Biometrics Consent Form (Philippines)
BIOMETRIC DATA CONSENT FORM
Data Privacy Act of 2012 (Republic Act No. 10173) – Sensitive Personal Information
Date: [Consent Date]
Organization: [Organization Name]
Address: [Organization Address]
NPC Registration No.: [NPC Registration Number]
Data Protection Officer: [DPO Contact]
INDIVIDUAL INFORMATION
Name: [Individual Name]
ID Number: [Individual ID]
Relationship: [Individual Relationship]
1. BIOMETRIC DATA TO BE COLLECTED
The following types of biometric data will be collected:
[Biometric Types]
Biometric system: [Biometric System]
2. PURPOSE OF BIOMETRIC DATA PROCESSING
[Organization Name] will collect and process your biometric data for the following specific purpose:
[Biometric Purpose]
Legal basis: Explicit consent under Section 13(a) of the Data Privacy Act of 2012 (RA 10173), as biometric data constitutes sensitive personal information under Section 3(l) of RA 10173.
3. SECURITY AND STORAGE
Storage method: [Storage Method]
Encryption and security measures: [Encryption Standard]
Third-party access: [Third Party Access]
4. RETENTION AND DELETION
[Retention Period]
In the event of a personal data breach involving biometric data, [Organization Name] will notify the National Privacy Commission and affected individuals within 72 hours of discovery, as required by NPC Circular 16-03.
5. YOUR RIGHTS AS DATA SUBJECT
Under Sections 16-18 of RA 10173, you have the right to access, correct, object to, and request erasure or blocking of your biometric data, and to withdraw this consent at any time by notifying the DPO. Withdrawal of consent may affect your ability to use the biometric-based system (e.g., time and attendance, access control).
Contact DPO: [DPO Contact]
File complaints with NPC: [email protected] / (02) 8234-2228
EXPLICIT CONSENT DECLARATION
I, [Individual Name], declare that:
(a) I have read and understood this Biometric Data Consent Form.
(b) I understand that biometric data (fingerprints, facial recognition templates, and/or other biometric identifiers) constitutes sensitive personal information under Section 3(l) of the Data Privacy Act of 2012 (RA 10173).
(c) I have been informed of the specific purpose, storage method, security measures, retention period, and third-party access arrangements for my biometric data.
(d) I understand that once enrolled, my biometric template cannot be 'reset' if compromised, unlike a password.
(e) I understand my rights under Sections 16-18 of RA 10173, including the right to withdraw this consent.
(f) I freely, voluntarily, and without coercion give my explicit consent to the collection and processing of my biometric data by [Organization Name] for the purpose stated above.
[Individual Name]
Data Subject
Date: [Consent Date]
Data Subject
________________
Signature
Data Protection Officer / HR Representative
________________
Signature
Witness
________________
Signature
What Is a Biometrics Consent Form (Philippines)?
A Biometrics Consent Form in the Philippines evidences that consent has been freely given, identifying exactly what has been agreed to and by whom.
The Philippine Identification System Act (RA 11055, signed August 6, 2018) authorizes the Philippine Statistics Authority (PSA) to collect biometric data (fingerprints, iris scan, front-facing photograph) from all Filipino citizens and resident aliens for enrollment in the Philippine Identification System (PhilSys). The PSA's collection of biometric data under PhilSys is based on statutory authority, not individual consent. However, private employers, healthcare providers, schools, banks, and technology companies collecting biometric data for their own systems — time and attendance, logical access control, customer identity verification, medical diagnosis — must comply with RA 10173's consent requirements because their biometric collection is not authorized by a specific statute equivalent to RA 11055.
Under Section 12 of RA 10173, the processing of personal information is permitted only if not otherwise prohibited by law and the data subject has given consent or another lawful basis applies. Section 13 of RA 10173 imposes a stricter standard for sensitive personal information (which includes biometric data): processing is allowed only when the data subject has given explicit consent. The NPC has emphasized in multiple advisory opinions that biometric data deserves heightened protection because a breach can cause irreversible harm — unlike a compromised password, a compromised fingerprint template cannot be reset. Organizations failing to obtain valid consent before collecting biometric data face penalties under Section 26 of RA 10173, including criminal prosecution with imprisonment from 3 to 6 years and fines from PHP 500,000 to PHP 4,000,000. The Bangko Sentral ng Pilipinas (BSP), through Circular No. 1149 (2022), and the Securities and Exchange Commission (SEC) have also issued supplementary guidance on biometric data use in financial services and corporate governance contexts.
