The National Privacy Commission (NPC) said on Tuesday, July 27, that anti-fraud data sharing initiatives of the financial services industry must eliminate potential risks to the personal data of data subjects.
Advisory Opinion No. 2021-026 issued by the NPC guides personal information controllers in protecting the privacy of shared databases through strict adherence to the basic data privacy principles of transparency, legitimate purpose, and proportionality, and the conduct of privacy impact assessments (PIA).
The advisory opinion was issued in response to the initiatives of the financial services industry on cybersecurity that aim to thwart fraud incidents and uphold customers’ confidence in digital payments systems.
The industry’s shift to digital financial and payment services due to the Covid-19 pandemic brought about cyber-attacks and fraudulent schemes targeting financial institutions and their clients.
The NPC acknowledged that a shared database for KYC (know-your-customer), enhanced due diligence, and anti-money laundering monitoring purposes may boost the integrity and security of the financial system but may have significant legal effects on the rights and freedoms of data subjects included in the database.
To ensure privacy protection in shared databases, the NPC said personal data “must be accurate, relevant, and kept up-to-date. Inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted.” The advisory opinion added: “In further upholding the rights of data subjects, mechanisms must be provided for the free exercise of these rights.”