Data Privacy and HR: A proposed framework for compliance (Part 2)

In the previous installment, we outlined the potential entry points where personal information or sensitive personal information (PI and SPI, respectively) as defined by the Data Privacy Act of 2012 may enter the organization. We drew up a hypothetical list of processes that an employee will go through, as well as an inventory of the data elements necessary for the processing of every step in the employee life cycle.

This time, I will share my proposed project management approach towards data privacy compliance, and this proposed project management approach will be applied to the pre-employment stage in the hypothetical employment scenario outlined for this series.

Step 1. Create an Inventory of Processes, Documents, and Policies

The following aspects for each HR process must be mapped out into a matrix:

  1. HR Function
  2. Subprocess
  3. Documentary requirements for each subprocess
  4. Originator
  5. Recipient
  6. Rationale for the submission
  7. Data elements contained in the document
  8. Type of Data

By mapping each HR function’s process in this way, the organization will be able to determine the following:

  1. Whether or not such a documentary requirement is an absolute necessity for the function;
  2. Whether such documentary requirements require additional safeguards such as waivers or undertakings from an employee;
  3. Whether or not the policy that necessitates such submission may be adjusted given the new law; and lastly,
  4. Whether or not the form containing such data elements needs to be revised given the new law.

The organization, of course, may find some processes, documentary requirements, and policies no longer germane or relevant for the purposes that they wish to achieve, so this would be the most opportune time for a process review.
Further, this would ensure that the organization has complied with the general data privacy principles set forth in Section 11 of the Data Privacy Law. It is highly recommended that the organization keep records of such an exercise, in the event that the Data Privacy Commission requires that employers submit proof of compliance thereof.

Step 2. Assess and refine, if necessary, existing controls in the processes

This is where a robust business controls and information security support organization comes in handy. What must be assessed at this point? Section 20 of the Data Privacy Law requires that organizations employ three levels of protection over data in their custody: organizational, physical, and technical. Organizational measures would entail separation of duties between and among participants in handling PI and SPI; physical measures would refer to access restrictions to areas where PI and SPI are stored; technical measures would refer to data security measures such as encryption and secure messaging for communications containing PI and SPI. Each process and each transaction would need to be traced for the specific security measures in place, to ensure that each time PI and SPI change hands in connection with a legitimate transaction, the integrity and security of the data are not compromised.

Further, the Data Privacy Law requires that organizations report data security breaches. This means that security measures in place must not only be preventive in nature, but there must also be a detective component. In other words, the processes and security measures should be built in such a way that it is readily apparent to key stakeholders if and when a data breach occurs.

I applied the proposed framework above and came up with this hypothetical example in assessing the Pre-employment stage, specifically the Pre-employment Kit:

[Image: hypothetical assessment matrix for the Pre-employment Kit]

I purposely left out an assessment over the security measures over each kind of data to leave the reader with the flexibility to do a separate assessment, or to assess it side-by-side with the process side.

My recommendation would be to have a separate assessment over the security measures once all the data privacy process assessments have been completed.

For the next installment we’ll apply the same methodology to other HR processes to illustrate further that there is a real need for organizations to review HR processes and bring them up to speed with the requirements of the Data Privacy Law.

UP CLOSE AND PERSONAL: RA 10173 and Human Communication

Does the disclosure by a person of another’s mobile number, without securing prior consent, make one a criminal? Sharing of mobile numbers used to be such an innocent way of getting to know another and expanding one’s circle of contacts, but given the recent advances in technology and the Data Privacy Act, should one now be extra careful in sharing contact information with another?

This paper aims to identify elements that would constitute a violation of the Data Privacy Act in such an innocuous scenario.

The approach used in this paper is to dissect pertinent sections of the Data Privacy Act, as well as other laws, jurisprudence, and issuances that may be insightful and germane to the question.

To intelligently discourse on the topic, we must first understand the following:

  1. What was the milieu when the Data Privacy Act was enacted into law?
  2. What is the relationship that binds the persons in such a hypothetical scenario?
  3. How does the Data Privacy Act consider information?
  4. What is the purpose for which the mobile number was collected?
  5. What are the prohibited acts whereby criminal and/or civil liability may be incurred for violating the Data Privacy Act?
  6. Does the Data Privacy Act of 2012 apply in the scenario?

