Privacy officials tweak rules on digital lending
The National Privacy Commission (NPC) said it has amended certain provisions in the guidelines on the processing of personal data for loan-related transactions to further address the data privacy concerns due to the prevalence of online lending.
According to a statement issued last Wednesday quoting Privacy Commissioner John henry D. Naga, the agency’s Circular 2022-02 provides amendments “that will serve as an added protection to borrowers and lending companies.”
Naga said the privacy body aims for “smooth transactions” between the two parties, where borrowers are afforded their data privacy rights and lending companies, on the other hand, are given the opportunity to “ethically” conduct their business and establish trust among their customers.
Under Circular 2022-02, the amendments cover the following: processing of personal data for evaluating loan applications, granting loans, collection of loans and closure of loan accounts; character references; and, a newly-added provision for guarantors.
Under Section 3 (A)(5) of the amended Circular, a lending company, financing company and other persons acting as such should provide just-in-time notices before obtaining the consent of the data subjects in loan-related transactions. (See https://www.privacy. gov.ph/2023/01/npc-amendscircular-on-the-processing-ofpersonal-data-for-loan-relatedtransactions/#:~:text=under%20 Npc%20circular%2 No., Privacy%20commissioner%20 John%20henry%20d.
According to the country’s privacy body, the just-in-time notice provides data subjects with information on how a particular piece of information they are asked to provide will be processed.
Privacy rights
IN loan processing activities, Section 3(D) of the amended Circular provides that a lending company, financing company or other persons acting as such are prohibited from conducting unnecessary processing, which includes requiring “unnecessary” permissions that involve personal and sensitive personal information.
“When the purpose for accessing an application permission has already been achieved and there are no other applicable lawful criteria for such access, such online applications shall prompt the data subject to turn off, disallow these permissions, or inform the data subject that access to the relevant application permissions may already be revoked,” the Circular states.
The privacy body said there is also an amendment in the Circular protecting the data privacy rights of a borrower’s character reference and guarantor.
Under Section 4 of the said Circular, a character reference is a person whose contact information is provided for verification of the identity and veracity of the information provided by the borrower for the grant of a loan.
Section 4(D) of the Circular prohibits “contacting character references for purposes other than for the verification of identity and veracity of the information provided by the borrower, such as but not limited to, marketing, cross-selling, or sharing to third parties for purposes of offering other products or services.”
The NPC said violators of the amended Circular will be subject to penalties, fines and other disciplinary measures provided in the Data Privacy Act, its implementing rules and regulations and other issuances of the NPC.