Privacy body warns biz of ‘repurposing’ contact tracing data

FILE: With just 59 days before Christmas, a yuletide decor is displayed at the main entrance of SM East Ortigas in Pasig City on Tuesday (Oct. 27, 2020). (PNA photo by Joey O. Razon)

MANILA – The National Privacy Commission (NPC) has warned businesses and other establishments from using the contact tracing data collected from the public for purposes other than contact tracing.

In a statement on Thursday, the NPC warned that some workplaces and businesses have allegedly been using contact tracing data for their own benefit.

“We’ve been receiving reports that some personal information collected were used for marketing, profiling, and other purposes not related to Covid-19 (coronavirus disease 2019) prevention,” the NPC said.

In response, it released NPC Advisory No. 2020-03 that laid out the guidelines for workplaces and establishments for the processing of personal data as part of its Covid-19 response.

It was released as a supplement to the Joint Memorandum Circular No. 20-04-A series of 2020 of the Department of Trade and Industry and the Department of Labor and Employment, which requires workplaces and businesses to collect employee health declaration forms, client or visitor contact tracing forms, and implement measures to manage Covid-19-positive employees in the workplace.

For their role in the collection and management of personal data, it said these establishments are now personal information controllers (PIC) and as such, are required to comply with the Data Privacy Act of 2012 (DPA), its implementing rules and regulations, and other issuances of the NPC on upholding data.

To ensure the protection of personal data, it said these establishments are required to adhere to the “general data privacy principles” of transparency, legitimate purpose, proportionality, implement “reasonable and appropriate” security measures at each stage of the personal data lifecycle, and uphold data subject rights.

When collecting personal data for purposes of Covid-19 prevention and control, it said establishments shall limit its collection to only those required; inform employees, clients/customers, and visitors of the establishments with a privacy notice; ensure data quality and accuracy through authorized personnel; prohibit repurposing of data for other purposes, whether commercial or non-commercial; and establishments are responsible for reminding its employees and third-party personnel that using private data is punishable under the DPA.

“The rights and redresses under the DPA are available to the employees, clients/customers, visitors, and their close contacts. Establishments and workplaces are bound to uphold data subject rights,” the advisory read.