Privacy commission probes misuse of contact tracing data

 October 13, 2020 – 12:00am

MANILA, Philippines — The National Privacy Commission (NPC) is conducting a probe on reports that some business establishments are mishandling contact tracing data.

In a statement yesterday, the NPC said the probe was prompted by citizens’ reports of the misuse of contact tracing data by establishments such as a mall, fast food and drugstore chains, supermarkets, a European fast-fashion retailer and a North American coffee shop franchisee.

NPC said among the concerns brought to the agency were the improper use of logbooks and lack of appropriate data protection measures, with contact tracing forms containing customer data such as names, addresses and contact details left in the open.

The other concerns raised include the use of personal data for purposes other than contact tracing, the absence of a privacy notice and a baseless retention period.

Malacañang said establishments that are collecting information for contact tracing should heed the regulations implemented by the NPC.

“Let’s listen to what the privacy commission is saying because the privacy commission was formed by the law on the proper treatment of data coming from the people. So, they are just implementing the law and it should be heeded,” presidential spokesman Harry Roque said at a press briefing yesterday.

Privacy commissioner Raymund Liboro said the NPC move to check on compliance with data protection and privacy rights is not just for consumers, but also for the benefit of businesses as it would help them gain their customers’ trust and support for the government’s contact tracing efforts.

“Building trust is especially crucial now as we begin to open the economy gradually,” he said.

To help the retail and manufacturing sectors comply with data protection and privacy rights, the NPC met with data protection officers last Oct. 9.

NPC director Olivia Khane Raza of the compliance and monitoring division said the establishments need to come up with a way to collect data and prevent accidental and unauthorized viewing.

To address public concerns, she said businesses should adopt best practices on data privacy such as collecting only what is necessary; providing a transparent data privacy notice; having a proper disposal mechanism; imposing a limited period for storage; as well as training employees and ensuring strict observance of data privacy protocols.

In case a company receives a notice of deficiency, she said it should “act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.”

Depending on the violations of the Data Privacy Act, businesses can be penalized and face a fine of up to P5 million and imprisonment for a maximum of six years.

Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector and data protection officer of San Miguel Corp., said retailers’ contact tracing efforts should be guided by the joint memorandum circular issued by the NPC and the Department of Health on the processing and disclosure of COVID-19 related data, as well as the supplemental guidelines on workplace prevention and control of COVID-19 from the Departments of Trade and Industry and of Labor and Employment. – Alexis Romero, Rainier Allan Ronda