I don’t usually expose the failures of the Philippine government, as I do not want to dabble in politics. However, there is another incident involving Filipinos’ personal information that needs to be highlighted. The public should know — as I am sure that this is being buried by some external powers in order to preserve their names.
Over the weekend, I found out about the Department of Foreign Affairs (DFA) passport data being held hostage by their previous service provider as leverage over a contract dispute. Whilst I am not privy to the details of the contract dispute, the issue is why the DFA allowed this to happen. There is clearly a failure in IT project management — DFA should at least have a back-up of the data. Whilst holding the passport data hostage may be leverage, albeit unethical, I am hoping that the service provider will not share it with any other entity. Clearly, the DFA failed in protecting the citizens’ personal information.
There are two other government agencies that failed big time when this DFA scandal was brought to light. First, the National Privacy Commission (NPC). When they required all agencies to comply with their privacy impact assessments, why weren’t they able to detect this? Surely the DFA identified their data protection officer (DPO) already — and if my basis for the DPO’s activities within the agency is UP System’s DPO — then all IT systems should have been checked, even on paper, and the CIO, if DFA has one, should have disclosed this early on. Unless the DFA did not comply with the NPC, or someone did not disclose.
Second is the Department of Information and Communications Technology (DICT). The DICT should be the one doing IT security audits for these government agencies that keep citizens’ personal information. At the very least, they should have made a courtesy call and asked questions on how the data are being secured. Remember, DFA’s core competency is not IT, so they need all the assistance they can get, especially in light of the COMELEAK. If I remember correctly, the DOST-ICTO, predecessor of the DICT, planned on deploying qualified CIOs to key government agencies — I don’t know what happened to it. Regardless, who is the CIO of DFA?
Statements from the National Privacy Commission and the Department of Information and Communications Technology
These two shortcomings from NPC and DICT were even compounded by the fact that they issued separate statements to assure the public that they are doing their government-mandated tasks to investigate the DFA scandal on… wait for it… you guessed it, Facebook! Yes, the US company that has been neck deep in data privacy related scandals that affected all its users, including millions of Filipinos addicted to it (with the two telcos, Smart and Globe, enabling Facebook by providing free access on their networks, in exchange for something they are not disclosing).
These two government agencies are so tone-deaf that they themselves contribute to having the Filipinos’ personal data collected by Facebook! Remember, you do not have to be logged in, or even have an account, for Facebook to collect your data.
Yes, we know that Filipinos are addicted to Facebook, and that it is a good medium to disseminate your information. However, they should have posted a URL leading to their own official websites! How can we trust NPC and DICT to protect our data, when they enable our data to be collected by a foreign entity? Just so you know, DICT is also in charge of identifying the technology that will be used for the Philippine National ID system — who knows, they might use Facebook to send you your credentials.
I am furious that DFA did not value our personal information — did not value it enough to secure it. I am ashamed of NPC and DICT, too. I have friends in both agencies, but c’mon, I know you guys can do better. And you, dear readers, should be furious, too.