We willingly give out our personal information every day, whether it’s to social networking sites when we post about our vacations, to supermarkets when we fill out forms to claim prizes, or to sales agents at the mall when we want to check out a certain real estate for sale or apply for a credit card. More often than not, we give too much information.
Under the Data Privacy Act, we have certain rights as “data subjects,” or individuals whose personal information is processed by “personal information controllers,” or persons or organizations who control the collection, holding, processing, or use of personal information. Personal information controllers include government agencies, hospitals, and companies.
Rodaiza Nonoy, a legal assistant at the National Privacy Commission’s Policy Review Division, enumerated these rights during a recent “Countdown to Data Privacy” conference at the Crowne Plaza in Quezon City.
1. Right to be informed. Personal information controllers must explain to data subjects what their rights are. The latter must first be informed before their data is entered into a processing system.
2. Right to object. If data subjects do not want to have their personal information processed, they have the right to object to the processing of their data.
3. Right to access. Data subjects must have a way to access their personal information. Personal information controllers must tell them what personal information was processed, is being processed, or will be processed. Personal information controllers must also tell the data subjects the scope, method, and purpose of the processing. According to Nonoy, this right is often ignored by personal information controllers and is not properly exercised by data subjects.
4. Right to correct. If data subjects’ personal information needs to be corrected, personal information controllers must find a way to do so. The correction must also be passed on to all recipients of the previously given information.
5. Right to erase. Data subjects have the right to blockage or removal of their personal data from the processing system of personal information controllers.
6. Right to file a complaint with the National Privacy Commission. Data subjects may do this if they feel that their personal information has been unlawfully used.
7. Right to damages. This is related to the right to file a complaint with the National Privacy Commission. Data subjects have the right to be awarded damages. According to Nonoy, this is another right which is often ignored.
8. Right to data portability. This is related to the right to access. If information is in electronic format, personal information controllers must provide data subjects their personal data in electronic format, too.
Based on the complaints received by the National Privacy Commission – 145 so far as of August 31 – the most frequent complaint is the unauthorized processing of data, meaning a person’s data is processed without his or her consent, or without the authority of the law. The second most frequent complaint is lack of security of personal data.
“Usually today, we don’t know how our personal data is processed,” Nonoy said.
She added that companies or personal information controllers have no policies or guidelines on how data subjects can access their personal data.
National Privacy Commission Deputy Commissioner Ivy Patdu reported that there were many data subjects who complained that they were unable to access their personal data from personal information controllers.
While the Data Privacy Act declares the rights of data subjects, she reminded the public that it also imposes obligations on personal information controllers. If these obligations are not fulfilled, there are penalties and sanctions. This makes personal information controllers accountable and requires them to show that there are safeguards in place when they process data.
“If you’re processing personal data, then you’re covered by the Data Privacy Act,” Patdu stressed.
The following are the main obligations under the Data Privacy Act:
1. Personal information controllers must adhere to data privacy principles.
Data privacy principles refer to transparency (data subjects must know about, and not be unfairly surprised by, the processing of their personal data; there must be informed consent from them when their data is collected; they must be given clear information); legitimate purpose (the purpose for data collection should be the only purpose for which that data is used, and the purpose should not be contrary to law, morals, or public policy); and proportionality (personal information controllers should only process personal data in accordance with a purpose, should not overcollect data, and should not store data longer than needed).
2. Personal information controllers must implement security measures.
These include policies and procedures, appointing a data security officer, prevention of theft, preparedness for natural disasters, encryption and firewalls, and other ways to prevent unauthorized access to data.
The goal of these security measures is to maintain the confidentiality (no one who is not authorized to have access to personal data should be able to view it); integrity (there should be no unauthorized changes in the data, and quality must be maintained); and availability of personal data (ensuring that data does not get lost).