The National Privacy Commission (NPC) is mandating operating businesses to apply due measures when handling clients’ sensitive data, fearing great risks to them, like getting breaches.

The agency is invoking the attention of associations and enterprises via their personal information controllers (PICs) and personal information processors (PIPs), authorities that enable their personnel and employees to gather an image copy of their guests, customers, or other person’s ID using their privately-owned devices, sans the prudent security measures and/or the essential privacy notice.

Scenarios where sensitive information could be compromised, according to the NPC, include hotel receptionists taking photos of customers’ IDs using their personal devices rather than company-issued devices; telco agents asking clients for the copy of their IDs via common instant messengers platforms, like Viber or WhatsApp; real estate associations requesting for the physical ID; and car sales agents generating photocopies of buyers’ IDs for “verification purposes.”

See also: NPC administrative fines for data privacy infractions

Among other things, the NPC claims that said practices are at great risk for data breaches, unauthorized access, security incidents, insufficient disposal, profiling or discrimination, and lack of informed consent.

As such, the Commission is pushing for the following practices:

  • Consent: The PIC must be explicit in asking for the capturing and processing of the clients’ photos and details, based on Section 13 of the Data Privacy Act (DPA).
  • Guarded Storage and Transmission: Storage of data must be done in adherence to company guidelines and the DPA. With safety in mind, it should prohibit agents, personnel, and employees from using the photos for other purposes other than what’s intended.
  • Privacy Notice: Before capturing the IDs, a “clear, understandable, and transparent” privacy notice must be provided, declaring pertinent measures involved in the process.
  • Proper Disposal: There must be policies and procedures in place that guarantee the proper eradication of the photos once they have served their purpose, authenticated by the PIC.

Leave a comment

Your email address will not be published. Required fields are marked *