YOU ARE YOUR DATA

A Crash Course on Data Privacy in the Philippines

Words by Chris Noel Hidalgo

In 2016, the personal data of over 55-million Filipino voters were stolen from the Commission on Elections (COMELEC) database and were published online by a Philippine hacker collective. The breach involved personally identifiable information of the most sensitive nature, including passport numbers and expiry dates, residential addresses, and birthdates. It remains one of the biggest local cybersecurity stories as of writing, both in terms of the scale of the breach, as well as its role in thrusting the topic of data privacy into the public spotlight.

The breach underscores one very important thing—you are your data. Unfortunately, we cannot just decide to stop sharing our information with others. Today’s digital age necessitates that we share our data for most kinds of transactions, transactions that become more efficient and convenient over time. As such, you have to be familiar with your fundamental right to data privacy.

But what exactly are data privacy rights, where should they apply, and why should you care?

DATA PRIVACY RIGHTS IN A NUTSHELL

Republic Act 10173 or the Data Privacy Act of 2012 was enacted “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” RA 10173 also specifies that the country has an “inherent obligation to ensure that personal information in information and communications systems in government and in the private sector are secured and protected”.

Personal information in this sense refers to any data which can give away your identity, whether directly, such as by explicitly saying your name (Juan de la Cruz), or indirectly, such that your identity can be reasonably inferred from other pieces of information. RA 10173 applies to any instance where your personal information is processed, including when it is collected, recorded, organized, stored, modified, retrieved, used, erased, or destroyed, among others.

The Data Privacy Act also extensively defines your various rights, which include your right to (1) be informed when your data is being processed; (2) object and withdraw consent anytime; (3) access and request copies of your data; (4) correct and modify inaccurate data; (5) erase your data; and (6) file a complaint and receive compensation when your data privacy is violated.

At its core, RA 10173 ensures that while the processing of your personal information will remain unhindered, it mandates data processors to first, put in place measures to protect your data

and your data rights, and second, get your consent and inform you when your data is being collected, why your data is being collected, and how your data will be protected, among others. This applies to both digital and analog means of data collection.

WHERE DOES DATA PRIVACY APPLY AND WHY SHOULD YOU CARE?

These rights apply whenever your data is being processed by an individual or an institution in the Philippines. This means that if you are providing information such as your name, email address, or mobile number, the mandates of the Data Privacy Act should automatically be observed.

Big companies, brands, and government agencies are usually compliant with the Data Privacy Act. In many transactions with them, whether online or pen and paper, privacy consent statements are usually already integrated into the forms. While we usually skip them due to their comprehensiveness, miniscule font size, and legalese jargon, they are nevertheless there and contain all the necessary information you need to understand how exactly they use your data, how they protect it, and who you should contact for concerns regarding your data privacy.

This means that if the entity does something that is not covered by the statement, they have breached your data privacy rights. You receive a marketing newsletter when you didn’t agree to? That’s a breach. One of their employees contacted you for non-official business? Breach. They get hacked and your data is leaked online? Terrible breach.

The same ideally extends to small businesses. However, if this past pandemic has proven anything, it is that the practice of ensuring data privacy has not truly made its way into the mainstream. Some COVID-19 tracing forms are haphazardly done for compliance with pandemic guidelines, but not in compliance with data privacy. Other people can freely see our data in these forms, leading to easy cases of identity theft and spam messages.

To sum it up, we need to treat our data more carefully. The Data Privacy Act is a necessary foundation towards this end, but more needs to be done, both by individuals and institutions. Just as the world runs on oil, so too does it run on data. Know your rights and educate others on what must and must not be done to personal data, lest we risk other, more serious data breaches in the future.