Sun.Star Baguio

True Lab Porever (TLP) in data privacy (Or, one QR code to rule them all 2)

- DANA BATNAG Private Talk

SORRY, that was click bait. There is no forever in data privacy (seriously; will get to that in a while), but the most important letters in data privacy are TLP.

Transparency, Legitimate Purpose, and Proportionality.

Transparency means the data subject—the person whose data is being collected—must be told the reasons for the collection; the methods to be used in handling the data; with whom the data will be shared; and for how long, and where, the data will be kept.

These are the basic rights of the data subject: if they're keeping tabs on you, the least they can do is tell you they're doing it. Unless, of course, you're already under investigation, in which case your rights as a data subject are limited.

Legitimate purpose means there must be a legal basis for collecting your personal information.

The law sets the criteria: Section 21 of the Implementing Rules and Regulations (IRR) of the Data Privacy Act says processing must be based on consent, contract, or law; or needed to respond to a national emergency.

The last criterion sounds tricky: “Necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution.” Though it acknowledges legitimate purpose as a basis for the collection and processing of personal data, to me this means that even when there is a legitimate basis, that basis cannot override our constitutional rights and freedoms.

Proportionality means only the needed information—based on the legitimate purpose earlier stated—should be collected.

How does this work?

For example: LGU XX develops an app to do contact tracing for Covid-19. All residents and visitors to the town are required to register in the app, which will then assign them a unique QR code. That QR code is linked to their personal information, and serves as an ID to gain entry to all establishments in the city, both commercial and public, as well as to ride public transportation. No QR code, no entry/ride.

Data Subject Y is concerned this will establish a pattern of his movements around the city, and maybe allow others not only to track him down, but also to profile him. What can he do? Apply TLP.

Based on the principle of transparency, Y can ask LGU XX who—or what organizations—will be collecting and processing his/her data, what data will be collected, how long it will be kept, and with whom it will be shared. This information should be in LGU XX’s privacy notice, or in the privacy policy; both should be accessible to the public.

Y should then check the legitimate basis: What is the basis of processing?

If it’s based on law, or an ordinance, Y should read the ordinance and compare what it says with what the privacy policy/statement/notice says. Does the ordinance say the personal data collected will only be used to trace those who have had contact with COVID-19 patients? Or are there other reasons mentioned for the data collection? Are the reasons mentioned in the ordinance the same as those detailed in the privacy notice/privacy policy? Why is this important?

If, for example, the privacy policy says the data collected will be used for research into Y’s preferences, then that means whatever personal data is collected about Y will be kept even if Covid-19 mutates into the common cold, because LGU XX still has reasons to use Y’s personal data. It also means the app will continue to track down Y and collect his personal data, even after the world has forgotten what Covid-19 means.

Was that declared use—to find out Y’s preferences—in the ordinance? If not, the collection and processing might not be a legitimate use. Y needs to ask LGU XX’s Data Protection Officer (DPO) to limit the purpose to that mentioned in the ordinance. If the DPO ignores him/her, he/she can file a complaint with the National Privacy Commission.

If the personal data was collected for contact tracing, as the ordinance says, then the privacy notice should state that the information gathered should be kept only as required by law for contact tracing. LGU XX is not allowed to keep the personal data longer than it needs to (there is no poreber in data privacy, remember? See Section 19 (d) and (e) (3) of the IRR). Nor should LGU XX use that personal information for a purpose other than that stated in the law, or disclosed to the data subject.

What if Y registers with the app? Ahh, there’s the rub. He/she would have given consent to the collection and processing of his/her personal information. LGU XX can keep it for as long as the reasons stated in the privacy statement exist. That is, of course, if it was a valid consent, and if it was recorded. As you can see by now, in data privacy, the details matter.

***

Dana Batnag heads the policy and risk management section in the data privacy office of a private company. She may be contacted at yourdataprotectionofficer@protonmail.com.

Every Wednesday