NPC says COVID-19 apps must be transparent in data collection

Technology is proving to play a crucial role in the fight against the COVID-19 pandemic. From research to information dissemination to contact tracing, apps are becoming an essential tool to collect data that would be of use not only in research but also to help in curbing the spread of the virus.

Philippines’ data privacy watchdog, the National Privacy Commission, recognizes the benefits of these apps that the government and private sectors create. However, they should set boundaries on what should be collected and must be transparent on what can be shared.

“COVID-19 related apps can only achieve the desired level of uptake if it is clear about its legitimate purpose, is transparent on how it uses personal data and proportional in its collection,” said Privacy Commissioner Raymund Liboro in a statement issued Monday. “The app must not over-collect personal information from users and collect only what is necessary for the purpose.”

Liboro stressed that organizations “must make sure that the app is solidly built on legitimate purpose.”


“Efforts should be geared not only toward its rapid deployment but also in ensuring that the widest segment of the population with their devices can avail (themselves) of these apps and that data quality is achieved,” he said. “To be effective, such solutions must be trustworthy and acceptable for individual users to use with confidence so that users will share information without fear of misuse or discrimination.”

Personal information controllers (PICs) must ensure the utmost transparency to earn the trust of individuals who are using the app. It can be achieved “through an easy-to-understand privacy notice, how the app or digital solution will collect, use, store, and dispose of their personal data. Users must also be made aware to whom, if any, shall their personal data be disclosed incidental to the processing.”

Secure manner

“Considering the inherent vulnerability of personal data processing over the internet and in anticipation of the latest cyber threats, PICs must also ensure that appropriate security measures are identified and implemented,” Liboro said. “PICs are also expected to inform users of their data subject rights and incorporate mechanisms to easily exercise them.”

The Commission also reminded PICs that once data have served its purpose, data processing must stop and properly disposed of or discarded in a “secure manner.”

Apps are extremely useful but are also extremely vulnerable. If it does not have the right security measures, it is the easiest gateway for cybercriminals to obtain personal information.

“Users must also be made aware to whom, if any, shall their personal data be disclosed incidental to the processing,” Liboro said.