Most employers asking about monitoring are thinking about it the wrong way.
They’re imagining spy software. Catching someone doing something wrong. Surveillance.
That’s not what compliant monitoring looks like, and that framing is exactly what gets employers into legal trouble with the National Privacy Commission.
Good monitoring is transparent, proportional, and documented. It protects both you and your remote worker if questions about hours or deliverables ever arise.
This guide covers what Philippine law actually permits, where the hard lines are, and how to build a monitoring framework that holds up.
The Legal Framework: RA 10173 and Internet Monitoring in the Philippines
Republic Act 10173 — the Philippine Data Privacy Act of 2012 — is the governing law for any employer collecting data about Filipino workers, including internet activity, application usage, and time records.
It applies to foreign employers. Location is not a defense.
The National Privacy Commission enforces RA 10173 and has issued specific advisory opinions on employee and contractor monitoring.
The NPC’s position is consistent: monitoring is permissible when it is lawful, transparent, and proportional to the stated purpose.
Three legal requirements apply before any monitoring begins:
Legitimate purpose — You must have a documented business reason for the monitoring. Billing verification, data security, and compliance with client contracts are legitimate.
Informed consent — Consent under the DPA must be written, specific, and voluntary. A generic clause buried in a contractor agreement does not satisfy this standard.
Proportionality — The monitoring method must match the business purpose. You cannot collect more data than the purpose requires. See the dedicated section below.
For a full overview of how these principles apply to your remote work contracts, see our Data Privacy Policies Guide.
The Proportionality Test: Ensuring Monitoring Is Not “Excessive”
The proportionality principle is where most employer monitoring frameworks fail.
Under NPC Circular 2020-01, data collection must be “adequate, relevant, suitable, necessary, and not excessive in relation to the purposes for which they are collected.”
This is the proportionality test and it applies directly to internet activity monitoring.
Practical application:
- Tracking time spent in work applications → proportional for billing verification
- Tracking website categories (social media, news, productivity) → proportional for general oversight
- Recording every specific URL visited → difficult to justify for most roles
- Keystroke logging → requires specific documented security justification
- Continuous screen recording → rarely proportional; requires strong documented rationale
- Always-on webcam monitoring → almost never justifiable under NPC standards
The test is not “can I justify this if asked” — it’s “is this the minimum necessary to achieve the stated business purpose?” If lighter monitoring would accomplish the same goal, heavier monitoring fails the test.
Step-by-Step Guide to Setting Up Compliant Monitoring
How you implement monitoring matters as much as what you monitor.
Company devices simplify compliance. Everything on a company-issued device is work equipment. You can install monitoring software without the BYOD complications. Lock admin rights so monitoring tools can’t be disabled. Pre-install approved software before the device is handed over.
Adjust tools to minimum necessary. Most monitoring software is configurable. Track website categories rather than specific URLs. Track time in applications rather than content within them. Turn off webcam and audio monitoring unless you have a specific documented justification — and even then, only during defined working hours.
Make monitoring boundaries explicit. Workers should know exactly when they are and aren’t monitored. On the company VPN during work hours — monitored. Using their personal device during break — not monitored. This clarity reduces anxiety, builds trust, and satisfies the NPC’s transparency requirement.
Three levels to consider:
Level 1 — Basic time tracking: Clock in/out with daily or weekly standup submissions. No screenshots, no website tracking. Appropriate for most remote contractor arrangements.
Level 2 — Activity monitoring: Adds application usage tracking and website category reporting. Periodic screenshots at reasonable intervals. Appropriate when billing accuracy or client compliance requires more granular verification.
Level 3 — Full monitoring: Screen recording, keystroke logging, complete activity logs. Reserved for legally regulated industries — financial services with compliance mandates, healthcare with patient data. Most employers will never need this.
Start at Level 1 for the first 90 days. If your remote workers deliver quality work on schedule, you likely don’t need more. Escalate only when you have a specific documented reason — and update your privacy assessment when you do.
Restricted Data: What Employers Cannot Legally Track Under NPC Rules
Some monitoring crosses legal lines regardless of consent or policy language.
