Data protection officer
Breaches in the confidentiality of personal information gathered in the regular course of commercial or business activities have been in the news lately.
After the reported unavailability of the personal data of holders of Philippine passports collected by a contractor of the Department of Foreign Affairs (which was subsequently denied), came the news that the database of Cebuana Lhuillier, a popular pawnshop and money remittance company, has been breached.
Whoever did that has a wealth of information on the names, addresses and mobile phone numbers of the people in the D and E sectors of our society who constitute the bulk of Cebuana’s clientele.
In the hands of a company engaged in the retail of consumer goods, that database is worth its weight in gold. It can be used to reach its target market inexpensively through direct short message (or text) advertising.
Last year, Facebook, Cathay Pacific and ABS-CBN online stores suffered the same fate. Sensitive personal information about their subscribers, customers and clients was illegally accessed by still unidentified parties.
With the enactment in 2012 of the Data Privacy Act, which imposes strict rules on the collection and disposition of important personal information, it is reasonable to expect that the people or organizations in possession of such data would be more circumspect in handling them.
Under the law, this responsibility particularly rests on (a) the personal information controller (PIC), or the person or organization that controls the collection, holding, processing or use of personal information; and (b) the personal information processor (PIP), or the person or body to whom the PIC has outsourced or instructed to process such information relating to a data subject.
Personal information refers to any information “from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
To accomplish the objective of confidentiality, PICs and PIPs are required to designate a person, or group of persons, who shall act as data protection officer (DPO).
The DPO (or its equivalent, the compliance officer for privacy) is tasked with ensuring compliance by the PIC or PIP with the law and its implementing rules and regulations relating to privacy and data protection.
In its Advisory No. 2017-01, the National Privacy Commission (NPC) said the DPO should, among others, have expertise in relevant privacy or data protection policies and practices, and have sufficient understanding of the PIC’s or PIP’s processing operations.
To underscore the significance of the DPO’s position, the NPC requires that he or she must be a regular or permanent employee of the PIC or PIP. If the DPO is a contractual employee, the period of employment should at least be two years to ensure stability.
In the case of government offices or the public sector, e.g., local government units, the DPO should hold a career or appointive position.
A DPO may concurrently perform or be assigned other functions in the PIC or PIP as long as they do not give rise to a conflict of interest. Such a conflict arises when those functions may be opposed to, or could affect the integrity of, his or her performance as DPO.
The importance of maintaining the confidentiality of personal information collated by private companies cannot be overstated. It could spell the difference between financial viability and business losses.
If the customers or clients think a company they do business with cannot be trusted to keep confidential sensitive personal data given to it, they will bring their business to those that can ensure their confidentiality.
Losing the business is bad enough. Worse, failure to safeguard personal information may result in stiff administrative, civil and criminal penalties.