The milieu of RA 10173

With various advances in technology, conceptions of privacy are changing rapidly. During the mainframe or pre-internet era, data about a person which public and private entities needed for daily transactions flowed in a very controlled and limited manner, usually within a single jurisdiction. Data warehouses were large and bulky and difficult for members of the general public to access, therefore only physical access restrictions (i.e. locks, keys, actual security guards and sentries) or process restrictions (need for manual authorizations, etc.) were in place. During the early days of the internet, or web 1.0, web-enabled businesses, which IBM dubbed “e-business,” took off, and with new business models, new modes of payment, and new modes of transacting with people halfway across the world, there was instantaneous publication of new data generated from such transactions. Eventually, states and international organizations took cognizance of the potential for this mass of generated data to be used for malicious purposes, hence the beginning of data privacy legislation. Sweden’s Data Act of 1973 was the first comprehensive national data privacy law, and the first national law to implement a set of basic data privacy principles. Two international instruments, the OECD Privacy Guidelines of 1981 and the Council of Europe Data Protection Convention 108 of 1981[1], also provided a framework with which member states can craft their own data privacy legislation.

In the age of Web 2.0, or the age of social media and cloud computing, concerns over data privacy have come to the forefront given the numerous cross-border transactions that happen virtually every other second, as well as the increasing complexity of cross-border crimes wherein technology plays a huge role, such as human trafficking and money laundering. These transactions all generate, handle, or process data in one form or another.

RA 10173, or the Data Privacy Act of 2012, was enacted in compliance with the APEC Information Privacy Framework standards, which in turn were based on Directive 95/46/EC of the European Parliament and Council. [2] The Data Privacy Act was signed into law by Pres. Benigno Aquino III on August 15, 2012, to take effect fifteen days after publication in two newspapers of general circulation. [3] In other words, the Philippines has entered the Age of Digital Data Protection.

The Statute itself

RA 10173, in its declaration of policy, states privacy is a “fundamental human right,” echoing the UN Declaration of Human Rights, which guarantees freedom from arbitrary interference with privacy. [4] This is also consistent with Article 26 of the Civil Code of the Philippines, as well as addressing an existing gap in the E-Commerce Law, which given the milieu when it was passed, merely envisaged web 1.0 technology in its defined scope.

It can be seen that the State’s obligation is to secure personal information in information and communications systems in both the public and private sectors. This is in contrast to certain jurisdictions, like the United States, wherein data privacy legislation is specific to particular industries, such as HIPAA,[5] which provides the framework for data security in the healthcare industry. In this regard, the Philippine law is more pervasive in its intended effect, and has more in common with the European Union’s standards of data privacy, which provide for applicability to both private and government entities handling personal information.

Relationships between Persons holding Data on others

The Data Privacy Act defines the parties who may be subject to its provisions. The concepts “data subject,” “personal information controller,” and “personal information processor” are introduced. The law states [6] that any individual whose personal information is processed, in one way or another, by another, is a data subject. Anent the term “processing,” it can be seen that the law failed to provide a technical definition for the terms used to define processing, hence the terms used to describe acts of processing are to be read in the generic sense. Of interest is the term “USE”: applying the Latin maxim “Generalia verba sunt generaliter intelligenda,” it simply means that anything done to data, be it collection, recording, organization, storage, updating, modification, retrieval, consultation, consolidation, blocking, erasure, or destruction, is covered by the statute. It is interesting to note that there is a provision regarding “anonymized” data, or data that is useful only to a statistician for research or development purposes. Section 19 [7] of the law provides that scientific and statistical research is specifically exempted, provided that strict protocols in confidentiality and security of data are observed.

