Mayor Vico Sotto has done great things for the city of Pasig and his trust rating is at the highest now for all mayors in Metro Manila and recently the City of Pasig has mandated to have a contact tracing application rolled out for the city’s populace may it be visiting or residents of the city and the establishment as well. When you visit an establishment e.g., Grocery, Supermarket or any building in Pasig and if you don’t have a Pasig Pass the guards will deny you on entering the establishment.
For the ordinary citizen it can be a good app since you can now enter an establishment without filling a health declaration and what is needed is only a QR code but what is lacking for Pasig Pass is the health declaration that is supposed to be the essence of contact tracing if you have symptom of COVID19. This alone violates privacy of the individual and it also defeat the purpose of contact tracing.
If we examine the promise of PasigPass we may presume that it was just copied on a template without even thinking of any process with regards to contact tracing. Let us look at the promise of Pasig Pass on its Privacy Notice:
Information Collection
We may collect, store and transfer the following information:
- name and address
- contact information including email address.
- demographic information such as postcode, preferences and interests
- other information relevant to individual’s request and/or offers.
But what is the 4th bullet for? Other information relevant to individual’s request and offers? We must remember that the only purpose of this kind of applications are contact tracing. Meaning that if a person visits an establishment and has acquired COVID the LGU can tag the establishment as a RED ZONE and if the establishment has no trace of COVID then it is in GREEN Zone. In RA10173 or the Data Privacy of 2012 it is explicit that any applications, process or project that collects personal data must adhere to three principles which are: TRANSPARENCY, LEGITIMATE PURPOSE and PROPORTIONALITY.
An individual can request for his / her data because the data subject has the right to his or her information in the context of contact tracing. If this kind of applications are being used on other purpose it violates its sole purpose.
They also mentioned:
Purpose of Collected Data
You consent that your collected Personal Information may be used:
- To help improve our data and services and customize user experience;
- To participate in and facilitate transactions;
- To engage in data mining and build up activities;
- To deliver the products and services that you have requested;
- To perform research and analysis about your use of, or interest in, our products, services, or content, or products, services or content offered by others;
- To communicate about relevant services, ads and/or advisories through whichever means are available to the City Government;
- To provide better customer experience to the City Government clients and improve, develop, identify and implement services;
- To follow safety, security, public service or legal requirements and processes;
- To process information for statistical, analytical, and research purposes; and
- To identify and prevent errors and inefficiencies due to misuse of the platform;
- To enforce our terms and conditions;
The purpose stated above clearly violates the data privacy act!!!!
This only means that PasigPass is not really a contact tracing application but a city-wide application for other services of the LGU. And when a city restricts entry to an establishment to buy his food then it also discriminates people on entry because not everyone has a smart phone or even an internet connection.
For this kind of application. We must educate the head of the LGU on Data Privacy, Cyber Crime and Business Resiliency because if the city is in violation of RA10173 or RA10173 then the Mayor which is the head of the LGU will be liable for these Republic Acts. I believe that the good mayor has good intentions, but ignorance of the law and implementation of a sloppy project will be a cause of a lowering of his trust rating.
Let’s continue on the Data Sharing:
Our Disclosure of your Personal Information to Third Parties
We may share your personal information with third parties only in the ways that are described in this Privacy Statement:
- we may provide your information to our sub-processors who perform functions on our behalf;
- third party contractors may have access to our databases. These contractors sign a standard confidentiality agreement and data sharing agreement;
- we may share your data with any parent company, subsidiaries, joint ventures, other entities under a common control or third party acquirers. We expect these other entities will honor this Privacy Policy;
- we may allow a potential acquirer or merger partner to review our databases, although we would restrict their use and disclosure of this data during the diligence phase;
- as required by law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other legal process or requirement applicable to our Agency;
- we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
- we may share your information with third parties with your consent or direction to do so.
The above statements I assume is a copy to other privacy notice in the web. The statements must be explicit on who they are sharing this data. We also must remember that this is a privacy notice meaning this is a promise not a policy. A policy is internal to the organization on fair use, data sharing, security policies etc…
And when an organization says:
- we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
- we may share your information with third parties with your consent or direction to do so.
We as citizens must know the relationship of these entities. Who are they? What is the relationship of these entities to the LGU? Who really is the Personal Information Controller and Processor? Sharing means there is a joint controller who are these? Is there a custodian of the data? And what merger-partner are they talking about? Will these data be used on election and other purpose?
As citizen we need to be mindful of our personal data and our rights as individual. Because the 8 universal rights of data privacy e.g. access, information, data portability, complain, block, indemnify etc.. are based on 4 domains which are also on the bill of rights in our constitution:
And also, on the privacy notice there is no contact information of the Data Protection Officer so in fact even if you want to exercise your right to be removed on the system you cannot do so because you cannot even email them for such request.
We must remember that all of this rights and principles has a process flow on data mapping which is illustrated below. The flow of data must comply to both data privacy principles (transparency, legitimate purpose and proportionality) and the 8 Rights of a Data Subject.
To end, LGUs or any other organization doing a privacy notice must keep in mind the criteria of good privacy notice / promise:
- Must be freely given
- Must be specific
- purpose specification as a safeguard against function creep,
- granularity in consent requests, and
- clear separation of information related to obtaining consent for data processing activities from information about other matters.
- Must be informed
- adequate information about the processing must be communicated to the data subject “in an intelligible and easily accessible form, using clear and plain language” prior to obtaining their consent
- Consent must be unambiguous
And if the above criteria are not met any data subject can easily file a complaint to a privacy commission which in this case is the National Privacy Commission.