NPC Advisory Opinion on Labor Union Request for Information
The National Privacy Commission (NPC) released Advisory Opinion No. 2023-011 addressing the inquiry on the propriety of an employer’s refusal to give the labor union access to certain documents.
The representative of the National Federation of Labor (NFL) explained that some of its member-unions wanted to have financial information—financial statements, balance sheets, enrollment data, and patient/customer data—from their employers who were either hospital or educational institutions. Furthermore, the private hospital unions sought for documents on the distribution and amounts of certain allowances—Special Risk Allowance (SRA), Meals and Transportation Allowance (MAT), Health Emergency Allowance (HEA), and One COVID-19 Allowance (OCA).
First of all, the NPC said that the Data Privacy Act (DPA) is applicable to all types of personal data, and to any natural or juridical persons involved in personal data processing. However, data concerning juridical persons are not considered personal data so they are not under the DPA. Thus, the financial information sought by the member-unions are outside the scope of the DPA; making the employers’ refusal to disclose such, misplaced.
Second, the educational institution’s data on employees, student enrollment, and other income sources; as well as the hospital’s data on patients, employees, and those on the benefits mandated by law, were described by the NPC as personal information for they can identify the individuals to which they pertain.
Thus, the NPC explained that the union members should establish their legitimate interest in the personal data sought by establishing: 1) that the processing is for the sole purpose of pursuing the legitimate interest of the union for effective negotiations of benefits; 2) that the disclosure or processing shall be limited to the personal information specifically requested, and are necessary and proportionate to achieve its legitimate interest; and 3) that the processing of personal information must be done in the least intrusive way.
The NPC closed its advisory opinion by reiterating that processing of personal information should be done lawfully, fairly, and with strict adherence to the basic data privacy principles of transparency, proportionality, and legitimate purpose.
The Advisory Opinion may be read in full here.