Malacañang on Monday urged establishments to ensure data privacy when handling contact tracing data.
This, after the National Privacy Commission (NPC) announced that it was looking into reports on the misuse and mishandling of data retrieved by some business establishments from contact tracing efforts.
In a Palace press briefing, Presidential Spokesperson Harry Roque said individuals better heed the advice of the NPC.
“Ang privacy po is a specialized law at ang nakakaintindi po niyan ay Privacy Commission (Privacy is a specialized law and it’s the Privacy Commission who best understands it). So let’s heed the advice of those who have specialized knowledge on the law,” he said.
The NPC, in a statement, said customers raised concerns over “the improper use of logbooks and the lack of appropriate data-protection measures that left in the open filled-out contact-tracing forms that contain customers’ data, such as names, addresses and contact details, which other people could see.”
Other concerns were that “personal data were used for purposes other than contact tracing in the absence of a privacy notice and baseless retention period,” the agency said.
“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” NPC Commissioner Raymund Liboro said.
The commission did not identify specific businesses but the statement said the concerned establishments include a mall, fast-food and drugstore chains, supermarkets, a European fast-fashion retailer, and a North American coffee shop franchisee.
Currently, contact tracing efforts are done in accordance with the joint memorandum circular “Privacy Guidelines on the Processing and Disclosure of Covid-19 Related Data for Disease Surveillance and Response” of the NPC and the Department of Health.
It is also done in accordance with the Supplemental Guidelines on Workplace Prevention and Control of Covid-19 of the Department of Trade and Industry and Department of Labor and Employment.
To ensure data privacy, establishments are directed to adopt the following: Collecting minimum necessary information, providing a transparent data privacy notice, having a proper disposal mechanism, and imposing a limited period for the storage of collected information.
Employees must also be trained on data privacy protocols and urged to strictly observe them.
Under the Data Privacy Act, the NPC said establishments who violate data privacy may be penalized with a fine of up to PHP5 million and imprisonment for a maximum of six years. (PNA)