Data is the oil of the information age. Despite varied and complex socioeconomic and political landscapes, many Asian jurisdictions are taking giant strides in strengthening personal data safeguards.
The Philippines’ Data Privacy Act (DPA) applies to the processing of all types of personal information and any natural or juridical person involved in it, whether personal information controllers or processors.
The act has extraterritorial applications to personal information controllers (PIC) and processors (PIP) who, although not found or established in the Philippines, use equipment located in the country, or maintain an office, branch or agency in the Philippines, subject to exceptions stated in section 4 of the DPA.
Personal information refers to “any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”.
The act also distinguishes personal information from sensitive personal information, the latter covering age, ethnic origin, marital status, colour, religious, philosophical and political affiliations, an individual’s health, education, genetic or sexual life, offences committed or alleged, government-issued identification, health records, and tax returns. Meanwhile, privileged information under the Rules of Court, namely information disclosed during an attorney-client relationship, is treated as sensitive personal information.
Processing, as intended by the law, is “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organising, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data”.
Personal information may be processed if the requirements under sections 11 and 12 of the act are complied with. Under section 11, the processing should adhere to the principles of transparency, legitimate purpose and proportionality. Section 12 states that processing is permitted as long as it is not prohibited by law and at least one of the listed conditions exists, such as the consent of the data subject, or processing being necessary for the fulfilment of a contract or for compliance with a legal obligation.
Processing sensitive personal information is generally prohibited. Exceptions are: the data subject has given his consent; allowed by existing laws and regulations; necessary to protect the life and health of the data subject or another person in instances where the former cannot express his consent; necessary to achieve lawful and non-commercial objectives of public organisations and their associations; necessary for purposes of medical treatment; necessary for protection of lawful rights and interests of natural or legal persons in court proceedings; or for establishment, exercise or defence of legal claims, or when provided to a government or public authority.
Finally, the National Privacy Commission (NPC) Advisory Opinion, issued in August 2017, clarified how consent should be given.
It emphasised that implied or inferred consent is not valid, and cited recital 32 of the EU’s General Data Protection Regulation, which specifies that “silence, pre-ticked boxes or inactivity should not constitute consent”.
Rights of data subjects. Under section 16 of the DPA, the data subject is entitled to the following rights:
- Right to be informed of the processing of personal information, including the existence of automated decision-making and profiling. This includes a data subject’s right to know to whom their personal information is sold or disclosed, and the contents of the personal information processed;
- Right to access;
- Right to object to processing;
- Right to erasure or blocking;
- Right to damages;
- Right to file a complaint, subject to the requirement of exhaustion and timeliness;
- Right to rectify; and
- Right to data portability.
Data protection officer. A PIC must appoint a data protection officer who shall be accountable for compliance under the DPA.
Registration. DPA implementing rules and regulations mandate the registration of personal data processing systems of organisations if:
- Sensitive personal information of at least 1,000 individuals is processed;
- The PIC or PIP employs at least 250 persons;
- Less than 250 persons are employed but the processing is not occasional; or
- Less than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.
Transfer. The PIC is responsible for personal information transmitted to third parties.
Breach. The PIC or PIP is required to notify the NPC and affected data subject of a personal data breach within 72 hours of its discovery.
The following are recent applications of the DPA.
Contact tracing apps. The NPC clarified that contact tracing apps must “allow users to opt-in and out of digital contact tracing. Use of the app must be voluntary, with data subjects allowed to withdraw consent at any time … When different purposes exist in the app, there must be a separate consent and the purpose must be explained beforehand to users.”
Employee surveillance. Under the NPC advisory opinion No. 2018-084, monitoring employee activities on company-issued computers “may be allowable under the DPA, provided the processing falls under any of the criteria for lawful processing of personal data under section 12 and/or 13 of the law”.
The same opinion clarified that “secret surveillance” is frowned upon and it “is the duty of the employer to explain the conduct of computer monitoring to the employees, the specific purpose, scope and actual method of monitoring, security measures to protect personal data, as well as the procedure for redress in cases where the rights of the employee as a data subject are violated … Every employer conducting computer monitoring or employee monitoring should ensure that the data collected directly satisfies the purpose of monitoring, and that it clearly aligns with the need(s) and objectives of the organisation.”
The NPC public health emergency bulletin No. 14 later clarified that work monitoring software may be installed on company-issued devices, but employers are required to notify employees of the existence of such software, to conduct a privacy impact assessment to determine risks and mitigation procedures, and to use the least privacy-intrusive means of monitoring employees.
To elaborate, the means of monitoring should only be proportional to the intended purpose. Requiring employees to stay on video while working is thus considered excessive. The means of monitoring should be “adequate, relevant, suitable and necessary, and not excessive”.
E-learning. The NPC recommends that teachers “must always consider the privacy, equity and peculiarity among students during online classes”.
The NPC recommends making webcam use optional in online classes, but also understands that video-conferencing might be helpful during online proctoring or examination monitoring. The NPC advises that teachers should balance the interests of students and the educational institution, and always obtain explicit consent of the students.
Moreover, the NPC reminds teachers not to publicly post personal data such as grades and results of assignments. Teachers should ensure that personal data are safeguarded and stored in personal accounts or devices.
In addition, teachers should allow alternative means of submitting projects and assignments, should not penalise students for not using webcams or for lack of eye contact, and should not force students to turn on webcams.
Proof of vaccination. Private establishments may refuse the entry of persons who do not present vaccination records. Access to private establishments is subject to the consent and conditions imposed by the owner of the establishment. However, vaccination records contain sensitive personal information, so private establishments cannot force data subjects to disclose them.
The practice of some government offices to require presentation of vaccination records for basic government services is highly disputable at this point. This, in turn, is an indirect mandate for citizens to be vaccinated to avail of basic government services. However, under Jacobson v Massachusetts, the US Supreme Court ruled that state police power allows the state to enact a compulsory vaccination law.
Surveillance advertising. The NPC emphasises that “it is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation”.
The NPC also clarified that marketers become PICs of the personal information of potential clients they obtained from publicly available sources. Therefore, marketers should follow the criteria for lawful processing of personal, sensitive personal and privileged information as provided in the DPA.