Your Employee Referral Program Might Be Violating the Data Privacy Act


You risk imprisonment of anywhere between 1 and 6 years, and fines of up to 5M pesos, for violating RA 10173, the Data Privacy Act


The Data Privacy Act, or the Republic Act No. 10173, was signed a couple of years ago on August 15, 2012, by President Benigno S. Aquino III. However, with the rise of multiple digital data channels tailored for recruitment, it has become much more significant today than ever before.

In a time where the “war for talent” is at its peak, Employee Referral Programs offer a measurable competitive advantage. Hiring through referrals is not only faster but also generally costs less than other methods.

But one of the best advantages of referrals is the fact that referred candidates are usually a better fit for the company in terms of culture and values. This is because the candidate was referred by an employee on the inside - someone who knows the ropes and someone who can tell whether or not their friends are a good fit in all aspects of the organization.

How An Employee Referral Program Violates the Data Privacy Act

The problem is that most Employee Referral Programs, especially traditional manual ones, have the potential for violating the Data Privacy Act (DPA).

Each referral your employee makes involves the processing of personal and/or sensitive personal information - two different types of data defined by the DPA. Most of the time, employees will simply pass on the resume of a friend or potential candidate to the HR department or recruitment team.

When they do this, the referral’s personal and/or sensitive personal information is available to the organization to process. It’s a simple and straightforward process, but it actually violates the DPA if done incorrectly.

You could be violating the Data Privacy Act if:

  • Your employees give their friends’ contact details, personal information, sensitive personal information, or privileged information to you or your recruitment team without proper consent
  • Your organization or your recruitment team stores the referral’s personal information longer than is required or necessary for processing
  • Your recruitment team processes the referral and reaches out to the candidate without the referral’s prior knowledge (again, no consent given by the candidate)

The keyword here is CONSENT.


One of the key provisions in the DPA that poses the most consequences for organizations is that the data subject (in this case, the candidate who was referred) needs to give their full consent and must know the purpose and extent of the processing of their information, as stated in Section 19(a)(1) and Section 19(a)(2) respectively.

What is “Consent”? Is verbal confirmation acceptable?

Consent, as stated in Section 3(c), is:

“Consent of data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.

Simply put, consent is when the referred candidate agrees to the collection and processing of his/her personal information together with an informed indication of will. This means that your employee simply telling you that the candidate gave their consent is not enough. There must be written, electronic, or recorded evidence of this consent.

Usually, the tools or databases used in analogue or manual referral programs (using tools like Excel) cannot automatically obtain the consent of the referral. It’s also a challenge to apply the provision that states that data may only be stored for as long as necessary.

What happens if you violate the Data Privacy Act?

There are heavy punishments and large fines for violating the Data Privacy Act. Prison terms and fines depend on which Section of the Act you violated. Some of the penalties include:

  • IMPRISONMENT for 1-3 years for unauthorized processing of personal information and/or imprisonment for 3-6 years for unauthorized processing of sensitive personal information
  • FINES that range anywhere from 500,000 to 2M Pesos, and fines up to 5M Pesos for a combination or series of violations
  • REVOCATION of company rights and licenses
  • DEPORTATION for foreign violators

All of the penalties can be found in Rule XIII Penalties of the DPA.

Avoid Violations and Penalties

Referrals are so effective that people have a hard time giving them up. It may be difficult to comply with the Data Privacy Act if your referral program is run manually, but there are many technologies and solutions that enable referral programs to run smoothly without violating the DPA.

Recruitday’s Social Referral program, for example, uses both employee and non-employee referrals to find the best talent for companies in compliance with the DPA. Our system ensures that no data is given out during the recruitment process - only when the referred candidate chooses to apply. All data is provided by the candidate with full knowledge of, and consent to, what it will be used for.

Looking for talent? Let’s talk recruitment! Send us a message at inquiries@recruitday.com or visit our Social + Referrals page.