NPC warns against repurposing of collected COVID-19 data

The National Privacy Commission (NPC) has warned against the repurposing of collected personal data in client/visitor contact-tracing forms and employee health-declaration forms for direct marketing, profiling, or any other use or purpose beyond what is required for Covid-19 prevention and control.

In a statement, NPC Commissioner Raymund Liboro said that repurposing personal data is punishable under the Data Privacy Act (DPA).

The Commission issued Advisory No. 2020-03 on October 23 in response to complaints from citizens against business establishments over mishandling and misuse of contact-tracing data, such as a customer’s name, address, age, cellphone number and e-mail.

“Since the Covid-19 pandemic hit, we are seeing an unprecedented manner of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial to the survival of businesses and therefore must be embedded into processes or policies that involve the personal data of employees and customers,” Liboro said.

Advisory No. 2020-03 details guidelines for workplaces and establishments in processing personal data for Covid-19 response, such as the use of privacy notices to exhibit transparency, and the proper handling of paper-based and digital contact-tracing forms.

The advisory, crafted with recommendations and inputs provided by data protection officers (DPOs) from the privacy council for the retail and manufacturing sector, was issued to build public trust in businesses and how they handle sensitive personal data amid the pandemic.

Establishments need to consider privacy and security in each stage of the data life cycle, from collection to use, storage and disposal.

“As personal information controllers, establishments play a big role in the implementation of contact tracing. For this reason, they are expected to guarantee the protection of personal data under their safekeeping,” Liboro said. “Companies and businesses need to exhibit transparency about the data they collect and for what and how it will be used.”

Under the new advisory, employees, clients/customers, and visitors must be informed through a privacy notice of the details of the processing of their personal data. Businesses must also create a privacy notice that is easy to understand, noticeable, and accessible or situated in points of entry and other conspicuous areas in the establishment.

When using QR codes, the privacy notice should be located beside the QR code with the contact number of the DPO of the establishment.

Security personnel or other authorized staff of the establishment must ensure that the data collected in the paper-based and digital client/visitor contact-tracing forms and employee health-declaration forms are accurate and readable, with all required fields filled out.

The advisory prohibits identity checks or other intrusive means when collecting employees’ or customers’ personal data, unless it is part of a documented regular procedure (e.g. presentation of company ID for employees or asking for proof of identity for visitors).

Dos and don’ts in handling forms

Establishments must provide a designated area where employees and clients/visitors can accomplish the forms while observing physical distancing. Physical distancing also provides additional privacy by eliminating the risk of shoulder surfing or data exposure.

Where QR codes are used, establishments should assign a unique QR code to each employee. For clients/visitors, QR codes should be posted at the entrance of the establishment.

Protect paper-based systems, such as logbooks, folders, individual forms, and notepads, from data breaches by eliminating open access, where personal information is visible and accessible to others. Accomplished forms must be physically segregated to prevent unintended disclosure of personal data.

Likewise, digital forms must be equipped with adequate safeguards, such as encryption, for protection from accidental and intentional data breaches.

The advisory further states that establishments allowing their electronic devices (smartphones, tablets, etc.) to be used by employees or customers for data entry must ensure that the devices’ operating systems and security patches are up to date and that the devices are regularly scanned for viruses. The web browser’s autofill feature must be disabled to prevent other users from seeing information previously entered in the digital form.

As added protection, deploy the electronic device with an automatic lock feature, a password, and remote wipe functionality, whenever practical, so that data are securely deleted if the device gets lost or stolen.

Under Joint Memorandum Circular No. 20-04-A Series of 2020 issued by the Department of Trade and Industry and Department of Labor and Employment, personal data collected through the health-declaration form or the visitor contact-tracing form must be disposed of properly after 30 days from date of accomplishment.

Shred paper-based records properly and electronically wipe storage media or digital devices, including backup data, to ensure that stored information is beyond recovery.

Disclosure of the personal data is limited to the Department of Health and its partner agencies, local government units, and authorized entities, officers, or personnel.