Human resources (HR) departments should take better care of the personal information that passes through their hands during the hiring process, a data security expert said.

Sensitive documents, such as the resumes of rejected applicants, should be shredded and anonymized by hiring managers instead of being used as scratch paper, said Ernest Richard Ocson of Cosaint Consulting, a company that offers governance, risk, and compliance services.

“The data is still theirs,” he said. “We process their documents, but the data is still theirs.”

HR practices that also need to be reevaluated include selling old documents, such as manuals, for recycling as well as processing a job applicant’s resume without their explicit consent. Neither align with the Data Privacy Act, Mr. Ocson said in a Jan. 13 webinar organized by the Learning Innovation Hub PH.

The Data Privacy Act (DPA) of 2012, or Republic Act 10173, assures the “free flow of information to promote innovation and growth” while protecting an individual’s rights to privacy.

“Integrity is ensuring data privacy is kept throughout the life cycle of that data,” Mr. Ocson said, who also advised verification before disclosure.

If the HR department gets a call from someone supposedly doing background checks on an employee applying for a bank loan, whoever accepts the call shouldn’t “blindly disclose information,” said Mr. Ocson.

“We need to verify the identity of the person calling first,” he added. “If we don’t verify, then we already violated that employee’s rights.”

Coordination is likewise necessary between HR and the information technology department as the company submits its annual security incident report to the National Privacy Commission (NPC).

The definition of a security incidence is relatively broad, Mr. Ocson said. A security breach can mean anything from sending documents to the wrong person, opening files that should not have been opened, visiting links that should not have been visited, losing access to corporate resources, or misplacing identification cards.

Not every company will need to register their data processing systems in compliance with NPC Circular 17-01, Mr. Ocson added. Every company that processes personal information, however, will need to comply with the DPA.

(Per NPC Circular 17-01, an organization that employs fewer than 250 persons is not required to register, unless “the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional, or includes sensitive personal information of at least 1,000 individuals.”)

“Data privacy compliance at the organizational level has business value,” Mr. Ocson said. “The other risks for not complying — apart from penalties and fines — are employee disengagement, operational disruptions, and reputational damage.” — Patricia B. Mirasol