Most foreign employers hiring Filipino remote workers have never heard of the National Privacy Commission.
That’s a problem.
The Philippine Data Privacy Act (Republic Act 10173) applies to you the moment you collect personal data from a Filipino worker.
That includes onboarding documents, time tracking logs, payroll records, and compliance forms.
Non-compliance carries fines of up to ₱5,000,000 under NPC Circular No. 2022-01.
This guide covers exactly what RA 10173 requires, how it affects your remote work contracts, and what you need to put in place before your next hire.
Philippine Data Privacy Act (RA 10173)
RA 10173 was signed into law in 2012 and is enforced by the National Privacy Commission. It governs how personal data about Filipino individuals is collected, stored, processed, and shared — regardless of where the employer is located.
If you’re a US, UK, or Australian employer with Filipino remote workers, you are subject to this law.
Under RA 10173, personal data includes anything that identifies or could identify a person: names, addresses, government IDs, bank details, payroll records, time logs, screenshots, and activity data captured by monitoring tools.
Three principles govern how you can handle that data:
Legitimacy — You need a legal basis to collect it. For employment relationships, that’s usually contractual necessity or legal obligation. “I want to” is not a legal basis.
Transparency — You must tell workers what data you’re collecting, why, and how it will be used. This must happen before collection begins.
Proportionality — The data collected must match the stated purpose. Collecting more than you need — or monitoring more than your business requires — is a violation, not just bad practice.
The 5 Pillars of NPC Compliance for Remote Workforces
Meeting RA 10173 isn’t just about what you collect — it’s about how you protect it. The NPC requires these baseline security measures for any organization handling Filipino personal data:
1. Access controls — Only personnel who need specific data to do their job should have access to it. A payroll manager needs bank details. A project manager does not.
2. Secure transmission — Personal data must be sent through encrypted channels. Sending bank details and tax documents over regular email is not compliant. Use encrypted file transfers or a secure platform.
3. Immediate access revocation — When a contractor relationship ends, all system access must be cut off immediately. Former workers should not retain login credentials to your tools or data.
4. Encryption at rest and in transit — Data stored on your systems — payroll records, ID documents, compliance forms — must be encrypted. So must data moving between systems.
5. Documented data retention and deletion — You cannot keep personal data indefinitely. Set a retention schedule. Delete data you no longer need. Document when and how deletion occurs.
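Pillars 1 and 5 are the two that translate most directly into something you can run. The following is an added example, not code from the original guide or from the NPC: it enforces an assumed retention schedule over contractor records, writes an audit entry for every deletion (the "document when and how deletion occurs" part), and applies a role-to-field mapping so that a payroll manager sees bank details and a project manager does not. The record categories, retention periods, roles and sample values are all constructed for illustration; the law does not prescribe these specific periods.

```python
"""Added example (not from the original guide): enforcing a documented
retention schedule and least-privilege field access over contractor records.
Categories, retention periods, roles and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed retention schedule, in days after the contractor relationship ends.
# The page does not prescribe periods; these are illustrative placeholders.
RETENTION_DAYS = {
    "payroll": 3 * 365,
    "tax_form": 3 * 365,
    "time_logs": 365,
    "id_document": 30,
}

# Assumed role-to-field mapping (pillar 1): the payroll manager needs bank
# details, the project manager only needs work-related fields.
ROLE_FIELDS = {
    "payroll_manager": {"worker_id", "name", "bank_account", "tax_id", "hours"},
    "project_manager": {"worker_id", "name", "hours"},
}


@dataclass
class Record:
    worker_id: str
    category: str
    relationship_ended_on: Optional[date]  # None while the contractor is active


def retention_deadline(record: Record) -> Optional[date]:
    """Date on which the record becomes due for deletion; None for active contractors."""
    if record.relationship_ended_on is None:
        return None
    return record.relationship_ended_on + timedelta(days=RETENTION_DAYS[record.category])


def apply_retention(records, today: date):
    """Split records into those kept and an audit log of those deleted.

    Every deletion is written down with the date, the category and the rule
    that triggered it (pillar 5). Records of active contractors are never touched.
    """
    kept, audit_log = [], []
    for record in records:
        deadline = retention_deadline(record)
        if deadline is not None and today >= deadline:
            audit_log.append({
                "worker_id": record.worker_id,
                "category": record.category,
                "deleted_on": today.isoformat(),
                "reason": (f"{RETENTION_DAYS[record.category]}-day retention period "
                           f"expired on {deadline.isoformat()}"),
            })
        else:
            kept.append(record)
    return kept, audit_log


def view_for_role(row: dict, role: str) -> dict:
    """Return only the fields the role may see; an unknown role gets nothing."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"no field access defined for role {role!r}")
    return {k: v for k, v in row.items() if k in allowed}


# Constructed sample data: one former contractor (ended 2023-12-01) and one active.
SAMPLE_RECORDS = [
    Record("W-001", "id_document", date(2023, 12, 1)),
    Record("W-001", "time_logs", date(2023, 12, 1)),
    Record("W-001", "payroll", date(2023, 12, 1)),
    Record("W-002", "payroll", None),
]
SAMPLE_TODAY = date(2025, 1, 1)
SAMPLE_ROW = {"worker_id": "W-002", "name": "Example Worker",
              "bank_account": "CONSTRUCTED-0000", "tax_id": "CONSTRUCTED-TIN", "hours": 160}


def run_demo():
    """Apply the schedule to the sample data and build two role views of one row."""
    kept, audit_log = apply_retention(SAMPLE_RECORDS, SAMPLE_TODAY)
    return {
        "kept_categories": sorted((r.worker_id, r.category) for r in kept),
        "deleted_categories": sorted((e["worker_id"], e["category"]) for e in audit_log),
        "audit_log": audit_log,
        "payroll_view": view_for_role(SAMPLE_ROW, "payroll_manager"),
        "project_view": view_for_role(SAMPLE_ROW, "project_manager"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run as a script, it shows the former contractor's ID document and time logs deleted (30-day and 365-day periods have passed by 2025-01-01), the three-year payroll record kept, the active contractor untouched, and the project manager's view stripped of bank and tax fields. The audit log entries are the evidence you would produce if the NPC asks when and why a record was deleted.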
For questions about what applies to time tracking specifically, see our guide on legal access to time logs.
How to Create BYOD Policies for Remote Workers Using Personal Devices
BYOD — Bring Your Own Device — is the default for most remote contractor arrangements. Buying laptops for every hire isn’t practical. But it creates data privacy obligations you can’t ignore.
Your BYOD policy must draw a clear line between what you can and cannot access on a personal device.
You CAN monitor: company email accounts, work applications you manage, logs related to your own systems and data.
You CANNOT monitor: personal photos, personal messages, personal browsing history, or any application unrelated to work.
This distinction isn’t just policy — it’s a legal requirement under RA 10173. Monitoring personal data on a personal device without consent and legitimate purpose is a violation.
Security requirements to include in your BYOD policy: strong passwords on any device accessing company systems, multi-factor authentication for company accounts, VPN for connections to company resources, and up-to-date anti-malware software.
Write this out explicitly. Workers need to know what you can see before they agree to use their own device.
For a detailed breakdown of where this line sits, see our guide on monitoring company devices vs privacy.
Network Security Requirements for Remote Workers and Virtual Assistants
Remote workers connect from home networks you don’t control. That’s a data security risk that RA 10173 holds you accountable for.
Require VPN use whenever contractors access company systems. A VPN encrypts the connection between their device and your network, protecting data in transit — which is a specific NPC requirement under the security pillar.
Set minimum home network standards: password-protected WiFi, no public WiFi for work access without a VPN active.
Define which tools and platforms are approved for work use. Shadow IT — workers using unapproved apps to handle company data — creates exposure you can’t manage.
Required Compliance Documents When Hiring Filipino Contractors
Compliance documents contain some of the most sensitive personal data you’ll ever collect from a contractor. RA 10173 applies directly to how you handle them.
The W-8BEN form is the most common for US-based employers. It certifies the contractor as a foreign person not subject to US tax withholding. Your policy should explain what it is, why it’s required, and how to submit it.
For every compliance document you collect, your policy must state:
- The legal basis for collection (contractual necessity or legal obligation)
- How the document will be stored and who can access it
- How long it will be retained before deletion
- How the contractor can request access to or deletion of their own data
Provide clear templates and instructions. Most Filipino remote workers are not familiar with US or UK tax forms. Reducing confusion upfront reduces errors and repeated submissions.
Essential Data Privacy Clauses for Your VA Contract
A verbal understanding is not enough. RA 10173 requires documented consent and disclosure — and your contractor agreement is where that happens.
Every contract with a Filipino remote worker should include these clauses:
Data Collection Disclosure — A specific list of what personal data you collect, including monitoring tools, payroll data, compliance documents, and any third-party platforms that process their data.
Purpose Limitation — A statement that data collected for one purpose (e.g., billing verification) will not be used for another purpose (e.g., disciplinary action) without separate consent.
Third-Party Processors — Identify any platforms that handle contractor data on your behalf — payroll tools, time tracking software, payment platforms. Contractors have the right to know who else touches their information.
Data Subject Rights — Under RA 10173, contractors have the right to access, correct, and request deletion of their personal data. Your contract must explain how to exercise those rights.
Exit and Deletion Procedures — What happens to their data when the relationship ends. Cut off system access immediately. Require deletion of company files from personal devices. State how long you’ll retain their records before deleting them.
Ongoing Confidentiality — Confidentiality obligations don’t end when the contract does. Make this explicit.
Run a full review of your current contracts against these clauses. If any are missing, you have a compliance gap.
For a structured approach, see our guide on conducting a remote team compliance audit.
FAQ
What is RA 10173 and how does it protect remote data?
Republic Act 10173, the Data Privacy Act of 2012, is the Philippine law that governs how personal data about Filipino individuals is collected, stored, and processed. It gives workers the right to know what data is collected about them, why it’s collected, and who can access it. The National Privacy Commission enforces the law and can impose administrative fines.
Can I be fired for violating data privacy under Article 282 of the Labor Code?
Article 282 (now renumbered under DOLE’s revised Labor Code) covers termination for just cause, including serious misconduct. For employers, the more relevant risk runs in the opposite direction: if you collect monitoring data in violation of RA 10173, that data may not be usable in any disciplinary proceeding and could expose you to NPC liability.
Does a US or UK company need to register with the National Privacy Commission?
Registration with the NPC is generally required for organizations that process personal data of 1,000 or more individuals, or those processing sensitive personal information as a core function. Many foreign employers with small Filipino remote teams fall below this threshold. However, RA 10173 still applies to your data practices regardless of registration status.
What are the penalties for DPA non-compliance in the Philippines?
Under NPC Circular No. 2022-01 (Guidelines on Administrative Fines), penalties for RA 10173 violations can reach up to ₱5,000,000 per violation. Separate criminal penalties under RA 10173 itself include imprisonment of up to six years for serious violations such as unauthorized processing of sensitive personal information.