WikiFrameworksPhilippines DPA (2012)Human Resources Security

Human Resources Security

Plain English Translation

Organizations are responsible for ensuring that all employees, agents, and representatives who handle personal data are subject to appropriate background checks, trained on privacy obligations, and bound by strict confidentiality duties. A formal process must exist for immediately revoking access when employment or a working relationship ends. These HR security controls prevent insider threats and unauthorized access to personal data.

Executive Takeaway

The organization must secure its workforce by integrating privacy training, strict confidentiality agreements, and formalized hiring and termination access controls.

ImpactHigh
ComplexityMedium

Why This Matters

  • Insider threats, whether malicious or negligent, are a primary cause of data breaches, making employee security controls critical.
  • Failure to enforce confidentiality agreements exposes the organization to legal liabilities and data exfiltration after an employee leaves.
  • The National Privacy Commission actively investigates organizations that lack demonstrable employee privacy training programs after a security incident.

What “Good” Looks Like

  • All employees sign strict Non-Disclosure Agreements (NDAs) that legally survive their employment term.
  • Mandatory data privacy and security awareness training is completed during onboarding and annually thereafter; tools like WatchDog Security's Security Awareness Training can track assignments, completions, and overdue follow-ups.
  • A formal offboarding checklist ensures IT and physical access is immediately revoked upon an employee's termination; tools like WatchDog Security's Compliance Center can help retain checklist evidence for audit review.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, human resources security requires organizations to implement careful hiring procedures, conduct privacy training, enforce strict confidentiality agreements, and maintain formal termination processes.

Yes, IRR Section 26(c) explicitly requires organizations to implement capacity building, orientation, or training programs for employees regarding privacy and security policies.

Orientation should cover the organization's privacy policies, proper data handling procedures, incident reporting protocols, and the fundamental rights of data subjects.

Yes, organizations must impose a duty of strict confidentiality on individuals processing personal data, typically enforced through Non-Disclosure Agreements (NDAs) that survive employment.

While the law mandates capacity building and orientation, industry best practice and National Privacy Commission expectations dictate that privacy awareness training should be conducted at least annually.

Employees must maintain strict confidentiality regarding all personal data they access. This obligation is binding during their employment and continues indefinitely even after they leave the organization.

During hiring, organizations must assess the potential employee’s capacity and competence to perform the role securely, especially evaluating their fitness to handle and access personal data.

Organizations must have a formal process for ending employment to ensure that inappropriate access to personal data does not occur, mandating the immediate revocation of IT and physical access.

Organizational security measures include appointing a Data Protection Officer, maintaining privacy policies, managing human resources security, and overseeing third-party processing contracts.

CISOs can prove compliance by presenting signed employee NDAs, training completion logs, documented hiring procedures, and completed termination checklists verifying access revocation.

Training programs are only useful for compliance when the organization can prove who completed them, when they were assigned, and whether overdue users were followed up. Tools like WatchDog Security's Security Awareness Training can support role-based privacy courses, completion tracking, and evidence records for RA 10173 employee training obligations.

Confidentiality controls require more than a signed template; organizations need a repeatable way to issue agreements, track acceptance, and show that updated obligations were communicated. Tools like WatchDog Security's Policy Management can help manage NDA-related policy versions, employee acknowledgements, and audit-ready acceptance records.

PHILIPPINES-DPA IRR Section 26(c)

"Any natural or juridical person or other entity involved in the processing of personal data shall have the responsibility of selecting and supervising its employees, agents or representatives... It must implement or impose: Procedures for hiring... Capacity building, orientation or training programs... Duty of Strict confidentiality... A formal process for ending a person's employment..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication