Is employee monitoring legal in the Philippines?
Yes, employee monitoring is legal in the Philippines, but it is regulated by the Data Privacy Act of 2012 (Republic Act 10173). Employers must have a lawful basis for the monitoring, tell employees exactly what is collected and why, and keep the monitoring proportionate to a legitimate business purpose. The National Privacy Commission enforces these rules.
Updated on 6 July 2026. This page is general information, not legal advice.
What law governs employee monitoring in the Philippines?
The Data Privacy Act of 2012, usually shortened to the DPA, is the primary law. Its implementing rules and regulations were issued in 2016, and the National Privacy Commission (NPC) is the regulator that interprets and enforces both. There is no standalone workplace surveillance statute: monitoring is regulated because the data a monitoring tool collects about an identifiable employee is personal information, and an employer that collects it is a personal information controller under the DPA.
Philippine labour law does recognise an employer's management prerogative to supervise work. That prerogative is real, but it operates inside the DPA and the constitutional right to privacy, not above them. The NPC has addressed workplace monitoring directly, most notably in Advisory Opinion No. 2018-025, which confirms that employers may monitor employees when the DPA's conditions are met.
Does the Data Privacy Act cover monitoring software?
Yes. Screenshots, screen recordings, activity logs, keystroke counts, browsing history and AI-written activity summaries all describe an identifiable person's behaviour, so they are personal information the moment they are collected. The DPA also defines a stricter category, sensitive personal information, which includes health information, government identifiers and similar data. This matters for monitoring design: a tool that stores raw screenshots or footage will sooner or later capture sensitive personal information on screen, such as a medical result in a browser tab or a customer's ID document, and that content is subject to the strictest rules in the law.
Do employers need employee consent to monitor?
Not necessarily, and consent alone is often the weakest choice. Section 12 of the DPA lists several lawful bases for processing personal information: consent, performance of a contract with the data subject, compliance with a legal obligation, protection of vital interests, national emergency and public order, and the legitimate interests of the controller. In an employment relationship consent is fragile because of the power imbalance: an employee who fears for their job cannot refuse freely, so the NPC and practitioners generally treat contract performance and legitimate interests as the sturdier bases for ordinary work monitoring.
Notice is not optional under any basis. Employees must be told what is collected, why, how long it is kept, who sees it and what their rights are, before monitoring begins.
Sensitive personal information is different. Section 13 prohibits processing it except with consent or under narrow statutory exceptions, and there is no general legitimate-interest gateway. The practical consequence is simple: the less sensitive content a monitoring tool captures and stores, the easier the lawful-basis question becomes.
What does the National Privacy Commission expect?
The NPC evaluates monitoring against the DPA's three general privacy principles: transparency, legitimate purpose and proportionality. Processing must be declared and explained, serve a purpose that is specified and lawful, and be adequate, relevant, necessary and not excessive for that purpose.
For workplace monitoring specifically, NPC guidance points to a consistent checklist. Employers should establish a lawful basis, notify employees before monitoring starts, conduct a proportionality assessment of the chosen method, keep monitoring within work hours and work-related activity, and store what is collected securely. Organisations that meet the NPC's thresholds must also appoint a data protection officer and register their data processing systems, and a privacy impact assessment before deploying a monitoring tool is widely treated as expected practice. A written monitoring policy, acknowledged by each employee, is the cleanest way to evidence notice.
What are the penalties for unlawful monitoring?
The DPA carries criminal penalties, and the NPC can impose administrative fines on top of them. The table below summarises the main criminal offences most relevant to monitoring gone wrong.
| Offence | Imprisonment | Fine |
|---|---|---|
| Unauthorised processing of personal information | 1 to 3 years | PHP 500,000 to 2,000,000 |
| Unauthorised processing of sensitive personal information | 3 to 6 years | PHP 500,000 to 4,000,000 |
| Processing sensitive personal information for unauthorised purposes | 2 to 7 years | PHP 500,000 to 2,000,000 |
Since August 2022, NPC Circular 2022-01 has also allowed the Commission to impose administrative fines: 0.25% to 2% of annual gross income for major infractions and 0.5% to 3% for grave infractions, capped at PHP 5 million for a single act or omission. The NPC can additionally issue compliance orders and cease and desist orders, and data subjects can pursue damages. Unlawful monitoring is therefore not just a reputational risk in the Philippines; it carries personal criminal exposure for those responsible.
What about BPOs and call centres?
The Philippines is one of the world's largest business process outsourcing markets, and client contracts routinely demand proof of work, quality monitoring and security controls. None of that changes the analysis: the DPA applies in full, and a client's demand is not by itself a lawful basis for processing employees' personal information. The employer still needs its own basis, its own notice and its own proportionality assessment.
BPO screen monitoring also creates a second compliance problem that is easy to miss. An agent's screen shows customers' personal information, so a tool that stores screenshots or recordings is building an archive of customer data as well as employee data. Least-intrusive tooling reduces exposure on both fronts at once, which is why proportionality is not just a legal nicety for BPOs but an operational one.
How does privacy-first monitoring reduce exposure under the DPA?
Proportionality is the principle traditional monitoring tools most often fail. Continuous screenshots or screen video collect far more personal information than a supervision purpose needs, and the stored archive becomes a standing liability: it must be secured, it is discoverable in a breach, and it almost certainly contains sensitive personal information and customer data that were never meant to be processed.
ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.
That derive-and-discard design maps directly onto the NPC's expectations. It is scoped to work apps and work-related activity; personal activity is skipped in real time. The transient capture is video, deleted immediately during processing, so there is no screenshot or video archive to secure or breach. Employees see the same activity view managers do, and they can redact entries before a manager sees them, which makes the transparency principle a product feature rather than a policy promise. A redacted entry is erased entirely and never appears in anyone's search; redaction is unavailable only for roles a company flags as a data-leak risk. You can see how the derived record works on the work timelines page, compare the approach with a screenshot-based tool in ScreenJournal vs Time Doctor, or read the design rationale in We record work, not people.
One honest caveat: no tool discharges an employer's own DPA duties. You still need notice, a lawful basis, a data protection officer and NPC registration where required. A privacy-first tool makes the proportionality assessment easier to pass; it does not replace it.
ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.
Frequently asked questions
Do employees have to give consent before monitoring in the Philippines?
Not always. Consent is one lawful basis under the Data Privacy Act, but the NPC also accepts contract performance and legitimate interests for ordinary work monitoring. Notice is mandatory whichever basis is used, and sensitive personal information needs consent or a narrow statutory exception.
Can BPO companies legally monitor their agents?
Yes, provided the employer has a lawful basis, tells agents what is monitored and why before monitoring starts, keeps the monitoring proportionate to a legitimate purpose, and secures the data. A client contract on its own is not a lawful basis.
Are screenshots of employee screens legal in the Philippines?
They are not banned outright, but proportionality applies. If a less intrusive method achieves the same purpose, an archive of screenshots is hard to justify, and stored screens often capture sensitive personal information and customer data, which raise stricter requirements.
Who enforces the Data Privacy Act?
The National Privacy Commission. It investigates complaints, can issue compliance and cease and desist orders, imposes administrative fines of up to PHP 5 million per act, and refers criminal violations for prosecution.
Is ScreenJournal available in the Philippines?
Yes. ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.
See the work itself, not screenshots of it
Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.