Most Philippine business owners assume that because the work computer, the office, and the email account all belong to the company, employee monitoring is automatically legal. That assumption is wrong — and it leads to real Data Privacy Act violations.
Workplace surveillance is governed by the same Data Privacy Act that governs customer data. Employees are data subjects too. They have rights. And those rights override the convenience of unrestricted monitoring.
This guide walks through what Philippine employers can and cannot legally do in 2026 — and the consent requirements that make the difference.
The Basic Principle
Under RA 10173 and NPC Advisory Opinion 2018-021, employee monitoring is permitted only when:
- There is a legitimate business interest, AND
- The monitoring is necessary and proportionate to that interest, AND
- The employee has been informed in writing, AND
- The monitoring is the least intrusive method available
All four conditions must be met. Missing any one makes the monitoring unlawful.
What You Can Legally Monitor (With Proper Setup)
CCTV in Common Areas
Permitted in: entrances, hallways, customer-facing areas, warehouses, parking, cash register areas, areas with valuable equipment.
Required:
- Visible signage informing all entrants (employees, customers, visitors)
- Written employee consent at hiring (and re-consent if policies change)
- Specific purpose stated (security, theft prevention, safety)
- Retention period (typically 7-30 days, then deleted)
- DPO oversight of access to recordings
Work Email and Work Devices
Permitted with constraints. You can monitor:
- Volume and timing of email traffic
- Attached files for security/malware
- Use of restricted websites or apps
- General productivity metrics (aggregate)
But you cannot:
- Read employee personal emails sent from work accounts
- Access password-protected personal cloud accounts on work devices
- Read content of communications that are personal in nature even if on work systems
The line: monitoring traffic patterns is generally OK. Reading specific personal messages without legal grounds is not.
Internet Usage on Company Networks
You can monitor and restrict:
- Sites visited (URL logs)
- Bandwidth usage
- Specific blocked categories (gambling, adult, social during work hours)
You cannot:
- Decrypt HTTPS traffic to read encrypted messaging content (banking, personal messages)
- Track usage during legally protected break times in ways that violate the Labor Code
What You CANNOT Legally Do
CCTV in Private Areas
Strictly prohibited:
- Restrooms (any)
- Changing rooms
- Lactation rooms
- Inside individual private offices without consent
- Areas used for legitimate privacy expectations
This is a hard line. Cameras in any of these areas are an automatic violation regardless of any other consent.
Reading Personal Emails on Personal Accounts
Even on work devices, employees retain privacy in their personal accounts. You cannot:
- Force access to personal Gmail credentials
- Read personal Facebook messages on work browsers
- Access personal phone contents without specific consent
The fact that the device belongs to the company does not grant access to personal data on it.
Continuous Keystroke Logging or Screen Recording
Generally not permitted as routine monitoring. Considered disproportionate under NPC guidance. Permitted only for narrow security investigations with documented justification and time-limited scope.
Tracking Employees Outside Work
GPS tracking on personal phones, monitoring social media on personal time, requiring location sharing during off-hours — all generally prohibited absent specific legitimate need (e.g., field service routing during work hours only).
Required Documentation
For lawful employee monitoring, you must maintain:
- Privacy Notice for Employees (separate from the customer Privacy Notice). Tells them what is monitored, why, who has access, retention periods.
- Written employee consent at hiring with re-consent when policies change.
- DPO designation with clear oversight of monitoring activities.
- Access logs showing who accessed monitoring data and when.
- Retention schedule showing when monitoring data is deleted.
- Incident response plan for breaches of monitoring data.
Most Philippine SMEs have none of these. That is the compliance gap.
The 5 Most Common Workplace Privacy Violations
From NPC complaint records and our audit findings:
- CCTV in restrooms or changing rooms — instant violation, can result in criminal charges in addition to administrative penalties
- Reading personal Messenger chats on work computers — common, illegal absent specific grounds
- Demanding social media passwords as a condition of hiring — explicitly prohibited
- Tracking employee locations 24/7 via company phones — disproportionate, not lawful
- Sharing CCTV footage on company Facebook Page for "shaming" — multiple violations (consent, retention, purpose limitation)
What to Do If You Currently Monitor Employees Without Proper Setup
If you have been monitoring without the required consent and documentation, fix it forward — do not panic-delete the monitoring entirely (it has legitimate uses). Steps:
- Pause any monitoring you cannot legally justify
- Draft an Employee Privacy Notice
- Obtain written consent from all current employees with a reasonable explanation
- Update your DPO process to oversee monitoring data access
- Document retention schedules for each type of data
- Train HR and supervisors on what they can and cannot access
This brings you into compliance going forward. Past data accessed without proper basis cannot be retroactively cured, but ongoing exposure is reduced.
Frequently Asked Questions
Do I need to inform employees if I have CCTV?
Yes — visibly and in writing. Cameras hidden from employee view violate the Data Privacy Act regardless of who placed them or why.
Can I read an employee's work email after they resign?
Limited use. You can preserve the inbox for legal/business continuity, but you cannot read personal content. NPC guidance suggests a designated, documented access process — not casual reading.
What about freelancers and contractors?
Same rules apply. Anyone whose data you process — employee, contractor, intern — has the same data subject rights.
Are there sector-specific exceptions?
Some — financial services, healthcare, and security industries have specific regulatory monitoring requirements that override default privacy. Check with your industry regulator and NPC for specifics.
Get Your Workplace Privacy in Order
Employee privacy is one of the most common compliance gaps we find during DPO audits — and one of the most under-recognized risks. At RDahunan I.T. Services we draft Employee Privacy Notices, consent forms, and monitoring policies as part of our DPO service. Want a free 30-minute workplace privacy assessment? Send us a message.
General DPO guidance. Not legal advice. Consult a Philippine labor lawyer for employment-specific issues.