The NPC Circular No 16-01 mandates registration of data processing systems with the National Privacy Commission before commencing biometric collection from 1,000 or more data subjects. The Philippine Statistics Authority (PSA) under Republic Act 11055 (Philippine Identification System Act) administers the national PhilSys biometric enrollment program separately from private-sector biometric systems, which remain fully subject to RA 10173 consent requirements enforced by the NPC through its Complaints and Investigation Division.
When Do You Need a Biometrics Consent Form (Philippines)?
A Biometrics Consent Form is needed in the Philippines whenever a private organization — as opposed to a government agency exercising statutory authority — proposes to enroll, collect, or process an individual's biometric data. Specific situations requiring a biometrics consent form include:
Workplace biometric attendance systems: Philippine employers commonly deploy fingerprint or facial recognition scanners for time and attendance under DOLE Labor Advisory No. 06-2020 on payment of wages. The National Privacy Commission (NPC) confirmed in Advisory Opinion 2018-016 that employee consent under RA 10173 is required before enrolling employees in such systems, even where the employer has a legitimate operational purpose.
Building access control: Office buildings, condominiums registered with DHSUD, and gated subdivisions governed by homeowners associations under RA 9904 that use fingerprint or iris scanners to control physical entry must obtain a Biometrics Consent Form from each enrolled individual prior to enrollment.
Banking and financial services KYC: Banks and e-money issuers supervised by the Bangko Sentral ng Pilipinas (BSP) use biometric facial recognition for digital onboarding under BSP Circular No. 1149 (2022). Individual consent under RA 10173 is still required for the biometric component of the Know-Your-Customer (KYC) verification process.
School and university systems: Student attendance and campus security systems require biometrics consent from the student and — for minors under 18 — the parent or guardian must countersign the consent form under RA 10173.
Healthcare and hospital systems: Hospitals and diagnostic centers using fingerprint enrollment for patient identity management and electronic health records access must obtain a Biometrics Consent Form from each patient, separate from the general hospital admission consent.
Fintech and e-commerce identity verification: Platforms collecting facial recognition data for liveness detection in selfie-based identity verification must obtain explicit biometric consent under Section 13(a) of RA 10173 before capturing and processing facial recognition templates. Failure to do so exposes organizations to NPC enforcement proceedings and potential criminal liability under Section 26 of RA 10173.
Government agencies collecting biometric data under statutory authority — such as the Department of Foreign Affairs (DFA) for passport biometrics, the Philippine National Police (PNP) for firearms licensing under RA 10591, and the Bureau of Immigration for alien registration — operate under specific statutory exemptions but must still comply with the proportionality and security requirements of RA 10173 and NPC Circular No 16-03 on personal data breach notification.
What to Include in Your Biometrics Consent Form (Philippines)
A Philippine Biometrics Consent Form must contain specific components to satisfy Republic Act 10173 and National Privacy Commission requirements for valid biometric data processing consent.
Organization identity: State the full legal name of the personal information controller, its NPC Certificate of Registration number under NPC Circular No 16-01 (mandatory for organizations processing sensitive personal information on a significant scale), principal office address, and the name, designation, and contact information of the registered Data Protection Officer (DPO) required under Section 21 of Republic Act 10173.
Description of biometric data: Specify precisely which types of biometric data will be collected — fingerprints (all ten, specific fingers, or index only), facial recognition templates processed by algorithms under ISO/IEC 19794 standards, iris scan images, voice recordings — using technical precision to enable the data subject to understand exactly what is being captured and stored.
Purpose and legal basis: State the specific purpose of biometric processing — such as employee time and attendance tracking under DOLE Labor Advisory No 06-2020 on payment of wages, or customer identity verification for Know-Your-Customer compliance under BSP Circular No 1149 (2022) — and confirm that consent under Section 13(a) of Republic Act 10173 is the legal basis, or cite the applicable statutory exception under Section 13(b) through 13(f).
