Legal Requirements for Employment Background Checks in the Philippines

A Comprehensive Practitioner’s Guide (2025 edition)


1. Why this matters

Hiring the wrong person can expose an employer to fraud, safety, and reputational risk—but probing too deeply can violate privacy, anti-discrimination, and labor laws. Philippine regulation therefore seeks a “proportionality balance”: collect only what is reasonably necessary, do it transparently, secure the results, and act on them fairly.


2. Primary Legal Sources

| Instrument | Key Points for Background-Check Compliance |
|---|---|
| 1987 Constitution (Art. III, Sec. 2 & 3) | Right to privacy of communication and correspondence; basis for requiring lawful purpose + consent. |
| Labor Code (PD 442, as amended) & DOLE issuances | Pre-employment medical exam (Art. 134); due-process standards for refusal to hire; wage privacy. |
| Data Privacy Act of 2012 (RA 10173) & IRR | Defines “personal” vs “sensitive personal” data; requires lawful criteria (consent, contract, legal obligation, vital interest, public authority, legitimate interest); data-subject rights; breach notification; cross-border transfer rules. |
| National Privacy Commission (NPC) Circulars & Advisory Opinions (e.g., NPC Circular 16-02 on data sharing; AO 2021-045 on pre-employment screening) | Operationalizes DPA; sets proportionality test and “least intrusive means.” |
| Anti-Age Discrimination in Employment Act (RA 10911) | Bars age questions unless a bona-fide occupational qualification (BFOQ) exists. |
| Magna Carta for Women (RA 9710) & Safe Spaces Act (RA 11313) | Restrict sex-, gender- or marital-status-based queries that are irrelevant to the job. |
| Mental Health Act (RA 11036) | Medical data is “sensitive personal” data; disclosure requires explicit consent & strict necessity. |
| Special-sector rules: BSP Circulars 950/1022 (bank fit-and-proper); Insurance Code (IC CL 2016-69 on trust officers); DepEd/CHED hiring rules | Impose mandatory clearances (NBI, BI, credit, PRC license) for covered positions. |

3. Permissible Types of Checks (and Typical Legal Bases)

| Check | Lawful Basis Under RA 10173 | Special Conditions |
|---|---|---|
| Identity & civil-status verification (PSA certificates, passport, biometric ID) | Contract performance (pre-contract stage) | Securely store scans; redact ID numbers when unnecessary. |
| Employment & academic history | Legitimate interest; consent | Verify only final degrees or last 5 years unless stricter industry rule applies. |
| Professional licenses/eligibility (PRC, Bar, TESDA) | Legal obligation (for regulated professions) | Keep photocopy only until onboarding is complete. |
| Criminal record (NBI / PNP clearance) | Legal obligation for regulated roles; legitimate interest + consent for others | Must rely on official clearances, not informal barangay gossip. |
| Credit history (Bankers, fiduciaries) | Legal obligation (BSP “fit & proper”) | Obtain authority to access Credit Information Corporation (CIC) data. |
| Medical & drug test | Legal obligation (pre-employment medical per DO 198-18; drug test per DOH AO 2018-0001) | Results are sensitive personal data; release only to company physician & applicant. |

4. Mandatory Procedure Under the Data Privacy Act

  1. Privacy Notice – Describe: purpose, categories of data, lawful basis, retention period, recipients, data-subject rights, contact details of the Data Protection Officer (DPO).

  2. Written Consent – Freely given, specific, informed, recorded (e-signature acceptable).

  3. Proportionality Assessment – Document why each data field is necessary; retain a matrix in your Privacy Impact Assessment.

  4. Third-Party Agreements

    • Outsourcing/Processing Agreement for background-check vendors (Art. 3[f])
    • Data-Sharing Agreement when two controllers exchange data (NPC Circular 16-02).
  5. Security Measures (RA 10173, Sec. 20) – Data classification, encryption at rest & in transit, role-based access, audit trails, secure disposal (shredding, digital wiping).

  6. Retention & Disposal – Keep raw reports only until the later of: (a) expiration of the probationary period, or (b) resolution of any contest to the hiring decision. Keep a minimal record (e.g., “verified/failed”) for 5 years to defend against labor claims.

  7. Adverse-Action Protocol – Before rejecting an applicant based on a finding, give them a copy and an opportunity to explain or correct it, and record the deliberation (due-process requirement).

  8. Cross-border Transfer – Allowed if the foreign jurisdiction has “substantially similar” protection or by contractual clauses + consent (DPA, Sec. 21; NPC Advisory 2017-03).


