Don’t collect excessive personal info, restaurants told

MANILA, Philippines — The National Privacy Commission (NPC) reminded business establishments such as restaurants, barbershops and beauty salons not to collect excessive personal information in the health contact tracing forms they require their customers to fill out so as to minimize risks of data privacy breach.

The NPC said the Data Privacy Act of 2012 requires business establishments to adopt data privacy and security measures if they take on the role of personnel information controllers (PICs) once they gather personal data for contact-tracing purposes.

In NPC Bulletin 15 released the other day, the NPC said that businesses, particularly restaurants, salons and barbershops, were told to collect only what is necessary.

They were also advised to provide easy to understand information to data subjects and to implement measures to ensure that personal data do not fall into the wrong hands.

The NPC also asked establishments to use the information only for purposes declared. Should there be a need to use the information for other purposes, businesses are expected to contact data subjects to seek their consent.

Privacy commissioner Raymund Enriquez Liboro told The STAR that NPC’s move to issue the reminder came in response to the alarm sounded recently by multi-titled National University Pep Squad member Ghicka Bernabe over a series of unwanted calls and text messages that she received from male harassers whom she suspects got her contact number from mandatory COVID-19 contact tracing forms she had filled up.

The NPC said that establishments are responsible for complying with the data privacy law, so owners and top management must remind their staff as well as third-party service providers, such as security personnel, that using the personal data of customers or visitors for any other purpose is punishable under the law.

The NPC also reminded businesses that all personal data collected for the purpose of contact tracing will be retained only for a period allowed by existing government issuances, in this case Department of Trade Memorandum Circular 20-28, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons” and DTI MC 20-37, s. 2020 or “Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood Establishments.”

Once these rules are no longer in force, all personal data collected should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure.