretations of an administrative government agency (e.g. opinions/rulings) tasked to implement a statute are accorded great respect and ordinarily controls the statutory construction of the courts.
For further information, please contact:
Erika Joy B. Murcia, Partner, Angara Abello Concepcion Regala & Cruz (ACCRALAW)
ebmurcia@accralaw.com