The National Privacy Commission (NPC) has called the attention of a top universal bank in the country for a statement on its information sheet that asks customers to give up their rights to data privacy.
“You cannot waive a fundamental right,” NPC Chair Raymund Liboro said in a recent briefing with Inquirer editors and staff.
This was the principle behind the red flag given last September to Bank of the Philippine Islands (BPI) by the NPC for letting bank clients sign a statement waiving their rights to data privacy.
A boxed statement, which read, “I waive my rights to the Data Privacy Act,” was signed by customers as a form of consent and authorization for the bank to process information provided on the sheet, Liboro said.
Waiving such rights is against Republic Act No. 10173, enacted in 2012, which aims to protect the privacy of personal information in the government and private sectors as well as govern the processing of such data.
The law’s implementing rules and regulations were approved in August 2016.
A dialogue between NPC representatives and the bank was held after a BPI client raised the issue.
With the waiver, Liboro said BPI could have easily passed on the data it gathered to subsidiaries without first asking for the client’s consent.
People whose personal information is collected, stored and processed are called “data subjects” and are granted certain rights under the law.
BPI has promised to remove the waiver and make a new customer sheet, according to Liboro.
A downloadable three-page customer information sheet of BPI for a savings account application asks for personal data, such as full name, address, date of birth, contact and employment details, home ownership, car ownership and monthly income.
Other details like nationality, social security and tax identification numbers, educational attainment, marital status and parents’ names are also asked for, all of which are defined under the law as “sensitive personal information.”
Sensitive personal information is a “higher level of information” than “personal information” because it can lead to “discrimination and profiling,” Liboro said.
Personal information is defined by law as “any information, whether recorded in a material form or not, from which the identity of an individual is apparent … or when put together with other information would directly and certainly identify an individual.”
At the end of the second page of the BPI form, a “client certification and authorization” must be signed by the customer to confirm that the provided data are accurate. No explicit waiving of data privacy rights was asked on the information sheet.
The NPC recently met with bank industry officials to help them comply with the data privacy law and had been in talks with some hospitals and the Commission on Higher Education.
For such organizations that collect personal data, risk management is the name of the game, according to Liboro, since no system is impregnable. “If you have more data, you have more responsibilities,” he said.
The Commission on Elections is in the process of implementing security measures after a cyberattack in March last year that resulted in the leaking online of more than 77 million records of voters.
To comply with the law, the Department of Health, National Economic and Development Authority, Philippine Health Insurance Corp. and other agencies have appointed data protection officers.
“I am not telling them to stop what they do. Just be aware and apply security measures,” as having a business in this digital age is also a question of trust, Liboro said.