How many times have you received unsolicited phone calls from persons who aggressively offer you products or services? Or perhaps a random text message from an unregistered phone number, offering cash loans?
I’m quite sure you have encountered these disruptions from time to time. Aren’t they annoying? You also wonder how they got your contact details, and what other personal information they may have about you.
Although there may not be any controversial information about you, these incidents prompt you to ask, ‘Do these incidents constitute a violation of your privacy?’
I still remember the time I applied for my first job. Other than my résumé, the Human Resource person gave me a personal information sheet to fill out, with data such as my religion, Tax Identification number, and Social Security number. As a newbie, I was just excited about the prospect of being part of the nation’s workforce so that I did not hesitate to complete the form.
Looking back, I never did ask myself if the information I gave was too much, or if the company would use it for purposes other than my employment.
I wasn’t mindful then if I gave too much personal information. Probably, I was too afraid to even ask — it might jeopardize my chances of getting hired.
Nowadays, a number of organizations use online application forms to gather information from prospective applicants. The means of collecting data may have changed, but the kind of information being collected remains the same.
The Data Privacy Act 2012 protects the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation, growth and national development. As an individual, it gives me comfort that the government has recognized its inherent obligation to make sure that personal data in information and communication systems of both government and private sector are secured and protected. However, does this mean that protecting my privacy is solely the obligation of the government and the private sector?
Who is responsible for protecting our data privacy?
In my opinion, it should be a collective effort of the government, the private sector and the data subject himself (i.e. every individual whose personal, sensitive, or privileged information is processed).
With the passage of the Act, I’m hopeful that the government, through the National Privacy Commission (NPC), will be devoted in its mandate and initiatives to administer, implement, and monitor our country’s compliance with international standards on personal data protection.
On the part of the private sector, the law will definitely bring changes to the way organizations’ personal information controller (PIC) or personal information processor (PIP) collect, store, transmit, use, distribute, retain and dispose/destroy personal information.
By now, organizations that employ at least 250 employees, or those that process sensitive personal information of at least 1,000 individuals, should have already registered their data protection officer (DPO) with the NPC to show their commitment in complying with the Act.
PICs and PIPs should be aware of the five pillars of data privacy accountability and compliance mandated by the commission to comply with the requirements of the Act.
(1) Commit to comply: Appoint a data protection officer. Designating a DPO is the first essential step towards compliance. A DPO must be independent in the performance of his or her functions, and should be accorded a significant degree of autonomy by the PIC or PIP.
(2) Know your risks: Conduct a privacy impact assessment (PIA). The organization should conduct a PIA to
evaluate and manage the impact on privacy of a particular program, process, measure, system or technology. It takes into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and security posed by processing personal information.
(3) Write your plan: Create your privacy management program (PMP).The organization should develop a program that will provide a holistic approach to privacy and data protection, ensuring that it develops the appropriate data protection policies.
(4) Demonstrate your compliance: Implement privacy and data protection measures. The organization should translate its PMP into actions by implementing and monitoring the appropriate privacy and security measures and procedures as planned within the program.
(5) Be prepared for breach: Regularly exercise your breach reporting procedures (BRP). PICs and PIPs must implement a security incident management policy, including the creation of a Security Incident Response Team responsible for implementing security incident management policy of the organization and managing security incidents and personal data breaches.
For additional guidance, the organization may refer to the Commission’s Privacy Toolkit available on the NPC’s website.
Lastly, as data subjects ourselves, we play a vital role in protecting our own privacy. We should be proactive in securing our own personal data and unafraid to ask why our personal information must be collected or processed.
To protect ourselves, we need to be aware of our rights under the Act. In this manner, we will be able to know our choices (right to object, the right to dispute inaccuracy or error, the right to suspend, and the right to withdraw or order the blocking or removal) as well as the consequences when we give our consent before our personal information gets processed.
It’s a three-way collaboration between the government, the private sector, and data subjects. While the law mandates the government and the private sector to secure and protect personal data, we, as data subjects, should also do our part in contributing to the effective implementation of the Data Privacy Act of 2012. After all, we stand to benefit from it.
Ray Jan P. Roque is a risk assurance director at Isla Lipana & Co./PwC Philippines. Email your comments and questions to firstname.lastname@example.org. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.