WHICH would you choose, if you had to? Which is the right choice?
In our data privacy seminars, the speakers would often answer, "Data." For me, it depends -- on how much money I'm getting, and what data they're taking.
If you were to offer me P1 million for my contact details -- my phone number and email address -- I'd give it to you in a heartbeat.
But if you were to ask for my biometrics-my fingerprints or a drop of my blood -- or a video of me -- I wouldn't give it to you no matter the price.
It would cost me less than a million pesos to change my phone number and my email address, but I can't change my fingerprints, my blood type, or my eyes. You can take these, and pretend to be me -- some locks can be programmed to open with a person's fingerprints or their retina scan. A few drops of my blood will tell you more about me than I know about myself. Even if you knew my mobile number I can block you from calling me; but if you have my fingerprints or a copy of my government-issued ID, you can pretend to be me.
This is why the law classifies personal data into two: personal information, and sensitive personal information. Both need to be protected, but the penalties are higher for failure to protect sensitive personal information.
Personal information is any information that can be used to identify a person: "Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual." (IRR, Sec. 3 (l)).
It can be anything that can be used to identify a person -- a phone number, a credit card account number, or in the story of Cinderella, the shoe that she wore to the ball.
Sensitive personal information is information that is, well, more "sensitive" -- information that can be used to harass a person, or discriminate against him/her, or to impersonate a person. These include information about a person's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; information about an individual's health, education, genetic or sexual life; court records, and government-issued IDs.
For establishments that collect personal data, though, the question "Pera o Data" should always be answered with, "Data."
There are different penalties for the misuse and failure to protect personal data, and those unfamiliar with data privacy laws might end up bankrupt with all the fines they might have to pay. Not to mention the jail term that goes with the fine.
A simple membership form for a loyalty card, for example, contains a mix of personal and sensitive personal information. The minimum would usually be a person's full name, contact number, email and residence addresses, civil status, and age. Name, contact number, and address are personal information; civil status and age are sensitive personal information.
What if an overeager marketing consultant sees the membership form and calls up the applicant, offering new products, and the person complains to the National Privacy Commission (NPC)?
The first thing that the NPC will look for is the consent -- was the person asked if he/she was okay with receiving marketing calls/promo information? If not, that can be unauthorized processing, which is punishable with a P500,000 to P2 million fine and a one-year to three-year jail term, if we're talking about personal information. But no, the membership form includes civil status and age. Well then, that's a possible fine of between P500,000 to P4 million, for every member the overeager marketing consultant called up.
What if, shocked at the response and the threat to file a complaint, the marketing consultant threw the membership form into the garbage can, and the form was later found and taken by someone else? Said marketing consultant could be fined P100,000 to P500,000 for improper disposal of personal information.
What if that membership form wasn't thrown away but was misplaced instead, and the information was leaked to someone else?
That would be a personal data breach -- or allowing someone access due to negligence, which could mean a fine of P500,000 to P2 million fine and a jail term of between one year to three years, if the information leaked was only personal information. If that form contained sensitive personal information -- civil status and age, for example -- the penalty would be a fine of P500,000 to P4 million, and a jail term of between three to six years. For one membership form.
But this is the employee we're talking about. What about the company? The law requires those who process personal data to have a Data Protection Officer (DPO) (IRR, Section 26), and to put in place organizational, physical, and technical security measures to protect the personal data the company collected and processed.
Can you imagine what would happen to all those establishments that get personal data for contact tracing for Covid-19 in case of a data breach? Though some of the forms contain only the barest minimum personal data -- name, phone number, and address -- they all contain sensitive personal data, because they have health information -- at the very least, information on the person's body temperature, and on when and where this was taken.
A single data breach -- say, someone taking the box where all those paper forms were dropped into -- could mean millions of pesos in fine for a company.
***
Dana Batnag heads the policy and risk management section in the data privacy office of a private company. She may be contacted at yourdataprotectionofficer@protonmail.com