The protection of personal information

(First of two parts)

By Cecille S. Visto

First Published in Business World (1/21/2013)

With the passage of Republic Act 10173, or the Data Privacy Act of 2012, companies may have to change the way they handle employee data, suppliers’ information, and even customer details. The law, which was approved on August 15, 2012, is expected to not only create a new breed of human resource executives or organizations specifically tasked to handle and protect employee information, but also to compel the adoption of stringent measures to prevent any form of data breach.

In large organizations with thousands of employees, numerous suppliers and a wide customer base, the careful handling of data may be taken for granted, which may result in unauthorized access, use, misuse, and even disclosure of information. RA 10173 was enacted precisely “to protect the privacy of communication while ensuring free flow of information to promote innovation and growth.” It also seeks to ensure the security and protection of personal information stored in information and communication systems in the government and in the private sector.

Section 3 of the law defines personal information as any information from which the identity of any individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify the individual. The residential address, place of birth, and amount of salary are examples of personal information. Meanwhile, sensitive personal information refers to personal information on an individual’s marital status, age, religious affiliation, health, education, and tax returns. It also includes information issued by government agencies peculiar to an individual such as tax identification and social security numbers, and licenses (or their denial, suspension or revocation). Information that relates to the positions or functions of an incumbent or former government officer or employee, and information on government contractors or service providers on the performance of such services, are excluded. RA 10173 likewise does not apply to information used for journalistic purposes and those necessary to carry out the official functions of monetary authorities and law enforcement and regulatory agencies in pursuit of their legal mandate.

Personal information is gathered and collated on a regular basis. Under the law, this information may be “processed” (i.e., collected, recorded, organized, stored, updated, used, consolidated, among others) provided it is done in a transparent manner and for a legitimate purpose. Suffice it to say that the gathered information must be accurate, adequate, and relevant for the purpose for which it was collected.

Information can be exchanged and processed in a number of ways.

In a typical corporate setting, an employee furnishes data to the employer during application and/or during recruitment. The Human Resources Department (HRD) normally encodes the data in a database, or keeps the hard copies for future reference. The HRD may then access the data upon the request of certain institutions, such as credit card companies and other financial institutions, conducting background investigation; or when the company includes the employee in the group insurance coverage; or to comply with reportorial requirements of government institutions such as the submission of the alpha list to the Bureau of Internal Revenue (BIR) or the updated list of Social Security System members.

A service or utility company also requires its subscribers to provide personal data in the subscription or service agreement. The submission of lease contracts with supporting valid government-issued identification cards is also usually required. Credit card applications are not processed without certificates of employment and copies of the latest withholding tax returns indicating the annual gross and net taxable compensation.

A supplier – whether participating in an open bid or entering into a negotiated contract – may likewise be required to provide information on its business to its prospective customer.

While most companies are careful about divulging information to third parties, there are still some institutions that have not embraced the culture of confidentiality. Thus, the law puts a premium on the role of the personal information controller (PIC), the one who is tasked to implement appropriate measures to protect personal information against any accidental or unlawful destruction, alteration, or disclosure. The PIC shall also determine the appropriate level of security to be adopted, depending on the nature of the personal information protected. More importantly, the PIC is not only responsible for personal information under his or her custody, but also for information that has been transferred to a third party for processing, whether domestically or internationally, including business process outsourcing (BPO) companies. The PIC must comply with the requirements of RA 10173, including notifying the affected personnel and the soon-to-be-formed National Privacy Commission of any unauthorized data breach that may pose harm to data subjects. Notification of any data breach is required to allow for any mitigation strategy and even promote trust and transparency within the company.

In light of RA 10173, companies may need to secure the permission of employees, customers, and suppliers to process data gathered in the course of their relationship. For instance, the employee must be informed whether personal information on him or her will be, is being, or has been processed. Before the entry into the processing system, the personal information and the purpose for which these are processed must be described.

In lieu of securing such permission, any of the following conditions must exist:
• The processing is necessary for, or related to, the fulfillment of a contract;
• It is required for compliance with a legal obligation of the PIC;
• It is necessary to protect the life and health of the data subject;
• It is required due to a national emergency or to fulfill public authority functions; and
• Legitimate interests are served, except when such interests are overridden by fundamental constitutional rights and freedoms.

Unless it falls under any of these six conditions (consent, or one of the five alternatives listed above), processing of personal information may not be permitted, and the burden of proving that any of the conditions exists lies on the PIC.

Latest jurisprudence on the right to privacy
In a July 24, 2012 decision, promulgated before the passage of RA 10173, the Supreme Court reiterated its ruling in the landmark case of Morfe vs. Mutuc that compelling state interest may yield to the right of privacy. However, the SC declined to specifically rule on whether the sharing of information during intelligence gathering is illegal pending the enactment of a data protection law. It nonetheless cautioned investigating entities to observe strict confidentiality in information sharing.

The Supreme Court also discussed the writ of habeas data, which is a remedy designed to protect the image, privacy, honor, information, and freedom of information of an individual. The writ, the Supreme Court said, is available to any person whose right to privacy is violated or threatened by an unlawful act or omission of a public official or employee, or of a private individual or entity engaged in gathering, collecting or storing of data or information on the aggrieved party.

With the Data Privacy Act, aggrieved parties are given the option to seek relief not directly from the courts but from the National Privacy Commission, which can issue a temporary or permanent ban on the processing of personal information and compel any entity to abide by its orders.

Next week, we will discuss the implementation of RA 10173 and how companies can comply with the provisions of the new law.

Cecille S. Visto is a Senior Tax Director of SGV & Co.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.