Firms told: ensure data privacy compliance in contact-tracing forms

ABS-CBN News

Posted at Oct 12 2020 01:41 PM

Customers provide contact details for contact tracing before being entertained at a shop selling beauty products in Caloocan City on August 19, 2020. Jonathan Cellona, ABS-CBN News/File

MANILA - The National Privacy Commission said Monday it would "take steps" to ensure compliance of the data privacy act after reports of mishandling and misuse of contract-tracing data surged. 

Data is being collected upon entry in most establishments to help authorities conduct contact-tracing if one of the consumers tested positive for COVID-19.

Complaints include the improper use of logbooks and the lack of appropriate data-protection measures in contact-tracing forms that left consumer data including names, addresses and contact details in the open, the NPC said in a statement. 

Some consumers said personal data were used for purposes other than contract tracing in the absence of a privacy notice and baseless retention period, the agency said. 

"We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures," privacy commissioner Raymund Liboro said. 

The NPC said complaints include establishments such as malls, fast-food and drugstore chains, supermarkets, a European fast-fashion retailer and a North American coffee shop franchise.

Liboro added that building trust was crucial especially now that the country was working hard to jumpstart the economy. 

On Oct. 9, the NPC has met with data protection officers from the retail and manufacturing sectors to guide their contact-tracing practices.

The compliance check is an "early warning" mechanism to prevent more complaints that could lead to legal actions, NPC director of the Compliance and Monitoring Division Olivia Khane Raza said.

Raza said firms were encouraged to collect minimum data, provide transparent privacy notice, have a proper disposal mechanism, impose a limited period for storage and train employees on data privacy protocols.

Companies that failed to act after receiving a notice of deficiency may face a cease and desist order or face imprisonment of up to 6 years and fines of up to P5 million, she said. --with a report from Jacque Manabat, ABS-CBN News