The flag carrier of the Philippines assured the public it is addressing a reported privacy issue involving the alleged practice of employees using personal phones to take pictures of passports.
Philippine Airlines (PAL) on Monday responded to a series of tweets by Caria Metis, co-founder and chief executive officer of RPSMatrix, who flew to Toronto from Singapore via Manila.
Metis shared she was about to fly back to Canada when a PAL employee told her that he must take a photo of her passport since it was “company’s requirement for passengers (sic) transfer through Manila to Canada,” she narrated on Sunday.
In another tweet, Metis claimed it was how PAL transfers the luggage for passengers who have connecting flights from one stop to another.
“When I questioned this request, the employee showed me his phone with many previous passengers’ passport photo[s] that were sent to [an] unknown receiver through WhatsApp,” she added, referring to the messaging platform.
“They told me they are doing this practice everyday and they have to do it because company asked them to, even though they know this is not right. Please explain why do you have this ridiculous policy @flyPAL,” Metis further said, tagging PAL’s Twitter account.
Can you explain why did you ask your employees to use their personal phone to take pic of passengers passport and send it to you through WhatsApp ? @flyPAL @CanBorder @BBCNewsAsia @BBCBreaking @CNN @ChannelNewsAsia @sgbroadcast pic.twitter.com/pH0roDrx94
— Caria (@Caria_Metis) October 2, 2022
PAL initially responded to her post on Sunday but said it could not send her a DM or a direct message due to her privacy settings.
The next day, it said it had “also forwarded” Metis’ experience “to the concerned offices” so they could look into it.
The incident has also reached Data Ethics PH, a group promoting the ethical use of data and technology.
“Do @flyPAL passengers sign a data privacy agreement that covers this practice?” it said, quote tweeting Metis’ post.
PAL responded that they “have already reached out to the passenger.”
“We assure you that this is already being looked into. Thank you,” the flag carrier added.
A Twitter user on Tuesday hoped that Metis can share what she “finds out in the process” but according to her, she is “as clueless as you and anyone else.”
“They just kept saying they’ve taken note of our feedback and will take action but I have no idea what they have done or communicated,” Metis answered.
The incident has alarmed some Filipinos, who claimed that taking photos of a passport through a personal device was a “violation of data privacy.”
“This may be a grave violation of the data privacy act when you did not sign a waiver for this to be done,” a Twitter user wrote.
“Singapore Airlines and Cathay Pacific did not take a photo of my passport and when I was in Japan, [PAL] did not [take] a photo of my passport because if they did, I will complain to the airport security,” another Pinoy wrote.
“Clearly, it’s an invasion [of] individuals’ privacy, it’s under DPA law,” he added, referring to the Data Privacy Act of the Philippines.
On data privacy
The Data Privacy Act, also known as Republic Act 10173, was created “to protect all forms of information, be it private, personal, or sensitive.”
The law says that personal data must not be collected, processed and stored by any organization without the owner’s explicit consent.
“As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed,” the National Privacy Commission said on its website.
The law also states that the “personal information controller” must implement “reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure.”
A personal information controller refers to “a person or organization who controls the collection, holding, processing or use of personal information.”
The law said that measures must be implemented to protect data being collected, including having “a security policy with respect to the processing of personal information.”
“The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure,” it said.
“This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations,” the law added.