While the right to privacy and invasion of privacy have been the topics of national conversations involving data leaks from celebrities or politicians, the idea of privacy itself remains abstract among many. In fact, words like “private” or “privatization” have loose Filipino translations, and there seems to be no exact term for “privacy” in our native language. Instead, we have vague impressions of privacy or its absence as we deal with the loss of personal space in cramped jeepneys, with gossiping neighbors or when oversharing in social media.
The Act and its Commission
In fact, when asked whether privacy has attained the status of being a household term, Deputy Commissioner Dino Aguirre of the National Privacy Commission says that appreciation of the concept of privacy is still largely limited to the academe, or those of a particular educational background or exposure. From his experience in interfacing with various stakeholders, Aguirre observes that the level of public awareness still needs a lot of work, which can be attributed mainly to culture. Even jurisprudence (e.g., Vivares v. St. Theresa’s College, GR No. 202666) has constantly confused types of privacy, often switching decisional privacy (i.e., the right to keep behavior on sensitive issues private, such as sexual preference, political activities, and religious practices) with locational or situational privacy (i.e., the right to move in spaces without being identified, tracked, or monitored) and informational privacy.
The work of the National Privacy Commission as the country’s privacy watchdog deals primarily with informational privacy, i.e., the right to secure personal data and information from individuals or organizations that are not authorized to access, handle, or distribute such information. The Commission’s central mandate is to implement and ensure compliance with the Data Privacy Act of 2012 (Republic Act 10173). This important legislation aims to protect individuals by regulating the handling of data, and guarantees that the Philippines meets international standards on data protection.
Since the Data Privacy Act (DPA) was enacted into law with its corresponding implementing rules and regulations (IRR), the common notion of privacy being traditionally tied to location (private or public spaces) has evolved to become one of the fundamental human rights of the individual. Privacy now revolves around the individual’s level of control over his or her personal data or information. However, one of the more common misconceptions of the coverage of the DPA needs to be dispelled: it does not only apply to digital or online data, as it applies to data on paper as well. Compliance does not merely depend on investing on the latest technology on data security. Compliance actually takes into account the installation of proper policies, procedures, and processes in handling data. In relation to the coverage of the law, Aguirre emphasized, “It would help tremendously if we would be able to properly characterize the scope of the DPA to be limited to personal information.” Personal information pertains to any data that could directly or indirectly identify a person.
This year, the Commission saw a significant increase in the complaints that they received compared to last year, with complaints for the first half of 2019 surpassing the 2018 aggregate total. A huge number of complaints were classified as informal and were never followed up. To address this issue, the Commission employed an institutional approach by coming up with resource materials that make compliance easier to private companies, government agencies, and organizations so that they understand what the law requires. Sectoral associations were also tapped to gather issues that are unique to each sector. Before 2018 ended, a campaign focusing on data subjects was launched to emphasize the rights of individuals.
Data privacy in the academe
In an academic setting, there was an initial perception that data privacy and the freedom of information (FOI) would give rise to potential conflicts. “I don’t see them as two opposing concepts. People have to understand the policy behind them, which is open government,” says Aguirre. However, he also recognizes that an inaccurate understanding of the DPA could hamper efforts in implementing the FOI policy of the government, which is enshrined in Executive Order No. 2 of 2016.
The DPA lists personal information classified as sensitive and lays down obvious exceptions, such as information on salaries and positions of government officials, which are vital to public interest. One key feature of the DPA is that it focuses only on personal information, which means that documents that do not bear such information, such as government contracts, are not protected by the DPA. The Commission is constantly working with the Presidential Communications Operations Office, which is tasked with implementing the FOI policy of the administration, to clarify issues arising from the implementation of these two principles.
One of the more typical requests that the University receives involves the validation of educational records of its alumni by third parties for various reasons, ranging from employment to public office. The DPA lists educational records as sensitive personal information, along with race, ethnic origin, marital status, age, religious or political affiliation, as well as health records, genetic or sexual life, and social security numbers.
This means that as a general rule, the University cannot disclose information to persons other than the data subject, unless he or she gives consent, or if the disclosure meets journalistic, artistic, literary, or research exceptions. Under the DPA, there are other criteria for lawful processing of sensitive personal information, which includes fulfilment of a contract, legal obligation, vitally important interests such as life and health, public order and safety, and other legitimate interests that do not go against fundamental rights and freedoms guaranteed by the Philippine Constitution.
Another issue that touches on data privacy is the release of personal information, such as names, degree programs, and respective campuses of successful qualifiers in the UP College Admissions Test (UPCAT). When the Office of Admissions posted the full list of thousands of successful qualifiers, some camps raised concerns about a possible breach of data privacy. Aguirre does not agree that releasing the results en masse is a privacy violation per se, and posits that to a certain extent, a legitimate public interest to inform the successful qualifiers and their families overrides individual apprehension. “UP is a public institution supported by public funds, and a certain level of transparency is expected of the University,” he says.
Prospective students can expect that their submitted UPCAT applications may be further processed, including being published, as they are made aware of the manner by which the University has published the results. However, UP must re-examine this method in light of student organizations using the list of passers to create groups in social media platforms to promote their organization and recruit new members.
For the University and other academic institutions, Aguirre stresses the importance of paying special attention to concerns of particular members of its community, such as minors in the UP Integrated School, the UP Rural High School, the UP High Schools in Cebu and Iloilo, and other similar segments of the University System where students availing of scholarship agreements may become vulnerable to potential data privacy issues. Protocols must also be put in place for sensitive situations; for example, confidential disclosures made by students to their guidance counselors may expose them to possible health and safety risks.
“UP has to understand what sets it apart from all other firms and organizations. The prescriptions in the law apply to all data controllers and processors. UP must come up with this distinction to truly appreciate the uniqueness of the situation of academic institutions,” Aguirre concludes. He believes that these nuances will necessitate various approaches for UP to comply with the DPA.
The Commission’s website (privacy.gov.ph) characterizes a “digital evolution” where the “need for data is inevitable.” It also underlines the import of safeguarding the rights of data subjects while “ensuring the free flow of information, growth, and national development,” a context and environment where UP plays a critical role as the national and premier state university.
Get your FREE copy of the UP Forum magazine now. Please send an email to firstname.lastname@example.org or visit the UP Media and Public Relations Office at Room 6B, Fonacier Hall, Magsaysay Avenue, UP Diliman, Quezon City.
You may access the digital copy here.