In recent events we have heard about Data Privacy and Cyber Libel being invoked by politicians when a certain news item is not in congruence to their liking. But we have to take note that there is information that is out of scope in RA10173 or the data privacy act of 2012 mainly:
information that are matters of public concern
personal information processed for journalistic, artistic, or literary purposes, subject to applicable laws
personal information processed for research purposes, subject to applicable laws and ethical standards
information necessary for public authorities to carry out their functions
information necessary for banks and financial institutions to comply with the law
personal information collected from residents of a foreign jurisdiction in accordance with the latter’s laws
This information has a special category under the data privacy act so to balance with other principles of the human person like freedom of expression and the right to information specifically on public concerns.
We have to take note that the exemption only relates to “information” but does not extend to the juridical entities that process personal information which we popularly call data controllers and processors in the parlance of data protection. The main gist of the DPA is the implementation, measurement of controls being implemented by entities to protect their digital asset and these entities have to take note that they are custodians of this personal information not the sole owner of PI and SPI.
So when a public official calls out the DPA and calls a zoom meeting as “PUBLIC SECRET” then we know that it cannot stand in court since items 1 and 2 specifically states that information that are matters of public concern and if personal information has been processed on articles on a journalistic manner then DPA cannot be invoked.
Mayor Vico Sotto has done great things for the city of Pasig and his trust rating is at the highest now for all mayors in Metro Manila and recently the City of Pasig has mandated to have a contact tracing application rolled out for the city’s populace may it be visiting or residents of the city and the establishment as well. When you visit an establishment e.g., Grocery, Supermarket or any building in Pasig and if you don’t have a Pasig Pass the guards will deny you on entering the establishment.
For the ordinary citizen it can be a good app since you can now enter an establishment without filling a health declaration and what is needed is only a QR code but what is lacking for Pasig Pass is the health declaration that is supposed to be the essence of contact tracing if you have symptom of COVID19. This alone violates privacy of the individual and it also defeat the purpose of contact tracing.
If we examine the promise of PasigPass we may presume that it was just copied on a template without even thinking of any process with regards to contact tracing. Let us look at the promise of Pasig Pass on its Privacy Notice:
Information Collection
We may collect, store and transfer the following information:
name and address
contact information including email address.
demographic information such as postcode, preferences and interests
other information relevant to individual’s request and/or offers.
But what is the 4th bullet for? Other information relevant to individual’s request and offers? We must remember that the only purpose of this kind of applications are contact tracing. Meaning that if a person visits an establishment and has acquired COVID the LGU can tag the establishment as a RED ZONE and if the establishment has no trace of COVID then it is in GREEN Zone. In RA10173 or the Data Privacy of 2012 it is explicit that any applications, process or project that collects personal data must adhere to three principles which are: TRANSPARENCY, LEGITIMATE PURPOSE and PROPORTIONALITY.
An individual can request for his / her data because the data subject has the right to his or her information in the context of contact tracing. If this kind of applications are being used on other purpose it violates its sole purpose.
They also mentioned:
Purpose of Collected Data
You consent that your collected Personal Information may be used:
To help improve our data and services and customize user experience;
To participate in and facilitate transactions;
To engage in data mining and build up activities;
To deliver the products and services that you have requested;
To perform research and analysis about your use of, or interest in, our products, services, or content, or products, services or content offered by others;
To communicate about relevant services, ads and/or advisories through whichever means are available to the City Government;
To provide better customer experience to the City Government clients and improve, develop, identify and implement services;
To follow safety, security, public service or legal requirements and processes;
To process information for statistical, analytical, and research purposes; and
To identify and prevent errors and inefficiencies due to misuse of the platform;
To enforce our terms and conditions;
The purpose stated above clearly violates the data privacy act!!!!
This only means that PasigPass is not really a contact tracing application but a city-wide application for other services of the LGU. And when a city restricts entry to an establishment to buy his food then it also discriminates people on entry because not everyone has a smart phone or even an internet connection.
For this kind of application. We must educate the head of the LGU on Data Privacy, Cyber Crime and Business Resiliency because if the city is in violation of RA10173 or RA10173 then the Mayor which is the head of the LGU will be liable for these Republic Acts. I believe that the good mayor has good intentions, but ignorance of the law and implementation of a sloppy project will be a cause of a lowering of his trust rating.
