Employers and businesses that take pictures of personal identification cards put the privacy of the cards’ owners at risk of security incidents.
The National Privacy Commission (NPC) said this in a statement about business practices and activities that pose security risks to the public’s personal data.
In the post on August 8, NPC addressed “businesses and associations” that are considered personal information controllers and personal information processors under the Data Privacy Act of 2012.
Under the law, a personal information controller (PIC) is “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.”
A personal information processor (PIP), meanwhile, refers to any “natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.”
NPC listed common business policies and practices where people’s personal data are processed without consent and “appropriate safeguards.”
These are:
- Hotel receptionists taking photos of guest IDs using their personal smartphones instead of company-issued phones
- Car sales agents taking photocopies of the ID of a potential customer for verification purposes
- Agents of telecommunication companies requesting a potential customer to send a photo of the customer’s ID via private communication such as Viber, WhatsApp, or Facebook Messenger
- Homeowners and condominium associations taking copies and requiring the deposit of physical IDs with sensitive personal information without appropriate policies and security measures for their PIP security agency to implement
NPC pointed out that these activities, albeit prevalent, “carry a great risk.”
“The Commission emphasizes that these types of activities carry a great risk of causing security incidents, data breaches, unauthorized uses, inadequate disposal, lack of informed consent, and profiling or discrimination, among others,” it said.
“PICs and PIPs shall obtain the consent of the data subjects prior to the collection and processing of their personal data, subject to exemptions provided by the DPA and other applicable laws and regulations. It is the duty of the PICs, as well as their employees, agents, or representatives, to uphold the confidentiality and privacy of the personal data that they process,” it added.
The mandate for data safety
NPC emphasized the responsibility of business entities, organizations, and their employers in the handling of personal data of their clients, customers and guests.
The commission listed the following directives to ensure data safety in their regular operations:
- Obtain explicit consent from individuals to capture and process their ID photos and details
- Provide a “clear, understandable, and transparent” privacy notice before taking photos of IDs
- Craft and implement policies that ensure proper storage of personal data, in conformity with the provisions of the privacy law
- Craft and implement policies to ensure proper disposal and deletion of photos and other sensitive information after their purposes are fulfilled
Violations of provisions of the privacy law are subject to penalties and administrative fines, the commission said.
“We reiterate that processing personal data violative of the Data Privacy Act of 2012 and related issuances of the Commission is subject to penalties and administrative fines,” NPC said.