NPC warns businesses vs repurposing of data
In an advisory covering the guidelines for work places and establishments processing personal data for COVID-19 response, the NPC said repurposing personal data is punishable under the Data Privacy Act.
NPC warns businesses vs repurposing of data
Louella Desiderio (The Philippine Star) - October 30, 2020 - 12:00am

MANILA, Philippines — The National Privacy Commission (NPC) has warned business establishments against the use of personal data collected through contact tracing forms and employee health declaration forms for direct marketing, profiling or any other purpose not required for the prevention and control of the coronavirus disease 2019 (COVID-19).

In an advisory covering the guidelines for work places and establishments processing personal data for COVID-19 response, the NPC said repurposing personal data is punishable under the Data Privacy Act.

The NPC issued the advisory amid complaints from citizens against business establishments for mishandling and misuse of contact tracing data such as customer’s name, address, age, cellphone number and email.

“Since the COVID-19 pandemic hit, we are seeing an unprecedented manner of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial to the survival of businesses and therefore must be embedded into processes or policies that involve the personal data of employees and customers,” Privacy Commissioner Raymund Liboro said.

Under the advisory, establishments should consider privacy and security in all stages of the data life cycle from the collection to use, storage and disposal.

“As personal information controllers, establishments play a big role in the implementation of contact tracing. For this reason, they are expected to guarantee the protection of personal data under their safekeeping,” Liboro said.

He said companies and businesses also need to exhibit transparency on the data being collected and its purpose.

As part of the guidelines, businesses should inform employees, clients or customers, and visitors through a privacy notice of the details of the processing of their personal data for COVID-19 prevention.

The privacy notice should be easy to understand, noticeable, and visible in the business establishment.

When QR codes are used for collection of data, the privacy notice should be located beside the QR code with the contact number of the data protection officer of the establishment.

If paper-based forms are used, businesses must provide a designated area where employees and clients or visitors can accomplish such to observe physical distancing and eliminate the risk of data exposure.

Security personnel or other authorized staff of the establishment must ensure all required fields in the paper-based and digital client/visitor contact-tracing forms and employee health-declaration forms are filled and data provided there are accurate and readable.

Accomplished forms must also be physically segregated to prevent unintended disclosure of personal data.

If QR codes are used, establishments should assign a unique QR code to each employee, while QR codes for clients should be posted at the entrance of the establishment.

Digital forms must be equipped with adequate safeguards such as encryption to prevent data breach.

In cases when establishments allow the use of their electronic devices by employees or customers in data entry, they must make sure the operating system and security patches are up to date and regularly scanned for viruses.

In addition, businesses should disable the Web browser’s autofill feature to prevent other users from seeing information previously entered in the digital form.

Businesses also need to activate the automatic lock feature, deploy a password, and a remote wipe functionality, whenever practicable, to make sure data are securely deleted when the devices get lost or stolen.

Disclosure of the personal data collected through the health declaration form is limited to the Department of Health and its partner agencies, local government units, and authorized entities, officers or personnel.

  • Latest
  • Trending
Are you sure you want to log out?
Login is one of the most vibrant, opinionated, discerning communities of readers on cyberspace. With your meaningful insights, help shape the stories that can shape the country. Sign up now!

or sign in with