Let’s continue on the Data Sharing:
Our Disclosure of your Personal Information to Third Parties
We may share your personal information with third parties only in the ways that are described in this Privacy Statement:
we may provide your information to our sub-processors who perform functions on our behalf;
third party contractors may have access to our databases. These contractors sign a standard confidentiality agreement and data sharing agreement;
we may share your data with any parent company, subsidiaries, joint ventures, other entities under a common control or third party acquirers. We expect these other entities will honor this Privacy Policy;
we may allow a potential acquirer or merger partner to review our databases, although we would restrict their use and disclosure of this data during the diligence phase;
as required by law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other legal process or requirement applicable to our Agency;
we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
we may share your information with third parties with your consent or direction to do so.
The above statements I assume is a copy to other privacy notice in the web. The statements must be explicit on who they are sharing this data. We also must remember that this is a privacy notice meaning this is a promise not a policy. A policy is internal to the organization on fair use, data sharing, security policies etc…
And when an organization says:
we may transfer personal information to third parties for any legally permissible purpose at our sole discretion; and
we may share your information with third parties with your consent or direction to do so.
As citizen we need to be mindful of our personal data and our rights as individual. Because the 8 universal rights of data privacy e.g. access, information, data portability, complain, block, indemnify etc.. are based on 4 domains which are also on the bill of rights in our constitution:
And also, on the privacy notice there is no contact information of the Data Protection Officer so in fact even if you want to exercise your right to be removed on the system you cannot do so because you cannot even email them for such request.
We must remember that all of this rights and principles has a process flow on data mapping which is illustrated below. The flow of data must comply to both data privacy principles (transparency, legitimate purpose and proportionality) and the 8 Rights of a Data Subject.
To end, LGUs or any other organization doing a privacy notice must keep in mind the criteria of good privacy notice / promise:
Must be freely given
Must be specific
purpose specification as a safeguard against function creep,
granularity in consent requests, and
clear separation of information related to obtaining consent for data processing activities from information about other matters.
Must be informed
adequate information about the processing must be communicated to the data subject “in an intelligible and easily accessible form, using clear and plain language” prior to obtaining their consent
Consent must be unambiguous
And if the above criteria are not met any data subject can easily file a complaint to a privacy commission which in this case is the National Privacy Commission.
The Data Privacy Act and the GDPR of EU was born due to monetization of data by companies. Time Magazine has dubbed data as the new OIL so the law is mandating us to protect the rights of our consumers.
But the data breaches is a story of OLD. We can compare the attackers as the BIG BAD WOLF that will blow our house down. And we as the three little pigs. The story goes like this…. one takeslittle time in building the home out of straw and spends the rest of his time playing and relaxing. A second pig builds a home out of sticks, which takes slightly longer, but he too values relaxation time. A third pig chooses to build a home out of bricks, which requires a great deal of time and effort. He values taking the time to build a home properly over relaxation and recreation. When the Big Bad Wolf comes to the homes, only the third pig’s house of bricks stands up to the pressure applied by the wolf.
Moral of the story… hard work and dedication pays off. Companies nowadays are not like companies in the 1980s we need to adapt or else we will die and building our roadmap to protect the personal information of our stakeholders is vital to our survival because as the former deputy commissioner of the National Privacy Commission has said “Privacy is now a proxy of TRUST if I don’t TRUST you I will not do business with you and on the other hand if I TRUST you I will do business with you”. We need to up our skill in privacy and security since these are intangible assets of the enterprise and respect the rights of our stakeholders.
Today will talk about the 4th pillar in DPA which is to be accountable and implement a privacy and data protection measures and exercise that in a regular basis.
In both GDPR and DPA it is mentioned that an entity has to have:
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
A process for regularly testing, accessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
In most organization since the Data Privacy Officer is a lawyer his mind is raising how the heck will I do that and since there are so many ISO that is being thrown into me. The answer is to incorporate your Business Continuity Programs to Data Privacy / GDPR
We need to look at two main metrics which are RPO and RTO. RPO – recovery point objective is our effectiveness to do go back in time to up our backups and RTO is your response to that incident
In order for us to be have a normal operation again. We need to have a maximum targeted period in which data might be lost from an IT service due to a major incident. Simply put how much data can you afford to lose? What data would be very costly and difficult to recreate? What it will tell you is how often you need to backup. Again, do not be tempted to say everything is vital and you need everything back. All data is not equal and put a value so you can prioritise it.
Your Disaster Recovery must be able to recover your data every time and on time. When a disaster like Ransomware hits, you want to be 100% confident that you can recover your data and get on with the job!
Some questions you should ask when doing a Disaster Recovery solution:
Will this Solution deliver my RTO / RPO?
Will this Solution work every time?
If my physical server fails, can I recover this to a virtual environment? Or vice versa?
Do I need to restore to the same hardware?
You MUST be able to test your Disaster Recovery plan. Do not let a disaster be your first test!