Is It Legal for Employers to Take Photos of Employee Payroll ATM Cards?

In the modern workplace, the digitization of HR processes often leads to requests for various forms of identification and financial documentation. One common point of contention is whether an employer in the Philippines can legally take a photo or keep a photocopy of an employee’s payroll ATM card.

The short answer is: Yes, it is generally legal, but it is strictly regulated by the Data Privacy Act of 2012 (Republic Act No. 10173).

1. The Legal Basis for Collection

Employers have a "legitimate interest" in ensuring that salaries are credited to the correct individual. To facilitate this, companies often require proof of account ownership. A photo of the ATM card serves as a record of:

  • The account holder's name.
  • The account number.
  • The bank branch/type.

Under the Data Privacy Act (DPA), the processing of personal information is permitted if it is necessary for the fulfillment of a contract (the employment contract) or for the employer's legitimate interest, provided such interest is not overridden by the fundamental rights of the data subject.

2. Compliance with the Data Privacy Act

While the collection is legal, the employer must adhere to the three pillars of data privacy: Transparency, Legitimate Purpose, and Proportionality.

Transparency and Consent

The employer must inform the employee why the photo is being taken. Usually, this is for payroll enrollment or verification. While consent is often embedded in employment contracts, the National Privacy Commission (NPC) emphasizes that the employee should be aware of the specific use of that image.

Proportionality (The "Masking" Principle)

This is where many employers fail. The principle of proportionality states that only the information necessary for the purpose should be collected.

  • What is necessary: The Account Name and Account Number.
  • What is NOT necessary: The CVV/CVC (the 3-digit code on the back) or the full 16-digit card number if only the account number is needed for bank transfers.

Best Practice: If an employer takes a photo of an ATM card, they should only capture the front. If the card contains sensitive information (like a CVV on the back), that portion must never be photographed or stored.

3. Data Security and Storage

Once the photo is taken, the employer becomes a Personal Information Controller (PIC). This carries heavy legal responsibilities:

  • Security Measures: The photo must be stored in a secured system (either a locked physical file or an encrypted digital folder). It should not be sitting loosely in an HR officer’s personal smartphone gallery.
  • Retention: The data should only be kept for as long as necessary. Once the payroll is set up and verified, the "need" to keep a photo of the physical card diminishes, although many HR departments keep it for the duration of employment for audit purposes.
  • Disposal: When the employee leaves the company or the data is no longer needed, it must be disposed of in a manner that prevents further processing (e.g., shredding or permanent digital deletion).

4. Potential Risks and Violations

If an employer collects these photos and a data breach occurs—such as an HR employee’s phone being hacked or a physical file being stolen—the company can be held liable under the DPA.

Penalties for "Accessing Personal Information and Sensitive Personal Information Due to Negligence" can include:

  • Imprisonment ranging from 1 to 3 years.
  • Fines ranging from PHP 500,000 to PHP 2,000,000.

5. Can an Employee Refuse?

An employee can technically object to the photographing of their card, especially if they provide an alternative, such as a formal Bank Certificate or a validated deposit slip that shows the account details without needing a photo of the actual card.

However, if providing the account details is a requirement for the employer to fulfill its obligation to pay wages via an automated system, unreasonable refusal by the employee may complicate the payroll process.

Summary Table: Rights vs. Responsibilities

Stakeholder Right / Responsibility
Employer Right to verify the correct bank account for payroll purposes.
Employer Responsibility to protect the photo and prevent unauthorized access.
Employee Right to be informed of the purpose of the photo.
Employee Right to demand the masking of sensitive digits or CVV codes.

While the practice is a standard administrative tool in the Philippines, it must be handled with high levels of digital security and strict adherence to the mandates of the National Privacy Commission.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login