Human Resources Security
Plain English Translation
Organizations are responsible for ensuring that all employees, agents, and representatives who handle personal data are subject to appropriate background checks, trained on privacy obligations, and bound by strict confidentiality duties. A formal process must exist for immediately revoking access when employment or a working relationship ends. These HR security controls prevent insider threats and unauthorized access to personal data.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Require all new hires to sign an NDA before their first day of work.
- Remove user accounts manually within 24 hours of an employee's departure.
Required Actions (scaleup)
- Implement a learning management system (LMS) to track annual security and privacy training completion.
- Automate the provisioning and de-provisioning of access via single sign-on (SSO) tied to the HR system.
Required Actions (enterprise)
- Integrate continuous privacy awareness modules into daily workflows and test staff with regular simulated phishing campaigns.
- Implement zero-trust network access (ZTNA) where employee access is dynamically evaluated based on role, device health, and training status.
Under RA 10173, human resources security requires organizations to implement careful hiring procedures, conduct privacy training, enforce strict confidentiality agreements, and maintain formal termination processes.
Yes, IRR Section 26(c) explicitly requires organizations to implement capacity building, orientation, or training programs for employees regarding privacy and security policies.
Orientation should cover the organization's privacy policies, proper data handling procedures, incident reporting protocols, and the fundamental rights of data subjects.
Yes, organizations must impose a duty of strict confidentiality on individuals processing personal data, typically enforced through Non-Disclosure Agreements (NDAs) that survive employment.
While the law mandates capacity building and orientation, industry best practice and National Privacy Commission expectations dictate that privacy awareness training should be conducted at least annually.
Employees must maintain strict confidentiality regarding all personal data they access. This obligation is binding during their employment and continues indefinitely even after they leave the organization.
During hiring, organizations must assess the potential employee’s capacity and competence to perform the role securely, especially evaluating their fitness to handle and access personal data.
Organizations must have a formal process for ending employment to ensure that inappropriate access to personal data does not occur, mandating the immediate revocation of IT and physical access.
Organizational security measures include appointing a Data Protection Officer, maintaining privacy policies, managing human resources security, and overseeing third-party processing contracts.
CISOs can prove compliance by presenting signed employee NDAs, training completion logs, documented hiring procedures, and completed termination checklists verifying access revocation.
Training programs are only useful for compliance when the organization can prove who completed them, when they were assigned, and whether overdue users were followed up. Tools like WatchDog Security's Security Awareness Training can support role-based privacy courses, completion tracking, and evidence records for RA 10173 employee training obligations.
Confidentiality controls require more than a signed template; organizations need a repeatable way to issue agreements, track acceptance, and show that updated obligations were communicated. Tools like WatchDog Security's Policy Management can help manage NDA-related policy versions, employee acknowledgements, and audit-ready acceptance records.
"Any natural or juridical person or other entity involved in the processing of personal data shall have the responsibility of selecting and supervising its employees, agents or representatives... It must implement or impose: Procedures for hiring... Capacity building, orientation or training programs... Duty of Strict confidentiality... A formal process for ending a person's employment..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication |

