What Data Do You Need to Collect from Filipino Virtual Assistants

Last updated: December 15, 2025 By Mark

Here’s everything you genuinely need from a Filipino VA.

Their legal name. Bank account details for payment.

That’s the core list.

For US tax compliance, you need a W-8BEN form. It confirms they’re not US residents. It qualifies them for tax treaty benefits.

The form needs their name, address in the Philippines, and foreign tax ID.

You don’t need their employment history. You don’t need their family background. You don’t need photos of every document they’ve ever received.

That’s the simple gist of things. Here’s more of what you need to know.

What the FTC Started Doing in 2023 That Changed Everything

The Federal Trade Commission started cracking down on data collection.

They’re targeting companies that collect information without clear justification.

Companies that share data beyond what users consented to.

Companies that don’t delete data when it’s no longer needed.

One recent case involved geolocation tracking. The company collected location data from contractors. They couldn’t explain why they needed it.

The FTC made them stop. And pay penalties.

How to Set Up Systems That Don’t Collect Unnecessary Stuff

Most platforms collect way more than needed by default.

Time tracking software often includes screenshot capture. Activity monitoring. Website tracking. Keystroke logging.

Turn it off.

Configure systems to record start time, end time, total hours. Nothing else.

For invoicing, collect invoice number, hours worked, rate, total amount. Don’t store personal notes about people’s families or backgrounds in their profiles.

Access controls matter more than most employers realize.

Not everyone needs to see everyone else’s bank information. Your project managers don’t need access to payment details. Your accountant doesn’t need to see medical leave requests.

Set up user roles. Give people access only to what they need for their specific job.

This is called privacy by design.

It means your default settings protect privacy automatically. People don’t have to dig through menus to limit data collection.

The system does it for them.
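
The role setup and the start/end/total-hours rule above, sketched as an added example (not ManagePH's code or any platform's API). It is a deny-by-default field allowlist that also records what it withheld. The role names, field names and sample data are assumptions made up for illustration.

```python
# Added illustration: role names, field names and sample data are
# hypothetical and do not come from any real platform.

# Fields each role may read. Anything not listed is denied by default.
ROLE_FIELDS = {
    "project_manager": {"legal_name", "hours_this_month"},
    "accountant": {"legal_name", "bank_account", "w8ben_on_file"},
    "hr": {"legal_name", "medical_leave_requests"},
}
# The only fields a time entry may carry.
TIME_ENTRY_FIELDS = {"start", "end", "total_hours"}


def view_for_role(role, record, audit_log):
    """Return only the fields `role` may see and log what was withheld."""
    allowed = ROLE_FIELDS.get(role, set())  # an unknown role sees nothing
    visible = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    audit_log.append({"role": role, "granted": sorted(visible), "withheld": withheld})
    return visible


def minimize_time_entry(raw_entry):
    """Keep start/end/total hours and report any extra data the tracker sent."""
    kept = {k: v for k, v in raw_entry.items() if k in TIME_ENTRY_FIELDS}
    dropped = sorted(set(raw_entry) - TIME_ENTRY_FIELDS)
    return kept, dropped


# Constructed sample data.
SAMPLE_RECORD = {
    "legal_name": "Maria Santos",
    "bank_account": "PLACEHOLDER-0000",
    "w8ben_on_file": True,
    "hours_this_month": 152,
    "medical_leave_requests": ["2025-03-04"],
}
SAMPLE_TIME_ENTRY = {
    "start": "2025-06-02T09:00", "end": "2025-06-02T17:00", "total_hours": 8,
    "screenshots": ["img_001.png"], "keystroke_count": 18234,
}

if __name__ == "__main__":
    log = []
    print(view_for_role("project_manager", SAMPLE_RECORD, log))
    print(minimize_time_entry(SAMPLE_TIME_ENTRY))
    print(log)
```

A non-empty `dropped` list means the tracker is still sending more than the three allowed fields and its settings need another look.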

The Simple Security Steps Most People Skip

Multi-factor authentication should be mandatory.

If someone can access your team’s personal information with just a password, you’re not protecting it properly.

Bank account details need more than a password.

Government ID numbers need more than a password.

Health information definitely needs more than a password.

Enable MFA on everything that contains personal data.

Encryption matters too.

When a VA submits a W-8BEN form, don’t send it through regular email. Use encrypted file transfer. Or a secure platform.

When you store the form, it should be encrypted at rest.

NDAs are fine. They create legal obligations.

But they don’t prevent breaches.

You need technical controls. Encryption, access restrictions, audit logging, security training.

“We have an NDA” doesn’t satisfy the National Privacy Commission. They want to see actual security measures.

When to Delete Data (And Why Most People Never Do)

Most employers keep everything forever.

Old tax forms from contractors who left three years ago. Payment records from 2018. Time tracking data from people who worked for you once five years ago.

Why?

“We might need it.”

But here’s the thing.

Every old record creates ongoing obligations. Security requirements. Compliance responsibilities.

Tax records require seven-year retention in most cases.

After seven years, delete them.

You don’t need bank account details from 2015. You don’t need payment records from 2016. You don’t need tax forms from 2017.

Set calendar reminders. Review old data quarterly. Purge what’s past the retention period.

Document your deletion practices. Write down what you keep and for how long.

Then actually follow it.

Most companies have deletion policies. Almost nobody actually deletes anything.

Be different.

Why Philippine Law Applies to Your Remote Team

The Philippines Data Privacy Act of 2012 doesn’t care where your company is incorporated.

If you’re processing personal data belonging to Filipino citizens, Philippine law applies to you.

When a Filipino VA sends you their birth certificate to verify their identity, that document falls under Philippine data protection rules.

When you store their bank account numbers for monthly payments, those records must comply with National Privacy Commission requirements.

The GDPR Applies to More People Than You Think

“I’m not in Europe. GDPR doesn’t apply to me.”

Maybe.

If any of your clients are in the EU, GDPR might apply. If you’re marketing to EU residents, GDPR might apply.

GDPR follows the data.

Article 5 requires data minimization. Personal data must be “adequate, relevant and limited to what is necessary.”

That’s not optional.

Article 25 requires privacy by design. Your systems must collect minimal data automatically, as the default setting.

If your Filipino VA handles customer service for European customers, they’re processing EU personal data. GDPR applies.

Most employers don’t realize this until they’re already in violation.

Why the IRS Actually Cares About Your Filipino Contractors

New IRS guidance came out recently. Revenue Ruling 2025-3.

It clarifies when contractors get reclassified as employees.

If the IRS decides your Filipino VAs are actually employees, not contractors, everything changes.

Suddenly you need Form I-9 documentation. Payroll tax records. Compliance with employment laws you never prepared for.

You need way more data.

The IRS emphasizes consistency. If you treat similar workers differently, that’s a red flag. If you collect tons of information from some contractors but not others, auditors notice.

Here’s the smart approach.

Collect the minimum from everyone. Be consistent. Document your classification reasoning.

Don’t give the IRS reasons to dig deeper.

What You Can Do Right Now

Start with an inventory.

List every piece of information you collect about your team. Write down why you need each item.

This usually reveals you’re collecting stuff out of habit.

Review your onboarding process. What do you ask new VAs for?

Cut anything that isn’t immediately necessary.

Audit your current storage. Where is personal data right now?

Spreadsheets on someone’s laptop? Cloud storage with broad access? Old email threads?

Consolidate into secure systems. Delete the scattered copies.

Set up automated deletion. Most platforms can purge old records automatically.

Configure it based on your retention requirements.

Train your team. Make sure everyone understands what can be collected, how it should be stored, when it needs deletion.

Create simple opt-outs. If you’re collecting optional information like profile photos, make it easy to decline.

Document everything.

Write down why you collect each piece of data. Write down retention periods. Write down security measures.

This documentation protects you during audits. It forces you to think critically about whether each piece of data is truly necessary.
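
The inventory and deletion steps above, together with the retention rule from the deletion section, as an added example (not code from this post or from any platform). It builds a written inventory that drives a purge plan and flags anything collected without a documented reason. Only the seven-year tax period comes from the article. The other categories and periods, counting retention from contract end, and the sample records are assumptions.

```python
from datetime import date

# Added illustration. Only the seven-year tax period comes from the article;
# the other categories, periods and the sample records are assumptions.
INVENTORY = {
    # category: (why it is collected, years to keep after contract end)
    "w8ben_form": ("US tax compliance", 7),
    "payment_record": ("tax records", 7),          # assumed to follow tax period
    "bank_account": ("paying the contractor", 0),  # assumed: drop at contract end
    "time_entry": ("invoicing", 2),                # assumed period
}


def expiry(contract_end, years):
    """Date on which retention ends; Feb 29 falls back to Feb 28."""
    try:
        return contract_end.replace(year=contract_end.year + years)
    except ValueError:
        return contract_end.replace(year=contract_end.year + years, day=28)


def plan_purge(records, today):
    """Split record ids into delete / keep / undocumented."""
    plan = {"delete": [], "keep": [], "undocumented": []}
    for rec in records:
        entry = INVENTORY.get(rec["category"])
        if entry is None:  # no written purpose or period: needs review
            plan["undocumented"].append(rec["id"])
            continue
        if rec["contract_end"] is None:  # contractor is still active
            plan["keep"].append(rec["id"])
            continue
        due = expiry(rec["contract_end"], entry[1])
        plan["delete" if today >= due else "keep"].append(rec["id"])
    return plan


# Constructed sample records.
RECORDS = [
    {"id": "r1", "category": "w8ben_form", "contract_end": date(2017, 5, 31)},
    {"id": "r2", "category": "payment_record", "contract_end": date(2020, 2, 29)},
    {"id": "r3", "category": "bank_account", "contract_end": date(2024, 1, 15)},
    {"id": "r4", "category": "time_entry", "contract_end": None},
    {"id": "r5", "category": "family_notes", "contract_end": date(2023, 8, 1)},
]

if __name__ == "__main__":
    print(plan_purge(RECORDS, date(2025, 12, 15)))
```

Run it on the quarterly review date and save the returned plan next to the deletion log, so the written policy and what was actually purged can be compared.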

The Real Point of All This

Data minimization isn’t about compliance.

It’s about running a better business.

Less data means less to protect. Less to explain. Less to manage. Less liability when things go wrong.

The companies that get in trouble are the ones that collect everything.

The companies that stay out of trouble are the ones that collect only what matters.

Your Filipino VA doesn’t need you to store her entire life history.

She needs you to pay her on time, treat her fairly, and protect the information you actually need.

That’s simpler than most employers think.

Collect what you need. Protect it properly. Delete it when you’re done.

That’s the whole system.
