The National Privacy Commission (NPC) on Saturday, Aug. 5, warned against the “prevalent practices” by certain businesses and associations of taking photos of identification (ID) cards of customers or other persons using the electronic devices of their employees or agents without safeguards or privacy notice.
The privacy body cited some examples of these practices:
- Hotel receptionists taking photos of guest IDs using their personal smartphones instead of company-issued phones;
- Car sales agents taking photocopies of the ID of a potential customer for verification purposes;
- Agents of telcos requesting a potential customer to send a photo of the customer’s ID via private communication such as Viber, WhatsApp, or Facebook Messenger; and
- Homeowners and condominium associations taking copies and requiring the deposit of physical IDs with Sensitive Personal Information without appropriate policies and security measures for their PIP security agency to implement.
A personal information processor or PIP is a person or organization who processes personal data on behalf of a personal information controller (PIC). A PIP is separate and distinct from the PIC, which refers to any person or organization who controls the collection, holding, processing, or the use of personal information.
The NPC emphasized that these “types of activities carry a great risk of causing security incidents, data breaches, unauthorized uses, inadequate disposal, lack of informed consent, and profiling or discrimination, among others.”
It added: “PICs/PIPs shall obtain the consent of the data subjects prior to the collection and processing of their personal data, subject to exemptions provided by the DPA and other applicable laws and regulations.”
The NPC emphasized that it is the duty of the businesses and organizations, as well as their employees or representatives, to uphold the confidentiality and privacy of the personal data that they process.
To achieve this goal, the NPC said it is now mandating the following practices:
- Consent: Where consent is the necessary criterion for lawful processing of Sensitive Personal Information under Section 13 of the DPA, the PIC must obtain explicit consent from individuals to capture and process their identification photos and details.
- Privacy Notice: Provide a clear, understandable, and transparent privacy notice before capturing their IDs. The notice should include the purposes of the processing, the security measures implemented, the retention period, and the purpose limitation, among others.
- Secure Storage and Transmission: Implement policies to ensure that photos taken by personal devices are stored in a manner that is in compliance with company policies and the DPA (Section 19 of the Implementing Rules and Regulations of the Data Privacy Act of 2012). Implement safeguards, such as encryption, access controls, and other tools, that ensure that the photos cannot be used by the employees, agents, or personnel for other purposes.
- Proper Disposal: Establish policies and procedures that ensure the disposal and deletion of the photos once the purpose is fulfilled. The PIC should conduct verification and audits to ensure that disposal policies have been complied with.
“We reiterate that processing personal data violative of the Data Privacy Act of 2012 and related issuances of the Commission is subject to penalties and administrative fines,” the agency said.