- A bus conductor privately messages one of the passengers, complainant cries foul on FB post
- Viral post about breach of privacy sparks online debate amongst netizens
- Data Privacy Act 2012 protects all forms of information and may penalize offenders of said law
In this Age of Sharing, where we give out our information to any entity – sometimes as a procedural requirement – we sometimes fail to see the risk it involves compared to the services we get in return, e.g. processing of passports, registering to a needed mobile application, online banking, online shopping, accessing discounts under government policies, and ride-sharing amenities.
We cannot help but disclose our personal details obediently, despite knowing our information may not always be kept safe (read: passport data breach at the start of this year). Recently, a netizen shared on her Facebook account an incident in which a conductor of JAC LINER, INC. had overstepped his boundaries and privately messaged her, the passenger.
Lynette Alcantara posted a screenshot of the conversation initiated by the conductor, his personal details included, all the while wondering how he managed to find her social media account. Her post garnered 25 thousand reactions from netizens and a staggering 35 thousand comments which sparked an online debate, where some netizens defended the conductor’s actions while others stood behind the woman’s complaints.
Alcantara wrote: “To those who think that this is okay, fuck no. Conductors ask for students’ IDs for the sole purpose of giving discounts in fares, and not to get your name from your ID and search for your account then message you. This is an issue of privacy breach and of course, unprofessionalism. Since most people misunderstood the mere reason why I posted this – be it known then that this is to raise awareness for all those who are commuting, particularly those who are asked for their IDs – because your information can be mistakenly used. Also, it turns out I am not the only passenger he messaged. Last week, he messaged another one. I am firm to take some actions this week.”
https://www.facebook.com/photo.php?fbid=2202141119831988&set=a.647263165319799&type=3&theater
One Facebook user commented, “Delete the post then file a report directly to the company. If you want to raise awareness in social media, share your experience online and make the conductor’s name anonymous but include the bus company’s name. I get that your privacy was invaded, but it looks like this has a bigger effect on the conductor’s privacy and livelihood because of one creepy chat message.”
This is where Republic Act No. 10173, otherwise known as the Data Privacy Act, seeks to mediate. It is a law that protects all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.
In 2012, the Philippines passed the Data Privacy Act 2012, a comprehensive and strict privacy legislation “to protect the fundamental human right of privacy of communication, while ensuring free flow of information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2).
On September 9, 2016, the final implementing rules and regulations came into force, adding specificity to the Privacy Act. The Philippine law takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
The information the public shares with various organizations should be secured and protected, according to the Data Privacy Act and the various regulations issued by the National Privacy Commission. The National Privacy Commission (NPC) has even issued guidelines on the recommended information security requirements, although no fixed standard has been established.
And anyone who has experienced a data privacy violation, like Alcantara, can file a complaint with the NPC. Civil and/or criminal cases may also be filed in such a situation.
The law provides separate penalties for various violations, most of which also include imprisonment. Separate counts exist for unauthorized processing, processing for unauthorized purposes, negligent access, improper disposal, unauthorized access or intentional breach, concealment of breach involving sensitive personal information, unauthorized disclosure, and malicious disclosure.
Any combination or series of acts may cause the entity to be subject to imprisonment ranging from three to six years as well as a fine of approximately $20,000 to $100,000 (PHP 1,057,950.00 to PHP 5,289,750.00). Depending upon the circumstances, additional violations may apply.
Data privacy attorney Cecilia Soria provided Spot.ph in October of last year with straightforward bullet points on the Data Privacy Act, specifically an individual’s rights as a data subject:
- Right to be informed – The data subject has the right to be informed about what personal data is being processed, for what purpose, and the details of the processing (by whom, how, when, where, etc.)
- Right to object – After being informed of the details of the processing of their personal data, the data subject has a right to object. This right is not absolute as the right depends on the basis for processing of personal data. If personal data is being processed to comply with the law, data subjects may—depending on the circumstances—be unable to raise their right to object.
- Right to access – The data subject has the right to access information on what type of their personal data is being processed by certain individuals/organizations. In some cases, this may also include obtaining a copy of their personal data being processed.
- Right to rectification – The data subject has the right to ask that individuals/organizations processing their personal data correct or update their personal data.
- Right to erasure or blocking – The data subject has the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal data being processed by individuals/organizations. The basis for the exercise of this right may be any of the following: the personal data is incomplete, false, unlawfully obtained, or no longer necessary, the data subject has withdrawn their consent to the processing, etc.
- Right to data portability – The data subject has the right to ask for a copy of their data that is processed by electronic means, in a structured and commonly used format. This right allows data subjects to easily transfer from one service provider to another.
- Right to damages – The data subject has the right to be paid or made whole for damages sustained from violations of their data privacy rights.
- Right to complain – The data subject has the right to complain to individuals/organizations processing their personal data and/or to the NPC.
Section 13 of the Data Privacy Act, on the other hand, itemizes the cases where sensitive personal information and privileged information may be processed. These are the following:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.