Philippines – Data privacy and the proposed national ID system

By | September 12, 2017

SEPTEMBER 9, 2017 fell on a weekend and it went by with nary a whimper. But it was a significant date for the National Privacy Commission (NPC). It was the deadline for organizations, private and public, to inform the NPC that they have designated a data protection officer (DPO). As practice would have it, organizations had until the first working day following the weekend or holiday, to still meet the deadline, which happened to be September 11, 2017. The NPC has been campaigning hard to ensure compliance with Republic Act 10173, or the Data Privacy Act, and in the process generated heightened awareness about the need to protect personal data in information systems, manual or automated.

Compliance with the law is not that complicated but it involves having to write a lot about matters involving personal data protection—the appointment of a (DPO), the organization’s data privacy policy, the privacy impact assessment, the plan about the organization’s capacity development, the plan on the physical, organizational, and technical data protection measures, and a plan on how to respond to a data breach. Tons of documentation indeed!

The DPO’s appointment needs to be formalized with the NPC by submitting a duly notarized letter of appointment naming the DPO supported by a secretary’s certificate, in the case of private organizations, showing that the board of directors has indeed resolved to appoint the DPO. Organizations that made it to the deadline have already accomplished the first step to compliance.

The next date to watch for is March 8, 2017, when organizations need to submit the necessary documentation to show that they have complied with all other requirements of the law and NPC issuances.

Another event happened before the deadline for compliance with the requirement to appoint a DPO and inform the NPC. The House of Representatives approved the proposed bill on the national identification system on third and final reading.

The Philippine Statistics Authority (PSA) is the designated administrator of the Filipino identification system, or FilSys. The proposed law mandates that all Filipino citizens at least 18 years of age secure a national ID. A unique common reference number, or CRN, will be assigned by the PSA to each Filipino citizen who applies for a national ID.

The proposed law appears to provide for the collection of at least 25 pieces of data about an individual, which includes: 1) the full name 2) date of birth, 3) place of birth, 4) sex, 5) permanent address, 6) blood type, 7) fingerprints, 8) iris scan,(9) facial image, 10) height, 11) weight, 12) mobile number, 13) mother’s name, 14) father’s names, 15) tax identification number, 16) voter’s identification number, 17) PhilHealth membership number, 18) Professional Regulation Commission ID number, 19) Government Service Insurance System ID number or 20) Social Security System ID number, 21) PAG-IBIG number, 22) Philippine passport number, 23) marriage certificate reference number, 24) parent’s CRN, and 25) parent’s marriage certificate number.

Also to be recorded in the FilSys database are sensitive information, including a person’s health information, a person’s filiation, or if a child is legitimate or illegitimate.

The expressed purpose of the national ID is to serve as a single identification document which can be used by an individual transacting with any government agency or private organization. When presented, no other identification documents will be required. However, the data to be collected and stored in the FilSys appears not to be simple identification data about a Filipino individual but is beyond simple identification. The data to be collected goes against the proportionality principle of personal data protection. Proportionality requires that data be adequate and relevant for the purpose for which personally identifiable information and/or sensitive personal information is collected.

How necessary are all the 25 pieces of data? In applying for a passport, for instance, a passport applicant would only be required to present his national ID. When issued, is it necessary that the passport number be collected and stored in the FilSys? Is it necessary as a piece of identifying data for purposes of the national ID?

Are the individual’s marriage certificate reference number, parent’s CRN, parent’s marriage certificate number, and sensitive personal information necessary as identification data?

The proposed law, certified as urgent by the President, does not provide for what documents will be required when a Filipino citizen applies for a national ID. Will two government-issued IDs be sufficient? Or, will the Filipino citizen’s birth certificate be required? For instance, some LGUs require only a printout of voter’s registration record issued by the Commission on Elections when one applies for a Senior Citizen Card. Will this be sufficient for purposes of the national ID?

While the proposed law prohibits the disclosure of data collected and stored in the FilSys to any third party except in certain circumstances, there exists the potential for abuse. When a breach happens, it is easy to abuse or misuse any, a combination, or all of the data collected and stored in the FilSys. It is scary to think that the FilSys will contain all the ID numbers issued by various government agencies. With technology today, it is easy to link all those pieces of data with the systems of other government agencies. Worse, with the use of data analytics applications, the data collected in the FilSys is linked with data available in cyberspace, including those that indicate netizens’ activities in cyberspace. Individual Filipino citizen dossiers in the offing!

Source: The Manila Times