The DFA Mess and Data Privacy, Explained
It was a confusing issue for all, but data privacy shouldn't be taken lightly.
(SPOT.ph) Now that the dust has settled, it’s a good time to take stock of what happened with the Department of Foreign Affairs (DFA). According to initial reports, DFA Secretary Teodoro "Teddyboy" Locsin Jr. said that people renewing their older and non-electronic passports needed to present their birth certificates as a requirement after a French contractor, Oberthur Technologies, supposedly ran off with everyone’s data. This caused an uproar that, while it turned out to be premature, was justified. The part about an outside contractor having possession of everyone’s data was especially concerning, and one can never be too cautious when our personal information is out there.
Locsin has since backtracked on his first statement, saying that the data was merely made inaccessible, and signed an order that ends the birth certificate requirement for passport renewals. Michael Dalumpines, chairman of APO Production Unit, Inc., the printer of Philippine electronic passports, belied the DFA secretary’s original claim as well, stating that the data remains intact and accessible.
With the different accounts that have been given about this issue, it would be helpful to take a look at what happened, who was responsible, what we could have done, and how the government should better handle our data.
In an interview with SPOT.ph, Atty. Jamael Jacob, a lawyer specializing in Information and Communications Technology, law, and human rights, and data protection officer of the Ateneo de Manila University, says that proper documentation of transactions, starting with a well-crafted outsourcing or subcontracting contract, could have helped the DFA avoid the problem. Given the sensitivity of the data being handled, the DFA needs to exercise due diligence when safeguarding personal data under its care. “This responsibility becomes all the more important if it will outsource or subcontract the data processing to another entity; in which case, it must avail of all means—contractual means, more than anything else—to ensure that the data will enjoy the same or a better degree of data protection once it is shared or transferred to that other entity,” Jacob says.
The DFA and other government agencies also need to review existing guidelines about data sharing agreements and outsourcing or subcontracting agreements, and the National Privacy Commission can assist in this regard.
What kind of information did the outsourced entity handle?
The DFA secretary initially stated that “all data” was taken by the contractor, without clarifying exactly what data was transmitted to and handled by the contractor. While he later retracted this claim, we’re left to make assumptions as to the nature of this data.
Jacob says, “What we can assume for now would be that the DFA’s third-party contractor—prior and current—handles the data we see in our individual passports (e.g., full name, photo, birthday, passport number, date of issuance of passport, et cetera.). These are considered personal data. More specifically, they consist of both personal information and sensitive personal information. Passport number and birthday are considered sensitive personal information. The rest are personal information. The distinction is significant because, under the Data Privacy Act, the legal bases for their processing differ, for the most part. The law also requires a higher degree of protection for sensitive personal information, and imposes higher penalties for crimes that involve them.”
How can we protect ourselves during such incidents?
Jacob says that it’s difficult to anticipate exactly how our personal data will be misused, thus making it hard to implement any measures to prevent each specific threat. That said, there are some basic security steps we can all take, even without the threat of a data breach. Jacob recommends the following:
- Avoid using any of the information you usually provide to others as passwords or as answers to the security questions asked when your identity is being verified.
- Monitor your accounts and finances closely to detect any irregular or anomalous transactions as early as possible; these could indicate that your compromised data is already being used by criminals or fraudsters to commit all sorts of crimes using your identity.
Jacob says that we all need to be assertive when invoking our rights as data subjects. We have the right to ask for a copy of our data, have errors corrected, and learn more about how our personal data is being used. “We need to hold the companies and government agencies handling our personal data accountable, if it turns out they have been reckless or careless with our information. If filing a complaint against them is necessary, we should pursue such action. For some entities, this is the only way to compel them to take seriously their responsibility to secure our personal data.”
How can the government do better?
Given the data breach issues faced so far by the government, changes and improvements are clearly needed. The government has a history of working with private contractors, which is not wrong in itself, but shows that it’s not able to maintain its own information management systems, according to Jacob. “(The government) must maintain a high bar insofar as choosing which companies to contract with in order to ensure the protection of the data it will be sharing with or collecting through these third-party entities. It also has to do a better job of preparing the contracts involved in such outsourcing or subcontracting arrangements.” And even if the data was handled by other entities, the Philippine government is the one primarily responsible for protecting the data entrusted to it by Filipinos.