BEFORE leaving home, a netizen books a place via Airbnb and completes a booking for a flight out of the country. He then receives confirmation of his bookings and air ticket in his email. He books a ride from home to office on Uber. He keeps his GPS on. On the way to the office something catches his attention and he takes a photo of the scene. Making an ATM (at the moment) post, he shares the photo on his Instagram account, which is automatically shared on his Facebook account. He accesses Facebook and responds or reacts to certain posts. He sees an ad and accesses the site to make a purchase. He gets a notification on his smartphone and proceeds to read the news on his favorite media site. He tweets his reactions via his Twitter account. He makes a call to the office to inform the secretary that he will be there for a meeting. He gets off at a coffee shop and gets coffee. He then proceeds to the office in time for the meeting. While at the meeting, he verifies certain information via Viber with a colleague who is not yet in the office. At midday, he pays his bills via his bank’s online payment system. The rest of the day he makes a few more phone calls and responds to Viber and text messages. Before the day ends, he makes a reservation at a favorite restaurant and books a seat to watch a movie. He then books a ride with Uber to go home. All his transactions were paid using his credit card.
The netizen’s online activities for the day have been collected by several organizations, local and international: Airbnb, the airline, Uber, Instagram, Facebook, the online shop, the news media site, Twitter, Viber, the bank, the restaurant, the theater, the credit card company, and, of course, the telecommunications company. If somebody were watching, he’d know exactly where this netizen has been and what his activities were. Information like this is highly valued by organizations like Google, Facebook, Instagram and Twitter, among others.
Have we lost control over our data? Once posted on the net, it stays on the net. For example, the voters’ personal information records in the Commission on Elections’ database which were illegally copied and posted on internet sites, although they were supposed to have been deleted, are still out there. We will never know when they will resurface, but voters’ personal information can be used to track netizens’ online accounts.
The COMELEC leak incident generated heightened awareness of the need to protect personal information. The National Privacy Commission (NPC), a government agency mandated “to administer and implement the provisions of this [Data Protection] Act, and to monitor and ensure compliance of the country with international standards set for data protection,” came up with “The 5 Commandments of Data Privacy Protection,” which will guide organizations’ compliance with the Data Protection Act.
1. Data Protection Officer (DPO). A DPO must be designated to take charge of ensuring that the organization complies with the law.
2. Privacy Impact Assessment (PIA). The PIA seeks to identify the vulnerabilities and attendant risks in the programs and processes of an organization in the collection, storage, processing, and transmission of personal information. The PIA results will enable the DPO to identify the organizational and technical measures necessary to protect personally identifiable information and implement the same. A PIA must be conducted for each program or process that involves personal data. Such assessment shall be updated regularly or as necessary.
4. Organizational Commitment. The NPC recommends developing a strong commitment to protect the personal information that organizations collect, store, process, and transmit. Organizations are encouraged to conduct capacity-building programs among their employees on the need to protect personal information, and to drive the implementation of organizational and technical measures to protect it.
5. Preparedness. One of the tools that organizations must develop is a Data Breach Response Plan. The plan will guide the organization on how to respond to data breaches, including notification to its stakeholders and to the NPC, law enforcement, and other regulators. The plan also includes all possible actions and responses that the organization can take to remedy the breach. The plan must be tested and exercised regularly, and updated as deemed necessary.