National Privacy Commission flags alleged mishandling of contact tracing data by establishments

Metro Manila (CNN Philippines, October 12) — The National Privacy Commission (NPC) is looking into reports on the misuse and mishandling of data retrieved by some business establishments from contact tracing efforts.

"The chief concerns were the improper use of logbooks and the lack of appropriate data-protection measures that left in the open filled-out contact-tracing forms that contain customers’ data, such as names, addresses and contact details, which other people could see," the agency said in a statement Monday.

The NPC said personal data was also used for reasons apart from contact tracing. It also flagged the absence of a privacy notice in some contact tracing forms and a "baseless" retention period for collated information.

The commission did not identify specific businesses but the statement said the concerned establishments include a mall, fast-food and drugstore chains, supermarkets, a European fast-fashion retailer, and a North American coffee shop franchisee.

During his regular briefing, Presidential Spokesperson Harry Roque enjoined erring entities to follow the commission's directives on protecting customer data privacy.

"Ang (data) privacy po is a specialized law at ang nakakaintindi po niyan ay (National) Privacy Commission," said the official. "So let's heed the advice of those who have specialized knowledge on the law."

[Translation: Data privacy is a specialized law, and the National Privacy Commission understands it best.]

The NPC has also provided some "best" data-privacy practices companies should adopt for contact tracing efforts, such as only collecting minimum necessary information, providing a transparent data privacy notice, having a proper disposal mechanism, and imposing a limited period for the storage of collected information.

Employees must be trained on data privacy protocols and urged to observe them strictly as well.

All contact tracing efforts must also be based on two joint memorandum circulars: one from the NPC and the Health Department, titled Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response, and another from the Trade Department and Labor Department, called Supplemental Guidelines on Workplace Prevention and Control of COVID-19.

Erring businesses may be penalized under the Data Privacy Act, with combined violations possibly leading to a fine of up to ₱5 million and imprisonment for a maximum of six years, the commission added.