5. Prohibited or Restricted Practices

  • Blanket waivers of privacy rights are void.
  • Collecting religion, political affiliation, union membership unless a BFOQ exists (sensitive personal data).
  • Polygraph or “voice stress” tests: no specific Philippine ban, but NPC treats physiological data as highly sensitive—use only with express, revocable consent and documented necessity.
  • Releasing an applicant’s criminal history to unauthorized third parties violates Art. 287 of the Revised Penal Code (unjust vexation) and DPA Sec. 25 (Unauthorized processing).
  • Age-based shortlisting unless age is a BFOQ (RA 10911, Sec. 4).
  • Asking female applicants about pregnancy plans—constitutes gender discrimination (MCW) and is irrelevant medical data.

6. Penalties & Enforcement

Violation Criminal Penalty (RA 10173) Administrative Civil
Unauthorized processing of sensitive personal data 3-6 years + ₱500k-2 M fine NPC compliance orders, suspension of processing Actual & moral damages, exemplary damages possible
Improper disposal 1-3 years + up to ₱500k
Access due to negligence 1-3 years + up to ₱500k
Age-based refusal to hire (RA 10911) ₱50k-500k + 3 months-3 years imprisonment DOLE inspection citations Damages under Art. 1701 Civil Code
Non-observance of DOLE medical-exam rules Administrative fines (DO 198-18) Closure order in severe cases

NPC has issued dozens of decision-and-order letters imposing compliance directives and, in rare cases, monetary penalties for companies that retained applicants’ NBI scans on unencrypted cloud folders or shared background reports with affiliate entities without a Data-Sharing Agreement.


7. Sector-Specific Nuances

  • Banking & Finance – BSP Circular 950 requires banks to vet directors, officers & employees for integrity, experience and financial soundness; clearances must be updated every 2 years.
  • Business-Process-Outsourcing (BPO) – Export clients often demand U.S.-style checks; Philippine controller must still ensure DPA compliance and forbid data export of sensitive fields without adequate protection.
  • Work with Children – RA 11862 (Expanded Anti-Trafficking) and DepEd Orders require child-work clearance; even expunged criminal records relating to child abuse must be considered.
  • Foreign Nationals – BI clearances; data transfer to home office requires cross-border rules, and host employer remains the “controller.”

8. Best-Practice Compliance Framework

  1. Policy – Adopt a stand-alone Background-Check Policy approved by top management.
  2. Training – HR & recruiters must take annual DPA and anti-discrimination workshops; include test cases.
  3. Vendor Due Diligence – Require ISO 27001 or PCI-DSS where financial data is involved; audit every 3 years.
  4. Layered Notices – Short notice at application page + full policy link.
  5. Consent Architecture – Use unticked check-boxes; separate from Terms of Use.
  6. “Need-to-Know” Access – Recruiters see summary pass/fail; only DPO sees full report.
  7. Adverse Action Timing – Give applicant at least 5 business days to dispute before final decision (mirrors NPC’s equitable approach).
  8. Record-Keeping Matrix – Map data types, basis, retention, deletion schedule; include in your Privacy Management Program (PMP).
  9. Annual Audit – Internal audit plus external DPO assessment; remedy gaps within 30 days.
  10. Breach Simulation – Table-top exercise on lost USB or mis-sent e-mail containing background report; test 72-hour breach notification workflow.

9. Emerging Trends & Pending Bills (2024-2025)

  • House Bill 10389 (“Fair Employee Screening and Reporting Act”) – Would codify a 10-year look-back limit on criminal checks and require free copy of any adverse report; still at Committee on Labor.
  • NPC Draft Circular on Automated Decision-Making – Proposes explicit opt-out if algorithms decide on hiring based on background-check scoring.
  • Digital Clearance Platforms – NBI’s “e-Clearance 2.0” offers API integration; controllers will need Data-Sharing Agreement + NPC registration for automated pulls.
  • Guidance on Social-Media Screening – NPC Advisory under consultation; likely to require manifest notice and exclusion of private or “friends-only” posts.

10. Quick Compliance Checklist (printable)

  • Privacy Notice displayed before data capture
  • Signed consent or documented lawful basis other than consent
  • Scope limited to job relevance (no religion, political views)
  • Processor contract with screening vendor + NPC registration (if >250 employees or high-risk)
  • Background-check report retained securely, encrypted, limited access
  • Adverse finding shared with applicant; opportunity to clarify
  • Deletion schedule diarised; secure disposal method in place
  • Audit log of every person who viewed the report
  • Breach-response plan tested within past 12 months

Conclusion

Conducting employment background checks in the Philippines is entirely lawful—but only when purpose-driven, transparently disclosed, proportionate in scope, and backed by robust privacy safeguards. Employers that embed these principles in policy, contracts, and everyday HR practice substantially reduce litigation, regulatory exposure, and reputational risk while still protecting the workplace and their customers.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.