Privacy agency wary of Comelec proposal

Privacy agency wary of Comelec proposal

RISK ASSESSMENT Voters look for their names at a voting precinct in Maguindanao during a plebiscite in 2019. —Agence France-Presse

MANILA, Philippines — The National Privacy Commission (NPC) has advised the Commission on Elections (Comelec) to conduct a “thorough risk assessment” of its plan to put pictures of voters on the Posted Computerized Voter’s Lists (PCVLs) found outside polling precincts during Election Day.

“[T]he NPC opines that the Comelec’s proposed initiative to place photos next to the names of registered voters in the PCVL outside of polling precincts should be subjected to a thorough risk assessment,” Privacy Commissioner John Henry Naga said in a June 11 letter to Comelec Chair George Garcia, who released a copy to the media on Friday.

“Comelec shall consider, most of all, the principle of proportionality. Should it be found to be indeed suitable and necessary, the Comelec must then place controls that uphold data subjects’ rights, and implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal data,” Naga added.

READ: Comelec’s Garcia vows to strengthen data privacy measures in elections

Garcia, in an April 11 letter to the NPC, sought legal guidance if the proposal to include photos in the PCVL could potentially violate privacy laws. The Comelec chief said the proposed measure is primarily intended to aid voters in quickly identifying their designated voting locations, thereby streamlining the electoral process.

Proportional to purpose

He said that inside the precinct, there is already the Election Day Computerized Voters List (EDCVL), which includes the voter’s specimen signature and photo, and used by an electoral board for verification.

Naga said that while there may be a lawful basis, any processing of personal information should be proportional to the purpose.

“Comelec shall guarantee that the processing of information is adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. To do this, the Comelec, as the personal information controller, shall conduct a judicious evaluation of whether the proposed measure is proportional to their declared purpose,” Naga said.

Less intrusive means

“It must also be evaluated if there are other less intrusive means available to them. Personal data shall only be processed if the purpose could not be reasonably fulfilled by any other means. On top of these, the Comelec shall have necessary and appropriate security controls in place,” he added.

The NPC pointed out that Republic Act No. 10173, or the Data Privacy Act (DPA) of 2012, should not be used to hamper or interfere with the performance of the duties and functions of government agencies, including the processing of personal data, for as long as they comply with the law.

“Under the DPA, all agencies processing personal data, whether for law enforcement, regulatory, investigative, or some other mandate, should strictly adhere to the general data privacy principles of transparency, legitimate purpose, and proportionality, and follow all due process requirements as provided by the applicable laws and regulations,” Naga said.