Data Security Guide When Hiring Filipino VAs | HireTalent.ph

Data Security Best Practices When Hiring Filipino Virtual Assistants

The Philippines has strict data privacy laws that apply to foreign employers working with Filipino contractors. Here’s your practical guide to access control, compliance requirements, and security tools that protect both your business and your remote workers.

Mark

Published: January 16, 2026
Updated: January 16, 2026


The Philippines has a Data Privacy Act (RA 10173).

It’s strict. Really strict.

It applies to anyone processing personal data in the Philippines, including you, the foreign employer working with Filipino contractors.

There are actual penalties for mishandling data. Not just “oops, my bad” penalties. Real legal consequences.

The country also has a Telecommuting Act (RA 11165). It explicitly says employers are responsible for protecting data that remote workers use and process.

So this isn’t just best practice. You’re dealing with regulated environments in both countries.

Most people don’t know this. Now you do.


Give People Only What They Actually Need

Here’s the most common mistake I see.

Someone hires a Filipino contractor to manage their Shopify store. 

They hand over their owner login credentials.

Now that person can see customer payment methods. Shipping addresses. Order history. Everything.

They didn’t need any of that.

Shopify lets you create staff accounts. So does almost every major platform.

The contractor can upload products, manage inventory, and handle customer service without ever seeing a single credit card number.

Your main email address? Don’t share it.

Set up a separate email for the contractor. Forward what they need. 

Keep your recovery options and personal inbox completely separate.

I’ve seen people do this with banking too, which is wild.

If a contractor needs to pay for tools, use virtual cards with spending limits.

Before you onboard anyone, ask yourself: what systems does this person truly need to do their job?

Give them exactly that. Nothing more.

Password Managers Are Your Best Friend

LastPass. 1Password. Bitwarden. Dashlane. Pick one.

Here’s why they work so well.

You can share credentials without revealing the actual password. The contractor sees asterisks but can log in through the tool.

More importantly: you can revoke access instantly.

Relationship ends? One click. They’re out of everything.

Use unique, long passwords for every single account. If one system gets compromised, nothing else falls with it.

Keep two-factor authentication on your own devices. More on that in a second.

Two-Factor Authentication Isn’t Optional

Enable 2FA on every critical account.

Email. Payment processors. Domain registrars. CRMs. Everything that matters.

Keep the 2FA device with you. Not the contractor.

They can either use app-specific passwords, or work in accounts where 2FA prompts come to you for approval.

Device Security Matters More Than You’d Think

Here’s something most people miss.

You’re focused on credentials and access. That’s good.

But what about the actual computer your contractor is using?

Is it running outdated software? No antivirus? Connecting to public Wi-Fi at a coffee shop?

All your password-manager security means nothing if they’re working on a compromised device.

Minimum requirements should be:

Updated operating system.

Current antivirus software.

Full-disk encryption.

Screen lock when idle.

No working on public Wi-Fi. Ever.

If they absolutely must work from somewhere with questionable internet, require a trusted VPN.

BPO companies in the Philippines already enforce these standards. You should too.

If you need accountability without invasive monitoring, focus on time tracking instead. 

Clock-in/clock-out systems with manual adjustment capabilities give you visibility into work hours without crossing privacy boundaries. 

You can review and approve time entries, which is different from installing spyware on someone’s computer.

Legal Agreements That Actually Work

Most people have contractors sign NDAs. That’s good.

But here’s the reality: enforcing an NDA against an overseas contractor who makes $5-10/hour is incredibly difficult.

NDAs are recognized in the Philippines. But cross-border enforcement is expensive and complicated.

Does that mean skip the contract? No.

It means understanding what it actually accomplishes.

A good contract is a deterrent and a framework. It sets clear expectations. It makes people think twice.

But it’s not your primary line of defense.

Background Checks Done Right

In the Philippines, employers commonly request NBI Clearance, which shows if someone has a criminal record.

BPO companies ask for it as standard practice.

You can too.

Platforms like HireTalent.ph include NBI verification as part of their pre-vetting process. This removes the manual back-and-forth of collecting and verifying documents yourself.

For positions where someone will handle customer data, payment information, or sensitive business details? Absolutely request NBI Clearance.

Also ask for:

Government-issued ID and proof of address.

Professional references you can actually check.

Some people feel weird asking for this stuff. Don’t.

How to Handle Access from Day One to Day Done

Access management isn’t a one-time thing.

It’s a lifecycle.

When someone starts:

Create accounts with minimum necessary permissions. Not “admin” because it’s easier.

Add them to your password manager vault with only the specific credentials they need.

Document which systems and credentials you granted. 

If you’re managing multiple contractors, use a system that tracks hire dates, employment type, and what access each person has. This becomes critical when you’re juggling several people across different roles.

Have them sign the contract and privacy agreements before they touch anything.

While they’re working:

Review their access every few months. Did their role change? Remove tools they don’t use anymore.

On high-risk systems – email, CRM, ad accounts – occasionally spot-check activity.

Not because you don’t trust them. Because that’s what responsible data management looks like.

When the relationship ends:

Same-day checklist. No delays.

Revoke password manager access. Remove staff roles from all platforms. Disable accounts, don’t delete them yet – you might need logs.

Rotate any remaining shared passwords they might know.

Check for any accounts you forgot about. Social media, analytics tools, project management platforms.

One person told me they found out three months later that a former contractor still had access to their Instagram business account.

That shouldn’t happen. Ever.

The Philippine Telecommuting Act says employers are responsible for data protection throughout the entire remote work arrangement.

That includes the ending.
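
The lifecycle above as a small access register, added here as an example and not part of the original article: it records what each contractor was granted, flags broad roles and overdue reviews, and builds the same-day offboarding checklist. The 90-day review interval, the role names, the field names and the sample contractor are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumption: "every few months" = 90 days
BROAD_ROLES = {"owner", "admin"}       # assumption: roles treated as over-privileged

@dataclass
class Grant:
    system: str            # platform the contractor can reach
    role: str              # role granted on that platform
    knows_password: bool   # True if the raw password was ever shared with them
    last_reviewed: date
    active: bool = True

@dataclass
class Contractor:
    name: str
    grants: list = field(default_factory=list)

def review_findings(c, today):
    """Active grants that are over-privileged or overdue for review."""
    findings = []
    for g in c.grants:
        if not g.active:
            continue
        if g.role in BROAD_ROLES:
            findings.append((g.system, "broad role: " + g.role))
        if today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g.system, "review overdue"))
    return findings

def offboard(c):
    """Return the same-day checklist and mark every grant inactive."""
    steps = ["Revoke password manager access"]
    for g in c.grants:
        if not g.active:
            continue
        steps.append(f"Disable (do not delete) the {g.role} account on {g.system}")
        if g.knows_password:
            steps.append(f"Rotate the shared password for {g.system}")
        g.active = False
    steps.append("Check for accounts missing from this register")
    return steps

# Constructed sample register for one contractor.
va = Contractor("Example VA", [
    Grant("Shopify", "staff", False, date(2026, 1, 5)),
    Grant("Instagram", "admin", True, date(2025, 9, 1)),
    Grant("Help Scout", "agent", False, date(2025, 12, 1)),
])
```

Run review_findings(va, date.today()) on a schedule and offboard(va) on the day the relationship ends; disabled grants stay in the register so the record of who had what survives.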

The Tools That Make This Actually Work

Theory is nice. Execution is what matters.

Here’s the practical stack that works:

Password manager (1Password, Bitwarden, LastPass) – Non-negotiable. This is your foundation.

Shared inbox tools (Help Scout, Front, Zendesk) – Give email access without handing over your Gmail login. You get activity tracking and assignment features.

Project management (Asana, ClickUp, Monday) – Tasks and communication happen here instead of scattered across email and messages.

Virtual cards (Privacy.com, Revolut Business, Ramp) – If they need to purchase tools or services, give them a card with a spending limit. Not your main business card.

VPN service – For them to use when working on client systems. Prevents IP-based account locks and adds encryption.

Screen recording for SOPs (Loom, CloudApp) – Record yourself doing tasks. They follow the SOP exactly. Reduces the need to explore systems they shouldn’t touch.

Notice what’s not on this list: invasive employee monitoring software that tracks every keystroke.

Filipino workers in online communities push back hard against that stuff. They call it privacy violations.

They’re right.

Focus your monitoring on business account activity, not their entire computer.

How to Think About Data Classification

This is simpler than it sounds.

Divide everything in your business into four categories:

Public/marketing – Blog posts, social media content, general marketing materials. Safe to share widely.

Internal but not sensitive – SOPs, general metrics, process documentation. Helpful for work but not dangerous if leaked.

Confidential – Customer details, pricing, proprietary processes, business strategy. This is where most business data lives.

Highly sensitive – Payment information, personal IDs, medical records, tax documents, banking credentials.

When you hire someone new:

Week one: Public and internal-only data. They prove they can follow instructions.

Month one: Confidential data, but with proper tools. Password manager. Two-factor. Logging turned on.

Long-term trusted relationship: Still keep highly sensitive data away from them if possible.

If they absolutely must touch highly sensitive information, restrict it to tightly scoped workflows. Keep detailed logs.

The Philippine Data Privacy Act requires you to protect personal and sensitive data throughout its lifecycle.

This categorization makes that manageable.

What Nobody Talks About

Here’s the thing about data security.

Everyone focuses on protecting against malicious contractors.

That’s not the real risk.

The real risk is accidents. Mistakes. Miscommunication.

Someone accidentally deletes a customer list. Someone falls for a phishing email. Someone shares a password with the wrong person.

These systems I’ve described? They protect against both malicious behavior and honest mistakes.

That’s why they work.