No secret monitoring. Covert surveillance violates RA 10173, UK GDPR, and most US state privacy laws. The only narrow exception is a time-limited investigation of suspected serious misconduct — and even that requires legal counsel before proceeding. Disclose all monitoring before it begins, without exception.
No monitoring of personal devices or accounts. A remote worker’s personal laptop, personal email, personal social media, and personal phone are off-limits, even if they occasionally use personal channels for work communication. If work and personal use are mixed on one device, specialized BYOD software that creates a separate monitored work environment is required; you cannot monitor the whole device.
No monitoring outside work hours. When a contractor clocks out, monitoring stops. You have no legitimate business purpose for tracking what websites someone visits at 11 PM. The only exception is on-call staff during explicitly designated on-call periods.
No content capture without specific justification. Tools that record the actual content of emails, messages, or documents go beyond what most employer relationships require. Track time in email without reading emails. Track website categories without recording page content. Unless you’re in a regulated industry with specific legal requirements, content-level monitoring fails the proportionality test.
No always-on webcams. Continuous video monitoring of a worker’s home is explicitly inconsistent with the NPC’s proportionality standard. It is illegal in many jurisdictions and deeply resented everywhere it is technically legal. If you need video presence, schedule it. Don’t record it continuously.
For a clear distinction between legitimate monitoring and surveillance overreach, see our guide on the difference between bossware and monitoring.
What Countries Other Than the Philippines Require
If you’re a US, UK, or Australian employer, your home country’s laws also apply.
US employers: The Electronic Communications Privacy Act permits monitoring of business communications with employee knowledge. Connecticut, Delaware, New York, and several other states require written notice before monitoring begins. No monitoring of personal devices or communications unrelated to work.
UK and EU employers: Monitoring must be necessary, transparent, and proportionate. Consent is not a reliable legal basis because of the power imbalance in employment relationships. The UK Information Commissioner’s Office and EU data protection authorities both state that constant monitoring is rarely justified — document why lighter monitoring won’t achieve your purpose.
Australian employers: State-level Workplace Surveillance Acts require 14 days written notice before surveillance begins. Computer monitoring is covered. Failure to provide notice exposes employers to fines and potential Fair Work claims.
The pattern is consistent across jurisdictions: disclose before you monitor, have a real business reason, use the minimum necessary, and document everything. For a jurisdiction-specific breakdown, see our guide on legally monitoring Filipino contractors.
Measure Results, Not Just Activity
Monitoring tools give you data. Data is not insight.
A worker can show constant activity while accomplishing nothing. A worker can appear idle while reading documentation critical to a complex task.
Activity metrics tell you what the computer was doing — not whether valuable work happened.
The most defensible approach combines minimal monitoring with clear outcome measurement.
Set KPIs. Review deliverables. Hold regular check-ins. If activity data raises a concern, raise it directly in conversation before drawing conclusions.
This approach also reduces your legal exposure. The less data you collect, the less you’re obligated to secure, retain, and justify under RA 10173.
FAQ
Is it legal to monitor a virtual assistant’s private internet activity?
No. Monitoring is limited to work-related activity on company-owned devices or company systems during work hours. A remote worker’s personal browsing is outside the scope of legitimate monitoring. RA 10173 requires that data collection serve a specific, documented business purpose.
How do I monitor employee internet activity without violating the Data Privacy Act?
Three requirements must be met: informed consent (written, specific, and obtained before monitoring begins), legitimate purpose (a documented business reason such as billing verification or data security), and proportionality (collecting only the minimum data necessary). Practically, this means disclosing exactly what tools you use, what they track, who sees the data, and how long it’s retained.
Can internet activity be monitored if the VA uses their own computer?
This is high-risk legal territory. Personal devices carry a stronger reasonable expectation of privacy under RA 10173 than company-issued equipment. If you need to monitor activity on a personal device, you must use specialized BYOD software that creates a separate, isolated work environment — and monitor only that environment.
What skills does a VA need to manage their own productivity without surveillance?
The best remote workers don’t need monitoring. They manage their own time, hit deadlines, and send clear EOD updates without being asked. They know their tools, flag problems early, and deliver consistent work. The output speaks for itself.