The Data Privacy Act of 2012 protects your data, but how do you know? Can you check? Who can you ask?
Yes, you can check. As a data subject, you have the right to ask those who collect your data why they need it, what they do with it, and how they're protecting it. And, unless the collection was required by law, you can say no.
Take the case of contact tracing required by law for Covid-19.
National and local laws require that establishments collect contact details of their visitors so that, in case a visitor later turns out positive for Covid, health authorities can find out who they were in contact with and trace the spread of the virus. People are informed of the reason for collection (contact tracing) through notices posted near the entrance, or printed on the contact tracing forms themselves. The notices cite the specific law and say the personal data will be kept only for a certain number of days.
The Privacy Notice is connected to an exercise of the data subject's right -- the right to information. Found in Section 34 of the Implementing Rules and Regulations (IRR) of the Data Privacy Act, the right to information details the information that a data subject may ask for when his/her personal data is collected and/or processed. These include the reasons for the processing, when processing is done without the data subject's consent; the scope and method of the processing; the recipients, or the kinds of recipients, with whom the data will be shared; the period for which the data will be stored; the identity and contact details of the one doing the processing, or that of a representative; and the data subject's rights, including the right to file a complaint.
Can you ask this of anyone who takes your data? Yes, with certain limitations. The law says data subjects have limited rights when their data is collected and processed for criminal, tax, and administrative investigations. Still, the law says that "any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation."
Take note as well of the exemptions to the Data Privacy Act of 2012 -- among these are personal information processed for journalistic, artistic, literary, or research purposes and information needed to carry out functions of public authority, such as the information required by law from banks and financial institutions. These are not sweeping exemptions: the same law says that those exempted are still required to protect the data.
The second right of the data subject is the right to access -- to find out which of his/her personal data were collected and processed; the sources of these data; the names and addresses of the recipients of his/her personal data; the manner by which the data was processed, and the reason for sharing it with others; when the data was last accessed; and the contact details of the personal information controller (PIC). The other six rights are the right to object to, to correct, and to erase the data that was collected and processed, within limits and for valid reasons; to get an electronic copy of the personal data that was processed; to damages, in case of negligence or breach; and to pass on these rights to his/her heirs.
But let's focus here on data protection.
What questions should you ask the personal information controller -- the one who controls the processing of your personal data -- if you want to ensure that your data is protected?
Here's a quick checklist of what to look for:
1. DPO - The law requires companies processing personal data to appoint a Data Protection Officer (DPO) (IRR, Section 26).
3. PIA - The Privacy Impact Assessment. The law also requires the conduct of a privacy impact assessment before a project is launched, to identify the risks to personal data and to data subjects that the project entails. The PIA traces the personal data from collection to deletion, checking for risks at every stage of the process. Since it often covers internal processes, the complete PIA report will likely not be released publicly. Instead, the Data Privacy Office might release a report on the data privacy risk assessment done and its recommendations.
4. Security breach procedures - Each company should have established procedures on what to do in case of a personal data breach. Depending on the kind of personal data involved and the extent of the breach, the National Privacy Commission (NPC) might require the company to notify it and file a report within 72 hours.
So how do you know your data is protected? As a data subject, you have the right to ask these four questions of those who collect and process your personal data. They may not give you all the details, since some would understandably be confidential, but they will have to explain to you what they do with the data they collect from you. Try asking the next time someone asks for your personal data, and see what answer you get.
Dana Batnag heads the policy and risk management section in the data privacy office of a private company. She may be contacted at firstname.lastname@example.org