[Editor’s Note: Incognito is the new online column of data privacy lawyer Jamael “Jam” Jacob. A graduate of the UP College of Law, Atty. Jacob previously worked for the National Privacy Commission. He is now connected with the Ateneo de Manila University at its data protection officer.]
A couple of weeks ago, the Pep Squad coach of a certain UAAP school complained of an experience involving the improper use of her personal information. She narrated how she received a call from a complete stranger the same day she filled out information sheets on public utility vehicles (PUVs) she rode on and establishments she visited while going around Metro Manila. The caller talked to her as if they were old acquaintances and even offered her a ride.
Her experience is not an isolated case.
In New Zealand, a woman went through a similar ordeal. After dropping by a restaurant, she soon found out she got more than just the sandwich she bought. She also received a Facebook request, an Instagram request, a Facebook message, and even a text from a person who turned out to be an employee of the restaurant.
Tying these two incidents together is the fact that the data collection in both cases is required by no less than the government.
The Ministry of Health in New Zealand had issued guidelines requiring bars, cafes, and restaurants to maintain Covid-19 guest registers that feature each guest’s name, address, and phone number or email address, as well as the date and time of visit.
Here in the Philippines, the Department of Trade and Industry (DTI) issued Memorandum Circular 20-37 which requires all restaurants and fastfood businesses to collect the following information from their personnel, suppliers, and customers (including their companions): name, residence, sex, age, mobile number, temperature, signature, date and time served, and the kind of service availed of. There are several questions that need to be answered, too.
In May, the Land Transportation Franchising and Regulatory Board (LTFRB) also announced that PUVs will be required to keep a record of their passengers. Even churchgoers will be asked to provide basic information when they attend mass or other religious services, according to the Catholic Bishops Conference of the Philippines. Meanwhile, in Bacolod an ordinance was approved requiring establishments to record their customer’s personal information. They all say the same thing: the information may be needed later for contact tracing.
That in itself is fine. There is a public health crisis and this can be justified as a public health measure. What is unacceptable, though, is that no safeguards have been provided to make sure these mandatory data collection measures are not abused.
The DTI, for instance, does not instruct restaurants to separate this new information system from their other data processing practices (e.g. loyalty program). Even a simple prohibition on the use of the collected data for purposes other than contact tracing is glaringly absent in its issuance.
As a result, these measures that are supposed to mean well now pose significant privacy and security risks to the public. And these dangers are particularly high for women, minors, and other vulnerable groups who are already frequent targets of harassment and discriminatory practices.
At least in New Zealand, the Office of the Privacy Commissioner (OPC) was quick to recognize the danger and immediately released key reminders.
The Philippine government should learn from its peers who are handling this crisis more effectively and do better. In this case, it would not hurt to echo some of the tips given by the OPC and convert them into policy:
These basic steps (and more), if mandated by government, will go a long way towards protecting people’s privacy and even physical safety. Sure, we now have a data protection law; experience tells us though that people often need to be shown how a policy directly applies to their situation. That is the case here.
Moving forward, let’s hope our leaders will be more circumspect when coming up with policies so that they don’t create problems worse than the ones they are trying to cure.
The author is a lawyer, artist, photographer, and privacy advocate