NPC PHE Bulletin No. 15: Guidelines for Establishments on the Proper Handling of Customer and Visitor Information for Contact Tracing

Pursuant to DTI Memorandum Circular 20-28, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons) and DTI Memorandum Circular 20-37, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood Establishments), establishments are required to implement contact tracing measures as one of the mandatory minimum requirements for operation. The National Privacy Commission (NPC) issues this Bulletin to guide establishments on the proper handling and protection of personal data collected from their customers and visitors.

Collect only what is necessary

Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such information as required under existing government issuances. Establishments may adopt sample health checklist forms issued by government agencies but should not collect beyond what is required and necessary.

Be transparent

Establishments should inform their customers and visitors of the collection of their personal data and the reasons for such collection. This can be done by posting a privacy notice that is readily visible within the establishment’s premises, such as at points of entry and other conspicuous areas. If the establishment opts to use electronic means, the notice must be posted on the platform prior to collection.

For further information on the processing activity, establishments may direct their customers and visitors to their official websites or social media pages, as well as official websites of pertinent government agencies to provide them with information on the possible uses of their personal data for contact-tracing purposes.

Establishments must ensure that the privacy notice is easy to access, understandable, and uses clear and plain language.

Use information only for the declared purpose

All establishments should use the personal data collected through health checklists or other similar forms only for the purpose of contact-tracing measures. Repurposing the data for uses other than contact tracing and storing data for speculative use are not allowed.

Establishments are responsible for reminding their employees and third-party service providers, such as security personnel, that using the collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012 (DPA).

Implement security measures

All establishments that collect personal information, whether through physical or electronic means, have the obligation to implement reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of their customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.

Keep the data only for a limited period

All personal data collected for the purpose of contact tracing shall be retained only for a period allowed by existing government issuances. After that period, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure.

For further information, we may be reached at [email protected].

# # #