The National Privacy Commission has warned against the repurposing of collected personal data in client/visitor contact-tracing forms and employee health-declaration forms for direct marketing, profiling or any other use or purpose beyond what is required for COVID-19 prevention and control.
Repurposing personal data is punishable under the Data Privacy Act, the NPC said in an advisory issued on Oct. 23, 2020 in response to complaints from citizens against business establishments over mishandling and misuse of contact-tracing data, such as a customer’s name, address, age, cellphone number and e-mail.
“Since the Covid-19 pandemic hit, we are seeing an unprecedented manner of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial to the survival of businesses and therefore must be embedded into processes or policies that involve the personal data of employees and customers,” NPC Commissioner Raymund Liboro said.
Advisory No. 2020-03 details guidelines for workplaces and establishments in processing personal data for Covid-19 response, such as the use of privacy notices to exhibit transparency, and the proper handling of paper-based and digital contact-tracing forms.
The advisory, crafted with recommendations and inputs provided by data protection officers from the privacy council for the retail and manufacturing sector, was issued to build public trust in businesses and how they handle sensitive personal data amid the pandemic.
Establishments need to consider privacy and security in each stage of the data life cycle, from collection to use, storage and disposal.
“As personal information controllers, establishments play a big role in the implementation of contact tracing. For this reason, they are expected to guarantee the protection of personal data under their safekeeping. Companies and businesses need to exhibit transparency about the data they collect and for what and how it will be used,” Liboro said.