National Privacy Commission (NPC) deputy commissioner Leandro Angelo Y. Aguirre discussed the rights of consumers with respect to data privacy during the opening day of the National Digital Consumer Conference 2018 on July 26 at the Green Sun Hotel in Makati City.
In his talk on “ICT Data Privacy, Confidentiality, and Intellectual Properties,” Aguirre said that under the principle of transparency, companies which collect personal information from customers such as banks should disclose certain things either before data gathering or within a reasonable period after.
These are the following: the exact type of data that they need, the purpose for gathering that data, their method of processing data, how long will they keep such data, the rights of their data subjects and how the latter can avail these rights.
Consumers have the right to object from providing such information or to withhold consent after it has been given. However, if they are required to do so under a contract or pursuant to a subpoena and the like, they cannot object.
According to Aguirre, the transparency principle underscores various rights.
One of these is the right to access contents and sources of personal data, names and addresses of those who received one?s personal data, manner of data processing, reason for disclosure of data, information on automated processes, date when data was last accessed or modified, name and address of the personal information controller (PIC).
Another is the right to erasure and blocking in the case of false, outdated, and unlawfully authorized data, withdrawal of consent, unlawful processing, or violated rights by the PIC or personal information processors (PIP).
The right to rectification allows the subject to question an inaccurate personal data and have it corrected by the PIC and third parties if applicable. The right to data portability allows him to acquire a copy of his personal data from the PIC in an electronic/structured format.
Meanwhile, the right to damages indemnifies an individual if his data privacy rights and freedoms are violated.
Another principle of data privacy is legitimate purpose. “Consent should be freely given. It should be specific. It should be an informed indication of will. How can you consent to something that you don’t know?” Aguirre said.
Therefore, statements such as “If you don’t reply within 5 days, that is the equivalent of consent,” are prohibited, Aguirre said. Consent should also be in written, electric, or any recorded form, the NPC deputy commissioner added.
Furthermore, consent should be granular and unbundled. “[They] can’t make certain optional services contingent on [your] availment of the main service,” he explained. “They have to unbundle the different types of services that they offer so that the data subjects can just choose what type of service they want.”
In terms of granular consent, Aguirre cited subscription lists as an example. When a person agrees to be part of a company’s subscription list, he should be given choices as to how to receive information from the company such as by email, text, and others.
However, when specific agencies are the ones collecting the information, consent is not needed. These are the Securities and Exchange Commission, Bangko Sentral ng Pilipinas, Bureau of Internal Revenue, Civil Service Commission, Credit Information Corporation, and the Anti-Money Laundering Council.
Finally, under the principle of proportionality, companies should collect only the information necessary for them to perform the type of processing that is required.
The NPC encourages everyone to report any violation of data privacy to their office via telephone number 517-7806 or [email protected].