Contact Tracing Forms Must Collect Only What is Necessary

The National Privacy Commission (NPC) is discouraging the collection of signatures and other unnecessary personal information for contact-tracing forms and has called on businesses to work toward complying with data privacy standards.

The statement comes in light of inquiries and information communicated to NPC that private establishments as well as some government agencies collect signatures and other personal data that are immaterial in moving contact-tracing efforts forward.

“In every aspect of the data processing cycle, activities must observe the basic principles of transparency, legitimate purpose and proportionality,” said lawyer Stephen John Duma of the NPC Compliance and Monitoring Division.

The NPC reminded data protection officers (DPOs) of their ever-evolving duties in a fast-changing landscape, highlighting the need to update their privacy notice and manual, and re-do a privacy impact assessment against the backdrop of the health crisis.

Duma cited DPOs’ responsibility in providing a clear and accessible privacy notice that gives data subjects sufficient information on data collection, processing, storage and disposal activities to weigh out risks in giving their personal data.

“Detailed information on the relevant personal data flows must be provided. You should have a clear way of employing these activities and show in your privacy notices that they have adequate organizational, physical and technical capacity to protect data from collection to disposal,” Duma said.

The retention period and the legal or technical basis for it, where applicable, must also be disclosed.

Privacy notices must also specify the parties and authorities to whom the data will be disclosed to or shared with and for what purposes.

Duma also stressed the importance of including the DPO’s name and contact information in privacy notices in order to enlighten prospective data subjects of the establishment’s data protection measures.

“The Commission is more than willing to provide businesses and agencies the required guidance in formulating policies and implementing measures that capture the privacy and protection needs of their data subjects,” he said.

# # #