The National Privacy Commission (NPC) announced recently it was looking into reports involving the misuse and mishandling of data collected by businesses for contact tracing purposes.
With its probe still pending, the agency gave out some initial advice, as has been its practice. It said companies should limit data collection, provide a data privacy notice, maintain a proper disposal mechanism, and impose a similarly limited data retention period.
On paper these steps seem easy enough to follow. Reality, though, presents a far more elaborate and confusing picture. This is because, unlike other countries, ours sorely lacks a clear and coordinated response to the Covid-19 pandemic.
It’s in stark contrast to countries like New Zealand where specific operating guidelines for businesses were issued during this pandemic. To facilitate contact tracing, those guidelines state that businesses must maintain a Covid-19 register that records for each customer, client, or guest (“customer”), his or her full name, date of visit, time of visit, and contact number or email address. These data are kept for two months and must only be used for contact tracing. A privacy statement is also recommended.
One problem here in the Philippines is that there is no single guidance document on getting a contact tracing system up and running. Worse, those that we have are often incomplete and can sometimes be confusing.
The Department of Health (DOH) and the NPC have their joint issuance, of course, but that has to do more with health information. If it’s contact tracing that concerns you, you have several policies to consider.
For example, if you are a private business establishment, you need to look into the Department of Labor and Employment (DOLE) and the Department of Trade and Industry’s (DTI) Joint Memorandum Circular No. 20-04. If you happen to be a restaurant, fast food place, barbershop, or salon, the DTI has more rules for you.
On the other hand, if you’re into providing land-based public transportation, you have to be aware which of at least seven issuances (so far!) by the Land Transportation Franchising and Regulatory Board (LTFRB) applies to you.
The Maritime Industry Authority (MARINA) also came out with an advisory listing down additional information that must be placed on each vessel’s Passenger Manifest.
It seems that only the Civil Aviation Authority of the Philippines avoided issuing a new or additional policy, and that’s probably because it has long been requiring General Declaration and Health Forms from passengers, anyway.
With all these different policies in effect, one can begin to appreciate why businesses can get it wrong.
To help simplify matters a bit, I’ve come up with this list of tips that aligns itself with that of the NPC and other data protection authorities but offers concrete details. If you’re a business establishment or into public transportation, you may want to take note:
- Develop and use a short Privacy Notice. Let everyone know you will be collecting their personal data and why. Make sure your customers are aware of your data collection and the reason behind it. Place a short Privacy Notice in a visible area of your establishment or vehicle. It may also be found in your contact tracing form or in your contact tracing app—if you’re using one. What’s important is that the customer gets to read it. Those regulated by the LTFRB can use the same space to include the information you are required to display: (a) plate number or body number of the vehicle; (b) date and time of boarding; and (c) route.
- Collect only what’s needed. This one‘s a bit tricky, so bear with me. Remember that data collection here has a very specific purpose. Thus, all you need to gather is what’s necessary to accomplish that purpose.
If you are a business establishment, however, the DOLE and DTI also wants you to collect his or her: (a) complete current address; (b) email address; (c) seating/table number or location; and (d) signature. And then, for restaurants, fast food joints, barbershops, and salons, these are also necessary: (a) sex; (b) age; (c) temperature; (d) service availed of; (e) name of attending staff; and (f) answers to specific questions pertaining to COVID-19 symptoms, if any, contact with probable or confirmed COVID-19 case, and travel history.
I know what you’re thinking. DTI is asking too many questions. It’s as if they’re performing contact tracing already, with all those questions about symptoms and travel history! The NPC should talk to them about that.
Now, for land-based public transport required to distribute Passenger Contact Forms (e.g., PUBs, UV Express, traditional PUJ), other information included in the form are: (a) type of service you provide; (b) your plate number; and (c) the destination of the passenger. The LTFRB does not specify what information are to be recorded in the passenger manifests required for the other types of vehicles. LTFRB also asks drivers, conductors and “all related personnel” to keep a log of their daily travel to and from work.
Finally, for water-based public transport, you must also ask for the passenger’s: (a) complete address of destination; (b) name of nearest relative/s to contact in case of emergency; (c) contact number of that nearest relative/s; (d) body temperature at the time of embarkation; (e) assigned seat/bunk number; (f) places visited for the past fourteen days; and (g) if the passenger has a service vehicle, the parking space number of said vehicle.
- Keep the data safe and secure. When you collect personal data, keep it safe. This often means maintaining their confidentiality and not using them for unrelated purposes. In most organizations, this responsibility is assigned to the information security unit or at least the office charged with the collection. For some reason, though, the DOLE-DTI issuance gives this job to the “HR Officer”.
For sea vessels and most land-based public transportation (e.g., provincial and premium point-to-point buses, UV Express, provincial PUBs, TNVS, taxis), they are mandated to have a passenger manifest where the personal data are recorded. Keeping this document in a secure area should be a priority. It must only be made available to public health authorities like the DOH and its deputized agents.
Those vehicles required to hand out Passenger Contact Forms must put up drop boxes where these forms may be placed by disembarking passengers. They, too, must be handled with confidentiality in mind. The LTFRB “prefers” that operators encode the collected data for easier data sharing. Apart from being an additional chore, this actually gives rise to a new risk: human error when encoding the information. Operators should be extra careful.
MARINA is of a similar mind. It says the collected data must be recorded using a “Web-based document management application” in order to facilitate data sharing. Of course, data processing in this manner has its own issues that businesses must be wary of.
- Retain the data within the specified period and then dispose of them properly. It is a basic principle in data privacy that personal data be kept only while still necessary for its intended purpose. Here, it would be ideal if the government already prescribes the retention period. Unfortunately, only the DOLE and DTI came to this same conclusion, stating that the collected data must be retained for thirty days before being disposing of securely. That seems reasonable. For those in public transportation, I would recommend observing the same protocol.
As a privacy advocate, I feel there are so many other things to be said about how the government has handled this task of helping businesses set up their respective contact tracing systems. There is a lot of room for improvement and it doesn’t take much to see those much-needed changes realized. Hopefully, the government knows this too and acts accordingly. After all, the responsibility to maintain data privacy is a shared one. It’s on all of us.
The author is a lawyer, artist, photographer, and privacy advocate. Additional information and queries may be sent to firstname.lastname@example.org