Technology and security: Describe the biometric system vendor and equipment (ZKTeco, Suprema, or Innovatrics biometric terminal), whether raw biometric images or only encrypted mathematical templates are stored, the encryption standard used (at minimum AES-256 for stored biometric templates), whether biometric data will be stored on-device, on a local server, or in a cloud service, and the technical controls preventing unauthorized access consistent with NPC Advisory Opinion 2018-016.
Retention and deletion: State the period for which biometric data will be retained after the end of the employment, membership, or customer relationship. NPC Circular No 16-01 recommends deletion within 30 days of relationship termination for most biometric systems. The secure deletion method should be cryptographic erasure or physical destruction of storage media per NPC security guidelines under Section 20 of Republic Act 10173.
Data sharing: Identify any third parties receiving biometric data — including the biometric system vendor cloud platform, parent companies, payroll processors, and building management system operators — and the countries to which data may be transferred, triggering cross-border transfer safeguards under Section 21 of Republic Act 10173 and NPC Circular No 17-01 on cross-border data flows.
Data subject rights: Advise the individual of their rights under Sections 16 through 18 of Republic Act 10173 — the right to be informed, right to object, right to access, right to erasure — noting that objection or erasure may affect their ability to use the biometric-based service. The National Privacy Commission (NPC) enforces these rights through its Complaints and Investigation Division under RA 10173 Section 7.
Signature block: Capture the full name, signature, and date, and — for minors under 18 — the parent or guardian countersignature and relationship. The forms-legal.com Biometrics Consent Form (Philippines) template incorporates all NPC-required consent elements under the Data Privacy Act 2012, NPC Circular No 16-01 registration requirements, and NPC Circular No 16-03 breach notification obligations enforced by the National Privacy Commission of the Philippines. Philippine employers and organizations subject to NPC Circular No 16-01 registration obligations must implement a Privacy Management Program and appoint a Data Protection Officer before deploying any biometric attendance or access control system under Republic Act 10173.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Biometrics Consent Form (Philippines) (Philippines) [Legal document template]. Forms Legal. https://forms-legal.com/philippines/personal/consent/biometrics-consent-philippines
"Biometrics Consent Form (Philippines) (Philippines)." Forms Legal, 2026, https://forms-legal.com/philippines/personal/consent/biometrics-consent-philippines.
@misc{formslegal-biometrics-consent-philippines,
author = {{Forms Legal}},
title = {Biometrics Consent Form (Philippines) (Philippines)},
year = {2026},
howpublished = {\url{https://forms-legal.com/philippines/personal/consent/biometrics-consent-philippines}},
note = {Free legal document template. Based on Data Privacy Act of 2012 (RA 10173)}
}Frequently Asked Questions
This is a contested area under Philippine law. The National Privacy Commission (NPC) in Advisory Opinion 2017-031 acknowledged that employers may use biometric time and attendance systems for legitimate operational purposes (accurate payroll computation, DOLE compliance), but consent must be freely given — meaning the employee cannot be penalized solely for refusing biometric enrollment if alternative non-biometric attendance tracking methods are available. However, where biometric attendance is the only available system and the employer provides a clear, proportionate business justification, Philippine labor jurisprudence under the Labor Code (PD 442) and management prerogative doctrine — as affirmed in Manila Electric Company v. Quisumbing (G.R. No. 127598) — allows employers to implement reasonable workplace policies including attendance monitoring. The safest approach is to include biometric consent in the employment onboarding documents, implement alternative attendance tracking for employees who genuinely object, and document the processing under a formal HR data privacy notice compliant with the Data Privacy Act of 2012 (RA 10173).
Collecting or processing biometric data without valid consent in the Philippines violates Section 13 of the Data Privacy Act of 2012 (Republic Act No. 10173), which requires explicit consent for sensitive personal information — and biometric data falls squarely within this category. Under Section 26 of RA 10173, unauthorized processing of sensitive personal information carries imprisonment of 3 to 6 years and a fine of PHP 500,000 to PHP 4,000,000. The National Privacy Commission (NPC) may also initiate an investigation motu proprio or upon complaint, issue compliance orders, and impose administrative fines of up to PHP 5,000,000 per violation under NPC Circular No. 16-04. Organizations found to have collected biometric data without proper consent face mandatory breach notification obligations under NPC Circular No. 16-03 if the data is subsequently compromised. Directors and officers of corporate violators may be held personally liable under Section 34 of RA 10173. The NPC has issued enforcement orders against Philippine establishments — including employers and building management companies — for non-compliant biometric data collection, making proper consent documentation critical for legal operations in the Philippines.
