MANILA – The National Privacy Commission (NPC) is looking into several business establishments for possible violations of the Data Privacy Act (DPA) due to improper handling of contact tracing data.
In a statement, the NPC said it has received several reports of business establishments “mishandling” contact tracing data such as the improper use of logbooks that leave filled-out contact tracing forms open to the eyes of the public, using personal data for purposes besides contact-tracing, absence of a privacy notice, and having a baseless retention period for customer data.
“Several business establishments -- from a mall, fast-food and drugstore chains, and supermarkets to a European fast-fashion retailer and a North American coffee shop franchisee -- have been the subject of reports from citizens over mishandling and misuse of contact-tracing data,” the NPC said.
Depending on violations committed, it said that businesses may be penalized under the DPA with up to PHP5 million in fines and imprisonment for a maximum of six years for multiple violations.
NPC Commissioner Raymund Liboro said the compliance checks that the NPC would conduct on business establishments are both “pro-consumer and pro-business” as it would help gain the trust of customers.
“Building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data. Kapag ma-ingat sa datos ng mga tao, aangat ang negosyo (Being careful with customer data improves one’s business),” Liboro said.
NPC Compliance and Monitoring Director Olivia Raza advised businesses to address the public’s concerns by collecting only the minimum necessary data, providing a transparent data privacy notice, having proper data disposal mechanism, imposing a limited period for storage of data, and training employees on data privacy protocols and its enforcement.
She said the NPC’s compliance checks would serve as an early warning to help businesses prevent more complaints that could lead to lawsuits.
If a business receives a notice of deficiency after a compliance check, she said its management must “act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.”
Gela Boquiren, head of the privacy council for the retail and manufacturing sector, said retailers must base their contact-tracing forms on two joint memorandum circulars -- the “Privacy Guidelines on the Processing and Disclosure of Covid-19 Related Data for Disease Surveillance and Response” by the NPC and the Department of Health and the “Supplemental Guidelines on Workplace Prevention and Control of Covid-19” by the Department of Trade and Industry and Department of Labor and Employment. (PNA)
