The buck stops with the PIC: Understanding the Data Privacy Act | Inquirer Business

02:10 AM April 25, 2023

The rapid growth of digital technology has led to a significant increase in the generation, storage, and transmission of personal information. As a result, safeguarding personal information from unauthorized access, use, and disclosure has become crucial.

In response to these concerns, the Data Privacy Act of 2012 (Republic Act No. 10173) was enacted to promote the right to privacy and establish a legal framework for the processing of personal information. One of the key aspects of the Act is the designation of the Personal Information Controller (PIC), who is ultimately responsible for ensuring the protection of personal information.

The Data Privacy Act defines a Personal Information Controller as a person or organization who controls the collection, holding, processing or use of personal information, including those who instruct others to collect, hold, process, use, transfer or disclose such information on their behalf.


The PIC is primarily responsible for ensuring that personal information is processed in accordance with the principles of transparency, legitimate purpose, and proportionality. Additionally, the PIC must also implement reasonably appropriate organizational, physical and technical measures to protect personal information from unauthorized access, use and disclosure.


There is also the Personal Information Processor (PIP), a person or entity to whom a PIC may outsource or instruct the processing of personal data. Some examples of PIC and PIP interactions include:

1. Facebook (PIC) provides user data to a third-party app developer (PIP) for the purpose of creating personalized experiences for users
2. Google (PIC) shares user data with a marketing agency (PIP) for targeted advertising campaigns
3. A hospital (PIC) which shares patient data with an Electronic Health Record provider (PIP) for the purpose of securely storing and managing medical records
4. A school (PIC) which subscribes to an online learning platform (PIP) where lessons are uploaded and played for students and where students upload and submit assignments to their teachers
5. A real estate developer (PIC) which engages the services of a contact center provider (PIP) to handle aspects of the marketing of its project
6. A company (PIC) which engages the services of a third-party agency (PIP) to screen and provide background check services for employee applicants
7. A lender of money (PIC) which engages the services of a debt collector (PIP) to follow up and collect an unpaid debt
8. An online retailer (PIC) which sells its goods and has them delivered through a third-party courier service (PIP), where the PIC provides buyer data to the PIP to complete the delivery of the items purchased

Even when a client simply emails their lawyer, they hand over personal information. This very possibly makes the lawyer a PIC, since the lawyer stores that information in their email or cloud drive, and in turn makes the email service provider, whether Google, Microsoft or Apple, the PIP.


The Data Privacy Act distinguishes between two types of personal information: Personal Information and Sensitive Personal Information.


Personal Information refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or which, when put together with other information, would directly and certainly identify an individual. Examples include first, middle and last names; addresses, whether physical or email; cellphone numbers; place of birth; and family background.


Sensitive Personal Information, on the other hand, refers to information relating to:

a. race, ethnic origin, marital status, color, religious, philosophical or political affiliation
b. health, education, genetic or sexual life, proceedings or offences committed
c. social security numbers, health records, licenses, tax returns and other information or documents issued by government agencies peculiar to the individual
d. matters which are classified by an executive order or an act of Congress


The Data Privacy Act mandates obtaining proper consent from data subjects, with set parameters for processing Personal Information and Sensitive Personal Information. Violations may lead to administrative, civil and criminal penalties. Even when a PIC enters into a contract with another entity for information processing, the PIC remains responsible for any violations committed by the PIP or its personnel under the Principle of Accountability.

The Principle of Accountability, outlined in Section 21 of the Data Privacy Act, states that the PIC bears responsibility for any personal information under its control or custody, even when this information has been transferred to a third party for processing. In essence the law and the National Privacy Commission (Privacy Commission) hold the PIC accountable for the actions of the PIP, regardless of any contractual arrangements that may suggest otherwise.

This principle was affirmed by the Privacy Commission in two recent decisions.

The first is In Re: FLI Operating ABC Online Lending Application (FLI), where FLI engaged the services of the CSA collection agency to collect payment on loans issued by FLI. After numerous complaints from debtors of violations of the Data Privacy Act and of abusive collection practices, the Privacy Commission commenced an investigation of FLI.

In its defense, FLI claimed that if the collection agents who reach out to the borrowers’ contacts damage the reputation of data subjects, harass, threaten, or coerce them to settle their loans, these acts are not only unauthorized by the data subjects but were also not authorized by FLI such that CSA should bear the responsibility. FLI further pointed out that the Master Service Agreement between it and CSA provides that CSA shall be responsible for the work performed by it.

The Privacy Commission rejected the defense of FLI, reiterated the principle of accountability and recommended to the Department of Justice the criminal prosecution of the board of directors of FLI for unauthorized processing of information which is a violation of the Data Privacy Act. (NPC Case 19-910)

In a more recent case, MAF vs. Shopee Philippines Inc, a customer who had purchased an item through Shopee's platform accused Shopee of violating the Data Privacy Act. The customer claimed that the delivery rider contracted by Shopee took a photo of their son as proof of delivery without consent. The complainant argued that the rider should have taken a photo of her son's arm and the package, or should have done geotagging, as stipulated in Shopee's guidelines. (NPC Case No. 21-167) (Shopee Case)

The Privacy Commission determined that Shopee’s action of photographing the son as proof of delivery was disproportionate to the stated purpose and that less intrusive methods were available to confirm delivery. Despite outsourcing the delivery and proof of delivery tasks to its PIP, Shopee, as the PIC, remains responsible for the PIP’s actions in line with the principle of accountability.

In the Shopee Case, the NPC ordered Shopee to pay the complainant P15,000.

Accordingly, in the gathering, storing, handling and processing of information covered by the Data Privacy Act, it is not an exaggeration to state that the buck stops with the Personal Information Controller.


(The author, Atty. John Philip C. Siao, is a practicing lawyer and founding Partner of Tiongco Siao Bello & Associates Law Offices, teaches law at the MLQU School of Law, and an Arbitrator of the Construction Industry Arbitration Commission of the Philippines. He may be contacted at [email protected]. The views expressed in this article belong to the author alone.)

TAGS: Data Privacy Act, For Law's sake


© Copyright 1997-2024 INQUIRER.net | All Rights Reserved
