Lenders operating online apps that can be installed in smartphones are prohibited from harvesting personal information, such as phone and social media contact lists, for harassing delinquent borrowers, the National Privacy Commission (NPC) said.
NPC issued Circular No. 20-01 published October 19, in response to numerous complaints that online lenders were illegally using personal data of clients and those of others on their contact lists, causing damage to their reputation and violating their rights as data subjects. The circular takes effect 15 days after its publication in the official Gazette or two newspapers of general circulation.
This means all lending and financing companies in possession of their borrowers’ contact lists in whatever form in violation of the guidelines shall dispose of the information in a secure manner that would prevent further unauthorized processing, access, or disclosure to any other party or the public, the NPC said.
Privacy Commissioner Raymund Liboro said the circular was issued after harassment and shaming of delinquent borrowers before relatives, friends and colleagues persist despite separate orders last year from the NPC and the Securities and Exchange Commission (SEC) to shut down errant online creditors.
“The National Privacy Commission is issuing this circular for the appropriate and respectable treatment of borrower’s personal information,’’ said Liboro.
He said online lending applications should design their business processes with privacy by design and default, and with complete adherence with the principles of the Data Privacy Act (DPA).
“Once again we remind online lending operators and businesses to take their customers’ data privacy seriously and deploy adequate security measures. For the public, we hope this circular will help them keep an eye out for red flags while they are in the process of borrowing money from online lenders,’’ Liboro added.
He further said that “the circular lays out what online lending operators can and cannot do with borrowers’ personal information to avoid instances of abuse.”
Under the circular, unnecessary permissions include accessing phone contact or e-mail list, harvesting social media contacts, copying or otherwise saving these for use in debt collection, or to harass the borrower or his/her contacts.
Access to the phone camera of the borrower is allowed only for the purpose of know-your-customer (KYC) policies. In no way shall the borrower’s photo be used, the circular said, to harass or embarrass him or her in order to collect a delinquent loan.
App permissions are allowed only under suitable, necessary and not excessive purpose of KYC for determining creditworthiness, preventing fraud and collecting debt.
“When such purpose has already been achieved, such online apps shall prompt the data subject to turn off or disallow these permissions,’’ the circular said. Read the circular in full here.
The circular also stipulates the following that personal information controllers, lending and financing companies in this case, must implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data.
Details concerning the loan must be written in a clear language and in the most appropriate format. Borrowers must be informed if the loan processing activity involves the use of profiling, automated processing, automated decision-making, or credit rating or scoring.
A separate lawful criterion must be in place pursuant to Sections 12 and/or 13 of the Data Privacy Act, should information be used for marketing, cross-selling, or sharing with third parties for purposes of offering other products or services not related to loans.
Reasonable policies on retention of data must be adopted and implemented for those with denied loan applications and borrowers who have fully settled their loans.
The circular said lending or financing companies and persons acting like these entities were at all times accountable for personal data under their control or custody.
“They shall not use any personal data to engage in unfair collection practices as defined under SEC Memorandum Circular No. 18 series of 2019,’’ read part of the circular’s Section 3E.
The section added that any lender found in violation of the circular shall be liable under the applicable provisions of the DPA, which impose fines and imprisonment.
The NPC observed that a month after it ordered the shutdown of 26 online lending companies in October last year, the complaints it received from the public declined 90 percent.