(SPOT.ph) Every time we give out our information to any entity—the government, ride-sharing services, food delivery apps, shops—we do so with the hope that they have a very good reason for asking for our information and that they won’t use it for any nefarious purposes. Or maybe most of us don’t think much about it at all, because handing out your personal details seems like a very basic step if you want to use any service, get updates, and complete any forms.
And so we disclose our details dutifully. However, the people to whom we entrust our information don’t always hold up their end of the deal in keeping our details safe. In some cases, it’s due to an oversight by the organization itself, such as the data breach at the Commission on Elections in 2016, which exposed sensitive information on 55 million registered voters.
In other cases, there are some individuals in an organization who see nothing wrong with using clients’ information for their personal goals. In January 2018, Japanese actress Maria Ozawa shared that her Uber driver, posing as someone else, had sent her a text message asking her what “things she likes” and that such an incident was not a first for her, saying she has had to change her name when booking rides to ward off any untoward attention. And late last month, a now-deleted tweet by Twitter user natsivyce showed a screencap of a text message sent by a Commission on Elections (COMELEC) employee to a female voter, asking if they could be friends.
Both are creepy situations that show how people overstep their boundaries, and they also reflect a misuse of information disclosed by individuals. It would be nice if the problem could be solved simply by not providing one’s details, but unfortunately, the solution can’t be as cut and dried as that; the former shared her details to use a ride-sharing service, and the latter did so to become a registered voter.
What Can You Do to Protect Yourself?
How can we prevent unwanted communication from anyone who has access to our phone numbers (and even addresses, when you think about it)? Speaking about the COMELEC employee incident in particular, data privacy attorney Cecilia Soria says, “There’s not a lot we can do to prevent people from misusing our personal data once we’ve shared it. Because of this, we need to be extra vigilant in making sure that we share our data only for the right reasons. When organizations ask us for our data, we must always ask them 'why.' On the other hand, organizations need to do a better job not only in putting in place policies that would ensure that people’s privacy is respected but also in informing their employees of these policies and the consequences of privacy violations.”
The information we share with various organizations should be secured and protected according to the Data Privacy Act and the various regulations issued by the National Privacy Commission. The National Privacy Commission (NPC) has issued guidelines on the recommended information security requirements, although no fixed standard has been established. According to Soria, any efforts made by organizations to protect the information they hold depends on the type of personal data being processed, their processing activities, and the resources available to them.
But again, even though entire organizations themselves may have processes and guidelines in place for securing information, there may still be individuals who will access and misuse people’s details, as proven by the Uber and COMELEC incidents. Anyone who has experienced a data privacy violation can file a complaint with the NPC. Soria says that the NPC can impose administrative sanctions against the violator and his/her organization, but other sanctions depend on the HR policies of the organization that employs the data privacy violator in question. Civil or criminal cases may also be filed in such a situation.
Ozawa and the female voter are fairly lucky because they were able to easily identify the people who sent them unwanted messages and thus take action, but the situation may be a little trickier for people who’ve shared their details in other settings (think feedback forms at restaurants and sign-in forms at the front desks of offices).
When to Say No
So, we can’t refuse to disclose our details in some instances (try doing that when filling out your passport application), but we can do so in other situations. Soria says, “For instance, if you want to avail a massage, you are usually asked to sign a card where you are asked to disclose your name, address, contact information, even your birthday. Ask yourself: [Is this] information absolutely necessary in order for the establishment to perform the service? If not, then you can certainly refuse to disclose the information.” She also says establishments should be able to tell their clients how their personal information will be processed, where it will be stored and for how long, and how they will securely delete it when they no longer need the information, or provide these details through a privacy notice.
Soria provides an easy-to-grasp description of the salient points of the Data Privacy Act, namely, our rights as data subjects:
- Right to be informed – The data subject has the right to be informed about what personal data is being processed, for what purpose, and the details of the processing (by whom, how, when, where, etc.)
- Right to object – After being informed of the details of the processing of their personal data, the data subject has a right to object. This right is not absolute as the right depends on the basis for processing of personal data. If personal data is being processed to comply with the law, data subjects may—depending on the circumstances—be unable to raise their right to object.
- Right to access – The data subject has the right to access information on what type of their personal data is being processed by certain individuals/organizations. In some cases, this may also include obtaining a copy of their personal data being processed.
- Right to rectification – The data subject has the right to ask that individuals/organizations processing their personal data correct or update their personal data.
- Right to erasure or blocking – The data subject has the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal data being processed by individuals/organizations. The basis for the exercise of this right may be any of the following: personal data is incomplete, false, unlawfully obtained, no longer necessary, has withdrawn their consent to the processing, etc.
- Right to data portability – The data subject has the right to ask for a copy of their data that is processed by electronic means and in a structured and commonly used format in the same format. This right allows data subjects to easily transfer from one service provider to another.
- Right to damages – The data subject has the right to be paid or made whole for damages sustained from violations of their data privacy rights.
- Right to complain – The data subject has the right to complain to individuals/organizations processing their personal data and/or to the NPC.