NPC probes reports vs establishments over mishandling of contact tracing data

After receiving reports over the mishandling of contract tracing data, the Philippines’ National Privacy Commission (NPC) has begun probing a number of business establishments to verify the allegations. The reports also prompted the commission to check on their compliance with the Data Privacy Act (DPA) and the guidelines issued by the Commission and other government agencies.

With the lack of automated forms of collecting data, most, if not all, establishments require customers to write their basic information in a logbook or contract tracing forms. The data such as name, address, and contact numbers are openly available for subsequent visitors to see.

“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” Privacy Commissioner Raymund Liboro said.

NPC: Data Privacy Act is not a hindrance to contact tracing

NPC works with DOH on COVID-19 contact tracing, issues privacy guidelines

Data collection was done in haste without proper privacy notices or system in place.

Contract tracing is crucial in curbing the spread of the virus that causes COVID-19. Infected people have to be tested and quarantined for a period of time to ensure that no one else will be infected.

Liboro emphasized that NPC’s move to check on companies to uphold data protection and privacy rights was pro-consumer and pro-business. The move would enable businesses to gain the trust of customers and support government contact-tracing efforts.

Other concerns included using personal data for purposes besides contact tracing, absence of a privacy notice, and baseless retention period.

“Building trust is especially crucial now as we begin to open the economy gradually,” Liboro said. “Building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data.”

The NPC met on Oct. 9 with data protection officers (DPOs) from the Privacy Council for the retail and manufacturing sector to guide their contact-tracing practices.

“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations,” said Olivia Khane Raza, director, Compliance and Monitoring Division (CMD), NPC.

To address public concerns, Raza called on companies to adopt best data-privacy practices, such as collecting what is minimum necessary; providing a transparent data privacy notice; having proper disposal mechanism; imposing a limited period for storage; and training employees on data privacy protocols and urging them to observe the protocols strictly.

According to Raza, compliance checks are early warning mechanisms to help businesses prevent more complaints that could lead to legal action.

The CMD chief added that if a company received a notice of deficiency, it should “act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.’’

Depending on the violations committed, negligent businesses might be penalized under the DPA with imprisonment and fines. With a combination of prohibited acts, a violator could be fined up to P5 million and imprisoned for a maximum of six years.

Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector and DPO of San Miguel Corp., said retailers must base their contact-tracing efforts on two joint memorandum circulars: the NPC and the Department of Health (“Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response”) and the Department of Trade and Industry, and Department of Labor and Employment (“Supplemental Guidelines on Workplace Prevention and Control of COVID-19”).

Boquiren also advised retailers to ensure that the rest of the processing cycle — storage, use, transfer, and destruction — of customers’ data was always protected.