The National Privacy Commission (NPC) has called the attention of a top universal bank in the country for a statement on its information sheet that asks customers to give up their rights to data privacy.
“You cannot waive a fundamental right,” NPC Chair Raymund Liboro said in a recent briefing with Inquirer editors and staff.
This was the principle behind the red flag given last September to Bank of the Philippine Islands (BPI) by the NPC for letting bank clients sign a statement waiving their rights to data privacy.
A boxed statement, which read, “I waive my rights to the Data Privacy Act,” was signed by customers as a form of consent and authorization for the bank to process information provided on the sheet, Liboro said.
Waiving such rights is against Republic Act No. 10173, enacted in 2012, which aims to protect the privacy of personal information in the government and private sectors as well as govern the processing of such data.
The law’s implementing rules and regulations were approved in August 2016.
A dialogue between NPC representatives and the bank was held after a BPI client raised the issue.
With the waiver, Liboro said BPI could have easily passed on the data it gathered to subsidiaries without first asking for the client’s consent.
People whose personal information is collected, stored and processed are called “data subjects” and are granted certain rights under the law.
BPI has promised to remove the waiver and make a new customer sheet, according to Liboro.
A downloadable three-page customer information sheet of BPI for a savings account application asks for personal data, such as full name, address, date of birth, contact and employment details, home ownership, car ownership and monthly income.
Other information like nationality, social security and tax identification numbers, educational attainment, marital status and parents’ names are also asked, all of which are defined under the law as “sensitive personal information.”
Sensitive personal information is a “higher level of information” than “personal information” because it can lead to “discrimination and profiling,” Liboro said.
Personal information is defined by law as “any information, whether recorded in a material form or not, from which the identity of an individual is apparent ... or when put together with other information would directly and certainly identify an individual.”
At the end of the second page of the BPI form, a “client certification and authorization” must be signed by the customer to confirm that the provided data are accurate. No explicit waiving of data privacy rights was asked on the information sheet.
The NPC recently met with bank industry officials to help them comply with the data privacy law and had been in talks with some hospitals and the Commission on Higher Education.
For such organizations that collect personal data, risk management is the name of the game, according to Liboro, since no system is impregnable. “If you have more data, you have more responsibilities,” he said.
The Commission on Elections is in the process of implementing security measures after a cyberattack in March last year that resulted in the leaking online of more than 77 million records of voters.
To comply with the law, the Department of Health, National Economic and Development Authority, Philippine Health Insurance Corp. and other agencies have appointed data protection officers.
“I am not telling them to stop what they do. Just be aware and apply security measures,” as having a business in this digital age is also a question of trust, Liboro said.