The Data Privacy Act of 2012 (RA 10173) and the National Privacy Commission (NPC) do not prescribe a single fixed retention period for biometric data — instead, Section 11(e) of RA 10173 requires that personal data be retained only for as long as necessary for the purposes for which it was collected or as required by law. For employee biometric data, the NPC's advisory opinions recommend deletion within 30 days after the employment relationship terminates and the employee's access to the biometric-secured systems ceases. For customer biometric data collected for Know-Your-Customer (KYC) compliance under BSP Circular No. 1149, the Bangko Sentral ng Pilipinas (BSP) requires retention for at least 5 years after the account is closed to comply with Anti-Money Laundering Act (AMLA, RA 9160 as amended) record-keeping requirements — creating a conflict between data minimization and AML retention obligations that organizations must resolve through a documented data retention policy. For building access control biometrics, deletion upon the individual's departure from the building's access list is recommended. The Biometrics Consent Form must state the specific retention period and the secure deletion method — cryptographic erasure of encrypted templates or physical destruction of storage media.
A Biometrics Consent Form (Philippines) does not legally require a lawyer in Philippines, and individuals and businesses may draft and execute the document independently. The Data Privacy Act of 2012 (RA 10173) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Philippines lawyer or a registered Data Protection Officer (DPO) is recommended for organizations processing biometric data on a large scale, given the complexity of NPC compliance requirements, the criminal penalties for violations under Sections 25-32 of RA 10173, and the technical security obligations prescribed by NPC Circular No. 16-01. A lawyer or DPO can verify that the consent form satisfies the explicitness requirement under Section 13(a) of RA 10173, complies with NPC Advisory Opinions on biometric data, and incorporates appropriate data subject rights disclosures. The Supreme Court of the Philippines and NPC have jurisdiction over disputes arising from biometric data processing. Professional legal review is particularly advisable where the organization is NPC-registered or subject to BSP, SEC, or DOLE oversight.
Yes, in many cases. Under NPC Circular No. 16-01 (Rules and Regulations on the Security of Personal Data), personal information controllers (PICs) that employ 250 or more persons, or those that process sensitive personal information of at least 1,000 individuals, are required to register their data processing systems with the National Privacy Commission (NPC). Because biometric data is classified as sensitive personal information under Section 3(l) of the Data Privacy Act of 2012 (RA 10173), organizations collecting biometric data from 1,000 or more data subjects — such as employers with large workforces, banks with extensive customer bases, hospitals, and schools with student enrollment above the threshold — must complete NPC registration through the NPC's online portal before commencing biometric data collection. Registration requires designating a Data Protection Officer (DPO), submitting a Privacy Impact Assessment (PIA) for each biometric data processing system, and implementing a Privacy Management Program. Failure to register when required constitutes a violation of RA 10173 and may result in NPC enforcement action.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Personal Data Consent Form (Philippines)
Consent form for the collection, processing, and disclosure of personal data in the Philippines, compliant with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations (IRR), and National Privacy Commission (NPC) guidelines.
Research Consent Form (Philippines)
Informed consent form for research participants in the Philippines, compliant with the Philippine Health Research Ethics Board (PHREB) National Ethical Guidelines for Health and Health-Related Research 2017, the Data Privacy Act of 2012 (RA 10173), and the Declaration of Helsinki.
Hospital Admission Consent Form (Philippines)
A Hospital Admission Consent Form for patients in the Philippines, authorizing admission, routine diagnostic procedures, and data processing. Compliant with Republic Act No. 10173 (Data Privacy Act), Republic Act No. 11223 (Universal Health Care Act), and DOH Administrative Order No. 2020-0014 on Patient Rights and Informed Consent.
Data Processing Agreement (Philippines)
A Data Processing Agreement (DPA) between a personal information controller and personal information processor under the Data Privacy Act of 2012 (RA 10173). Covers processing instructions, security measures, sub-processor rules, data breach notification, data subject rights assistance, and NPC compliance obligations in the Philippines.