Privacy breach complaints starting to pile up, says NPC

By Paolo Julian

Hundreds of inquiries and complaints on possible data violations have been filed at the National Privacy Commission (NPC), the agency’s head has disclosed.

NPC chair Raymond Liboro speaking during the recent Data Privacy Asia conference

NPC chair Raymond Liboro speaking during the recent Data Privacy Asia conference

The possible violations include cybercrime, unauthorized access or intentional breach, unauthorized processing, unauthorized disclosure, security of personal information, consumer protection and credit card violations, and outright violations of data subject rights.

NPC chair Raymond Liboro said this trend reflects the growing awareness of Filipinos about their rights under the Data Privacy Act and a little over a year after the agency opened its offices in June 2016.

Recently, he said the NPC received a complaint from a lady who complained about a hospital’s delay in releasing the medical records of her brother who was brought to the hospital and discharged with no serious findings. Then he was again rushed to the emergency room where he expired within 24 hours.

The complainant wanted the police to conduct an autopsy for which a medical abstract from the hospital was required. She requested the medical abstract and the hospital promised to provide the abstract within three to five days after which the abstract was still not available.

She sued the hospital for the non-availability of the personal information of her deceased brother, Liboro said, adding the case “illustrates the principles of availability and transmissibility of the rights of data subjects.”

It’s just one of the hundreds of inquiries and complaints on possible violations of the Data Privacy Act made before the NPC which is tasked to receive complaints and institute investigations on personal data protection, he said.

“My duty is to respond to all of these concerns,” Liboro said. “And while I have never failed to remind the public that the NPC sees itself primarily as a partner and fellow advocate, we are firm in our commitment to enforce the law.”

“We want our people to be able to sleep soundly at night knowing fully that those who handle their data and information exercise vigilance, and are mindful of their responsibilities,” he said.

When organizations and institutions are remiss in their obligations under the law, “they will feel our presence, and they will feel it strongly,” Liboro added.

Under the Data Privacy Act, for example, data subjects (or, in the case of the deceased brother, their relatives) have the right to data portability or to take or transfer personal data as they desire.

General data privacy principles, for example, require that data subjects have the right to be informed — they have the right to have access to their data; to object, correct and rectify the data; to block or remove data; to complain; and to be indemnified.

Personal information may only be processed with the rights of data subjects in mind; the information is always accurate; information is collected only adequately but not excessively and with a stated purpose; information is kept only for the time it serves its purpose, and never longer than necessary; and personal data must be secured.

In addition, information processing should adhere to the general principles in the collection, processing, and retention of personal data, as well as to the principles of data sharing, and criteria for lawful processing of personal information, Liboro said.

Comment on this post