Data Privacy Act: Compliance in convenience
We live in a technological system of connections. Innovative approaches in our daily pursuits have made our identities more accessible, and, concomitantly, our lives more exposed. This statement holds true for everyone. In this age of convenience, every transaction allows for a window to compromise our often personal, sensitive, or privileged information.
The obsession with convenience has made data security the elephant in the room – an obvious problem initially swept to the side, relegated to the back seat in favor of the more imposing superlatives of speed and satisfaction. While we may be aware that not all personal affairs are of public concern and in the public domain, the existing social climate is not proactive enough to ensure that it stays that way.
Most consumers passively receive random phone calls from sales agents without having the slightest hint of curiosity as to where their phone numbers were sourced. Almost everyone tends to treat the data policies and confirmations on websites and e-mails as unnecessary preludes, if not insignificant parts, to swift purchases and approvals. Unfortunately, what the ordinary citizen fails to understand is that the contents of the often-unread documents may very well be his basis for reparations in case fraud or injury ensues.
However, the tides have turned with the signs of the times. After alarming news of cybercrimes, data leaks, and privacy breaches, such as the leakage of the COMELEC’s voter database and the exposure of Facebook’s data scandal, public awareness on the importance of data privacy has expanded.
The Philippines passed Republic Act No. 10173, also known as the Data Privacy Act (DPA), in 2012. Its Implementing Rules and Regulations (IRR) took effect in 2016. The law aspires to protect the fundamental human right of privacy while ensuring the free flow of information. The declaration raises the bar on what the Filipino’s concept of data privacy should be. It does not end with the protection of information, but balances the right to free flow of information by integrating its responsible use.
To ensure the efficient enforcement of the law, the National Privacy Commission (NPC) was established as its lead agency vested with rule-making power.
Under the DPA, personal information is defined as “any information from which the identity of an individual can be reasonably and directly ascertained.” This information, when wielded properly, can help build strong foundations for the free flow of information. Personal data can range anywhere from name, age, and address to government ID numbers. Generally, these can only be processed if consent is given. Otherwise, it would be unauthorized.
The succession of recent advisory opinions issued by the NPC is a useful guideline in approaching matters anent an issue that has been often overlooked. For instance, in one of the posted inquiries, the NPC was asked to comment on a rather interesting topic – visitor logbooks. The issue centered on the privacy considerations of handling documents containing personal data of office visitors. In response, the NPC directed the custodian of the information, formally known as the personal information controller, to “comply with duties and responsibilities under the law and implement appropriate security measures to ensure the protection and security of such personal data.” This entails a proper determination of the relevance of the information collected and placement of a privacy notice to advise prospective visitors of the workplace.
The NPC also had the opportunity to clarify the implications of posting a list of admitted students on a school’s bulletin board. It acknowledged the act as a lawful processing of data. As a form of legitimate purpose, it ruled that the main objective of the posting is to inform the aspirants who among them are eligible for admission to the educational institution.
Another advisory opinion concerned the personal details included in a Company ID. In illustrating the principles of transparency, legitimate purpose, and proportionality, the NPC advised that the company should have a policy on the types of personal information to be included in the card, and instill awareness among the employees as to its purpose.
For data policies to be transparent, the individual should be acquainted with the “nature, purpose, and extent” of the processing. The principle of legitimate purpose calls for processing of data that is for a declared and specific purpose not contrary to law. Lastly, the use of information must be proportional – adequate and not excessive.
Under the DPA, personal data should be processed fairly and lawfully. It provides that entities who control and process personal information should “implement reasonable and appropriate organizational, physical, and technical security measures” to protect data subjects.
Perhaps one of the biggest contributions of the DPA and its IRR is its express provisions of accountability on data processing and storage. Personal information controllers are accountable for data under their custody, and any breach against the personal information should be reported to the NPC and to the affected subject. Data protection officers should be assigned by organizations to ensure compliance with the law. A Privacy Impact Assessment aids in evaluating the current data processing flows and identifying any risk that the system may encounter.
Moreover, the DPA penalizes acts which put the personal data of the subject at risk, including but not limited to: unauthorized processing, access, improper disposal of personal information and sensitive personal information, intentional breach, malicious disclosures, or any combination of these acts.
Data privacy should not be placed on the back burner of civic consciousness. As a matter of public policy, individuals have a right to be informed on matters concerning their personal information – from point of collection to their disposal. From a business perspective, it is likely that consumers will patronize service providers that properly handle their data. This added incentive translates to more bang for the buck.
While compliance with data protection policies may be an uphill battle, it is not an impossibly long shot. With the end goal in sight, surely a little inconvenience wouldn’t hurt.
The views or opinions expressed in this article are solely those of the author and do not necessarily represent those of Isla Lipana & Co. The content is for general information purposes only, and should not be used as a substitute for specific advice.