Analyzing Data Breaches: Data Retention Policies

Published April 8, 2021, 2:29 PM

by Robert D. Reyes

It has been more than a month ago when the alleged data breach at Cashalo, operated by Oriente Express Techsystem Corporation, surfaced online. It was Valentine’s Day this year when several posts were made in forum websites on the “dark web” selling the personal information of some 3.3 million Cashalo users. Personal information such as usernames, passwords, email addresses, phone numbers, and even device identifications are being sold online at a bargain price. The same data resurfaced in the “dark web” this week.

This was posted April 4, 2021. Karun Arya, vice president for Corporate Affairs of Oriente, parent firm of Cashalo, said that “As before, the database in question was taken offline in Feb itself. All Cashalo user accounts and passwords are secure and cannot be accessed by anyone other than the account holder. We also continue to work closely with NPC and global cybersecurity experts to review and strengthen our cybersecurity posture. We should have a formal update to share in the coming weeks once the full investigations are complete.”

According to the National Privacy Commission (NPC) as of 19 March 2021, they are continuously monitoring and investigating the case in coordination with the parties involved.

Responsible Data Retention is Key

Under Section 19 of Republic Act 10173’s (Data Privacy Act of 2012 or DPA) Implementing Rules and Regulations (IRR), it is stated that “Personal Data shall not be retained longer than necessary.” In most cases, I highly doubt that this is even followed, most especially by numerous lending apps.

For the sake of discussion, let’s take a look at the Privacy Policy of Cashalo, under “Retention of Your Personal Data” where it is stated:

“Your Personal Data will be retained by the Company for the duration of your activities and transactions in connection with the products and services availed of in this Cashalo Facility and/or for such period of time required for legal and regulatory and/or other legitimate business purposes, and will be disposed of in a secure manner that would prevent further processing, unauthorized access or disclosure to any other party or the public or prejudice your interest, provided that the Company may retain copies of your Personal Data in the Company’s archives for the purpose of determining its continuing obligations or pursuant to its bona fide record retention or data back-up policies, access to which shall be restricted on a need-to-know basis, as may be required under applicable laws and regulations.”

Granted that companies, like Cashalo, are retaining archived personal information of their clients on a “need-to-know” basis, what is the assurance that these data will only be “safe kept” for purposes other than stated on their Privacy Policies? As individuals, what steps can we take to ensure the protection of our personal information?

Exercise Your Right to be Forgotten

Despite several information campaigns spearheaded by the NPC, it seems that a majority of Filipinos are still not aware of their Right to be Forgotten. Under the DPA, each individual has the right to suspend, withdraw or order the blocking, removal, or destruction of his/her data. Among the basis for one to exercise this right under the DPA are:

1. Your personal data is incomplete, outdated, false, or unlawfully obtained.
2. Your personal data is being used for purposes you did not authorize.
3. Your personal data is no longer necessary for the purposes for which they were collected.
4. You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
5. Unless justified by freedom of speech, of expression, or of the press, the personal data concerns information prejudicial to the data subject.
6. If the processing of personal data is unlawful.
7. If the personal information controller or the personal information processor violated your rights as a data subject.

Based on my personal experience, exercising your right to be forgotten is as simple as sending the Data Privacy Officer (DPO) an email message requesting the deletion of your data from their database or system.

Be a fully informed and responsible Filipino netizen; know your privacy rights by visiting