The National Privacy Commission (NPC) on Thursday, July 9, reminded business establishments to adopt data privacy and security measures, as prescribed by the Data Privacy Act (DPA) of 2012, as they conduct contact-tracing efforts.
In NPC Bulletin 15 released on July 8, businesses, particularly restaurants, salons and barber shops, were told to collect only what is necessary.
They were also advised to provide easy-to-understand information to data subjects on the purpose of the collection, and to implement measures to ensure that the personal data they gather do not fall into the wrong hands.
The NPC also asked establishments to use the information only for purposes declared before the collection. Should there be a need to use the information for other purposes, businesses are expected to contact data subjects to seek their consent.
As establishments are responsible for complying with the DPA, owners and top management must remind their staff as well as third-party service providers, such as security personnel, that using the personal data of customers or visitors for any other purpose is punishable under the law.
The NPC also reminded businesses that all personal data collected for the purpose of contact tracing will be retained only for a period allowed by existing government issuances, in this case Department of Trade (DTI) Memorandum Circular (MC) 20-28, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons” and DTI MC 20-37, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood Establishments.”
Once these rules are no longer in force, all personal data collected for their purposes should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure, the NPC said.