Privacy Commission probing reports against establishments over mishandling of contact tracing data

Several business establishments – from a mall, fast-food and drugstore chains, and supermarkets to a European fast-fashion retailer and a North American coffee shop franchisee – have been the subject of reports from citizens over mishandling and misuse of contact-tracing data, prompting the National Privacy Commission (NPC) to take steps in checking their compliance with the Data Privacy Act (DPA) and the guidelines issued by the Commission and other government agencies.

The chief concerns were the improper use of logbooks and the lack of appropriate data-protection measures that left in the open filled-out contact-tracing forms that contain customers' data, such as names, addresses and contact details, which other people could see.

Other concerns included using personal data for purposes besides contact tracing, absence of a privacy notice, and baseless retention period.

"We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures," Privacy Commissioner Raymund E. Liboro said.

Building trust

The Privacy Commissioner emphasized that NPC’s move to check on companies to uphold data protection and privacy rights was pro-consumer and pro-business. The move would enable businesses to gain the trust of customers and support government contact-tracing efforts.

"Building trust is especially crucial now as we begin to open the economy gradually.'' Liboro said.

He added that “building trust is possible if we have cleared citizens’ doubts over potential misuse and abuse of their data. Kapag ma-ingat sa datos ng mga tao, aangat ang negosyo.

Helping the retail sector comply

The NPC met on Oct. 9 with data protection officers (DPOs) from the Privacy Council for the retail and manufacturing sector to guide their contact-tracing practices.

NPC Director Olivia Khane S. Raza of the Compliance and Monitoring Division (CMD) advised business establishments to devise a reasonable way to collect data to prevent accidental and unauthorized viewing.

“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations," Raza said.

Best practices, early warning

To address public concerns, she called on companies to adopt best data-privacy practices, such as collecting what is minimum necessary; providing a transparent data privacy notice; having proper disposal mechanism; imposing a limited period for storage; and training employees on data privacy protocols and urging them to observe the protocols strictly.

According to Raza, compliance checks are early warning mechanisms to help businesses prevent more complaints that could lead to legal action.

The CMD chief added that if a company received a notice of deficiency, it should "act and address deficiencies within the prescribed time. Otherwise, this can lead to orders, such as a cease and desist order.’’


Depending on the violations committed, negligent businesses might be penalized under the DPA with imprisonment and fines. With a combination of prohibited acts, a violator could be fined up to P5 million and imprisoned for a maximum of six years.

Gela Boquiren, head of the Privacy Council for the retail and manufacturing sector, said retailers must base their contact-tracing efforts on two joint memorandum circulars.

One is from the NPC and the Department of Health ("Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response”) and the other from the Department of Trade and Industry, and Department of Labor and Employment ("Supplemental Guidelines on Workplace Prevention and Control of COVID-19”).

Only for contact tracing

Boquiren, also the DPO of San Miguel Corp., advised retailers to ensure that the rest of the processing cycle (storage, use, transfer, and destruction) of customers' data was always protected.

“As we start to support our favorite stores physically, we need to accomplish contact-tracing forms with correct information so authorities can contact us, just in case," she said.

She added that establishments ``have to assure customers that personal information collected will be secured and used only for the primary purpose of contact tracing.”

Boquiren also appealed for support from owners of malls, which house many retailers, in ensuring ``that businesses use proper contact-tracing forms and prevent the unauthorized use of customers’ contact details.”