While it supports the use of digital technologies in the processing of personal data to enable health authorities to contain the Covid-19 pandemic, the National Privacy Commission (NPC) said this practice should only be done if it preserves and protects the data privacy rights of individuals.
In a statement issued on Monday, April 20, the privacy agency said the Covid-19 apps being rolled out by the government and the private sector will only be effective if these solutions allow users to share information without fear of misuse or discrimination.
“Covid-19 related apps can only achieve the desired level of uptake if it is clear about its legitimate purpose, is transparent on how it uses personal data, and proportional in its collection. The app must not over-collect personal information from users and collect only what is necessary for the purpose,” said NPC chair Raymund Liboro.
Liboro said that, from the design stage, personal information controllers (PICs) must make sure that the app is solidly built on a legitimate purpose – ensuring that it is limited to and consistent with the objective of helping defeat the Covid-19 pandemic.
“Thus, the app’s design, functionalities, personal data collection and extent of processing must never deviate from this purpose. Once the purpose is achieved, personal data processing must stop, while the collected and generated personal data must be disposed of or discarded in a secure manner to prevent any further use. In doing so, breach-related privacy risks are minimized, thus enabling user trust and adoption by the general public,” the official said.
The personal data to be collected and the manner of processing must be moderated with the principle of proportionality, the NPC chief said. “This means PICs must collect only the minimum data necessary to achieve the declared and specific purpose, using the least intrusive method,” he said.
Liboro pointed out that PICs must also ensure transparency by telling individual users, through an easy-to-understand privacy notice, how the app or digital solution will collect, use, store, and dispose of their personal data. “Users must also be made aware to whom, if any, shall their personal data be disclosed incidental to the processing,” he added.
Considering the inherent vulnerability of personal data processing over the Internet and in anticipation of the latest cyberthreats, Liboro said PICs must also ensure that appropriate security measures are identified and implemented. “PICs are also expected to inform users of their data subject rights and incorporate mechanisms to easily exercise them,” he concluded.