NPC emphasizes privacy protection in anti-fraud data sharing initiatives of the financial industry

Anti-fraud data sharing initiatives of the financial services industry must eliminate potential risks to the personal data of data subjects. Advisory Opinion No. 2021-026 issued by the National Privacy Commission (NPC) guides personal information controllers in protecting the privacy of shared databases through strict adherence to the basic data privacy principles of transparency, legitimate purpose, and proportionality, and the conduct of privacy impact assessments (PIA).

The advisory opinion was issued in response to the initiatives of the financial services industry on cybersecurity that aim to thwart fraud incidents and uphold customers’ confidence in digital payments systems. The industry’s shift to digital financial and payment services due to the COVID-19 pandemic brought about cyber attacks and fraudulent schemes on financial institutions and their clients.

The NPC Privacy Policy Office said that establishing a shared database calls for fair and lawful processing of personal data. While data sharing for investigating and resolving fraud incidents is allowed under the Data Privacy Act of 2012, the NPC advised the financial services industry to conduct a PIA, which is crucial in “identifying, assessing, evaluating, and managing the risks that originate from a shared database and provide data subjects avenues to exercise their rights.”

The NPC recognizes that a shared database for know-your-customer, enhanced due diligence, and anti-money laundering monitoring purposes may boost the integrity and security of the financial system but may have significant legal effects on the rights and freedoms of data subjects included in the database.

To ensure privacy protection in shared databases, the personal data they contain “must be accurate, relevant, and kept up-to-date. Inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted,” the advisory opinion read. To further uphold the rights of data subjects, mechanisms must be provided for the free exercise of these rights.
