The National Privacy Commission (NPC) said on Monday, October 12, that it is investigating reports from citizens over the mishandling and misuse of contact-tracing data by several business establishments.
Some of the companies being probed include a mall, fast-food joints, drugstore chains, supermarkets, a European fast-fashion retailer, and a North American coffee shop franchisee.
The NPC said the chief concerns were the improper use of logbooks and the lack of appropriate data-protection measures, which left filled-out contact-tracing forms containing customers’ data, such as names, addresses and contact details, out in the open where other people could see them.
Other concerns included the use of personal data for purposes besides contact tracing, the absence of a privacy notice, and a baseless retention period.
“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” NPC chair Raymund Liboro said.
Liboro emphasized that NPC’s move to check on companies would enable them to gain the trust of customers and support government contact-tracing efforts.
“Building trust is especially crucial now as we begin to open the economy gradually,” Liboro said. “Building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data. When you are careful with people’s data, business will rise.”
The NPC met on Oct. 9 with data protection officers (DPOs) from the Privacy Council for the retail and manufacturing sector to guide their contact-tracing practices.
NPC director Olivia Khane S. Raza of the Compliance and Monitoring Division (CMD) advised business establishments to devise a reasonable way to collect data to prevent accidental and unauthorized viewing.
“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations,” Raza said.
To address public concerns, she called on companies to adopt best data-privacy practices such as:
- Collecting the minimum necessary;
- Providing a transparent data privacy notice;
- Having a proper disposal mechanism;
- Imposing a limited period for storage; and
- Training employees on data privacy protocols and urging them to observe the protocols strictly.
According to Raza, compliance checks are early warning mechanisms to help businesses prevent more complaints that could lead to legal action.
She added that if a company received a notice of deficiency, it should “act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.”
Depending on the violations committed, negligent businesses might be penalized under the Data Privacy Act (DPA) with imprisonment and fines. With a combination of prohibited acts, a violator could be fined up to P5 million and imprisoned for a maximum of six years.
Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector, said retailers must base their contact-tracing efforts on two joint memorandum circulars. One is from the NPC and the Department of Health (“Privacy Guidelines on the Processing and Disclosure of Covid-19 Related Data for Disease Surveillance and Response”) and the other is from the Department of Trade and Industry and the Department of Labor and Employment (“Supplemental Guidelines on Workplace Prevention and Control of COVID-19”).
Boquiren, also the DPO of San Miguel Corp., advised retailers to ensure that the rest of the processing cycle (storage, use, transfer, and destruction) of customers’ data was always protected.
“As we start to support our favorite stores physically, we need to accomplish contact-tracing forms with correct information so authorities can contact us, just in case,” she said.
She added that establishments “have to assure customers that personal information collected will be secured and used only for the primary purpose of contact tracing.”
Boquiren also appealed for support from owners of malls, which house many retailers, in ensuring “that businesses use proper contact-tracing forms and prevent the unauthorized use of customers’ contact details.”