11 establishments mishandle contract tracing data, says privacy commission
Eleven establishments were found mishandling and misusing contact tracing data, the National Privacy Commission said on Tuesday.
In a radio interview, NCP chairman Raymund Liboro said they sent compliance letters to 11 establishments after they received reports that they are not protecting data of their customers.
“Our initial report, we called 11 establishments… we also identified some and we will also call them to remind them of their obligation regarding personal data,” Liboro said.
“We received reports and complaints… We sent them compliance letters calling for their data protection officers and from there we will look into their explanation and their system in handling information,” he said.
Liboro reminded establishments that based on the guidelines of the Department of Health (DOH) they only have 30 days to keep the information for contact tracing and it should be securely disposed after that.
“They should only keep it for 30 days and after that they should securely dispose (it), that's why there is no reason for them to keep the data for contact tracing to prevent it from being used for other matters,” he said.
He said some complainants said their information is being used for marketing purposes.
Liboro reminded business owners that logbooks and other materials used for people’s information should not be open to the public so their customers will trust them.
On Monday, NPC said a mall, fast-food and drugstore chains, and supermarkets to a European fast-fashion retailer and a North American coffee shop franchisee have been the subject of reports from citizens over mishandling and misuse of contact-tracing data.
“The concerns were the improper use of logbooks and the lack of appropriate data-protection measures that were left in the open filled-out contact-tracing forms that contain customers’ data, such as names, addresses and contact details, which other people could see,” Liboro said in a statement.
He said other concerns included using personal data for purposes besides contact tracing, absence of a privacy notice, and baseless retention period.
“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” the NPC chairman said.
Because of the incident, NPC will check companies to uphold data protection and privacy rights as pro-consumer and pro-business. The move would enable businesses to gain the trust of customers and support government contact-tracing efforts.
Depending on the violations committed, negligent businesses might be penalized under the Data Privacy Act with imprisonment and fines. With a combination of prohibited acts, a violator could be fined up to P5 million and imprisoned for a maximum of six years.
Liboro said a cease and desist order can also be issued to the establishments proven to be violating. Ella Dionisio/DMS