[Editor’s Note: INCOGNITO is the new online column of data privacy lawyer Jamael “Jam” Jacob. A graduate of the UP College of Law, Atty. Jacob previously worked for the National Privacy Commission. He is now connected with the Ateneo de Manila University at its data protection officer.]
A couple of weeks ago, the Pep Squad coach of a certain UAAP school complained of an experience involving the improper use of her personal information. She narrated how she received a call from a complete stranger the same day she filled out information sheets on public utility vehicles (PUVs) she rode on and establishments she visited while going around Metro Manila. The caller talked to her as if they were old acquaintances and even offered her a ride.
Her experience is not an isolated case.
In New Zealand, a woman went through a similar ordeal. After dropping by a restaurant, she soon found out she got more than just the sandwich she bought. She also received a Facebook request, an Instagram request, a Facebook message, and even a text from a person who turned out to be an employee of the restaurant.
Tying these two incidents together is the fact that the data collection in both cases is required by no less than the government.
The Ministry of Health in New Zealand had issued guidelines requiring bars, cafes, and restaurants to maintain Covid-19 guest registers that feature each guest’s name, address, and phone number or email address, as well as the date and time of visit.
Here in the Philippines, the Department of Trade and Industry (DTI) issued Memorandum Circular 20-37 which requires all restaurants and fastfood businesses to collect the following information from their personnel, suppliers, and customers (including their companions): name, residence, sex, age, mobile number, temperature, signature, date and time served, and the kind of service availed of. There are several questions that need to be answered, too.
In May, the Land Transportation Franchising and Regulatory Board (LTFRB) also announced that PUVs will be required to keep a record of their passengers. Even churchgoers will be asked to provide basic information when they attend mass or other religious services, according to the Catholic Bishops Conference of the Philippines. Meanwhile, in Bacolod an ordinance was approved requiring establishments to record their customer’s personal information. They all say the same thing: the information may be needed later for contact tracing.
That in itself is fine. There is a public health crisis and this can be justified as a public health measure. What is unacceptable, though, is that no safeguards have been provided to make sure these mandatory data collection measures are not abused.
The DTI, for instance, does not instruct restaurants to separate this new information system from their other data processing practices (e.g. loyalty program). Even a simple prohibition on the use of the collected data for purposes other than contact tracing is glaringly absent in its issuance.
As a result, these measures that are supposed to mean well now pose significant privacy and security risks to the public. And these dangers are particularly high for women, minors, and other vulnerable groups who are already frequent targets of harassment and discriminatory practices.
At least in New Zealand, the Office of the Privacy Commissioner (OPC) was quick to recognize the danger and immediately released key reminders.
The Philippine government should learn from its peers who are handling this crisis more effectively and do better. In this case, it would not hurt to echo some of the tips given by the OPC and convert them into policy:
- Transparency. Establishments must make sure their customers are aware why their information is being collected. They should also provide sufficient information about what happens to the data after it is obtained. All these can be explained in a properly drafted Privacy Notice.
- Security. Establishments must keep the collected information safe and secure. Not all employees need to have access to them. The fewer people that are involved, the better. An access log would also help when tracing who might have misused information featured in the database.
- Use. Establishments should refrain from using the collected information for other purposes (e.g. marketing, sales, etc). This system is exclusively for contact tracing.
- Disclosure or Data Sharing. Establishments must not give parties outside of those government agencies involved in contact tracing access to the collected data. In fact, during collection, they should make sure customers are unable to see or access the information provided by customers who came before them.
- Retention and Disposal. The collected data cannot be kept forever. They should be disposed of after a reasonable period of time. In New Zealand, it’s eight weeks, while in the United Kingdom it’s 21 days. Asking the DTI for guidance may be necessary. Once it’s time to dispose of the data, it has to be done in a safe and secure manner.
These basic steps (and more), if mandated by government, will go a long way towards protecting people’s privacy and even physical safety. Sure, we now have a data protection law; experience tells us though that people often need to be shown how a policy directly applies to their situation. That is the case here.
Moving forward, let’s hope our leaders will be more circumspect when coming up with policies so that they don’t create problems worse than the ones they are trying to cure.
The author is a lawyer, artist, photographer, and privacy advocate