Let’s explore the term “Personal information controller.” Any person, natural or juridical, who controls collection, holding, processing, or use of personal information, is considered a PIC in the eyes of the statute. Is this a blanket provision applicable to all? The law itself provides for two exclusions, specifically, a person or organization who performs such functions as instructed by another, and, a person who collects, stores, processes, or uses personal information in connection with personal, family, or household affairs.

The statute further establishes a concept called “personal information processor,” which the law defines as an entity to whom a personal information controller outsources the processing of information. However, the law goes no further than that. The law fails to provide what sort of legal relation binds the PIC and the PIP: is it one of agency under the Civil Code, or one of employment under the Labor Code? It is therefore submitted that the contract between the PIC and the PIP will control what sort of legal relation binds both parties.

Definition and Nomenclature of Data in RA 10173

TRUSTe, a leading online data privacy vendor, classifies data by defining only what it calls “PII” or personally-identifiable information. PII is defined as “any information or combination of information that can be used to identify, contact, or locate a discrete Individual.”[8]

The Data Privacy Act divides information into three groups: personal information (PI, for brevity), which refers to data that may reveal the identity of a person, or data that can be used to reasonably ascertain the identity of an individual; sensitive personal information (SPI), which refers to personal information regarding ethnicity, marital status, age, religious and political affiliations, medical history, education, history of offenses, government-issued data such as social security, licenses, or tax number, or information specifically established by executive or legislative acts as confidential; and privileged information, or any and all forms of data that the Rules of Court or any other pertinent law defines as privileged information. [9]

The statute defines SPI by an enumeration; therefore, following the maxim expressio unius est exclusio alterius, such enumeration is exclusive. What then is the substantial distinction for classifying PI and SPI? SPI, if used incorrectly, has a higher probability of causing undue harm to the data subject. To illustrate, a person’s Social Security Number may be maliciously obtained by an unauthorized person to fraudulently avail of SSS benefits. On the other hand, the email address of a person, not being part of the enumeration of SPI, can be used to reasonably ascertain the identity of an individual, but other than the possibility of SPAM, will not be very useful towards malicious purposes.

Purposes of Data Collection

Chapter III of the Data Privacy Act provides general principles that must be observed in the handling of personal information. It further defines criteria that must be satisfied for processing of personal information to be permitted and goes further by prohibiting processing of sensitive personal information and privileged information unless specifically excepted by the law. A table contrasting PI from SPI and Privileged Information, as well as showing the different criteria for lawful processing, is provided at the end of this paper.

Prohibited Acts

Chapter VIII, Sections 25 to 32 of the statute provides for eight modalities by which a Data Privacy violation is committed. Let us briefly examine the eight ways by which criminal liability may be incurred under the Data Privacy Act.

Unauthorized processing of PI and SPI would refer to processing of PI and SPI outside the parameters provided for by law. To determine whether or not processing of PI and SPI is authorized, one must comply with the general data privacy principles defined by the statute.

Accessing PI/SPI due to negligence is committed by a person who, due to negligence, provided access to PI or SPI without being authorized under the statute or any existing law. This provision entails that personal information controllers, personal information processors, and their contractors and employees are required to observe due diligence in their handling of PI/SPI. Chapter V of the statute provides the standards that must be observed for proper security of PI/SPI. Failure to implement reasonable safeguards that substantially comply with the general data privacy principles may result in such a violation.

Improper disposal of PI or SPI is committed by a person who knowingly or negligently disposes, discards, or abandons the PI/SPI of an individual in an area accessible to the public, or has otherwise placed the PI/SPI of an individual in its container for trash collection. It is interesting to note that other than the general statement which mandates PICs and PIPs to “keep data for no longer than the period necessary,” the law fails to provide a specific legislative mandate as to how PI or SPI is to be disposed of. This is a worrisome gap in the law, as in the age of Web 2.0, complete destruction of data is virtually impossible. Add the complexity of cloud computing, the concept of “metadata,” or data about data[10], as well as the participation of middleware in information transmission and processing, and the legal mandate of destruction of data seems like a technological impossibility. It is therefore respectfully suggested that the Data Privacy Commissioner must, in his promulgation of Implementing Rules, fill in the gap and define destruction of data as envisaged in this statute.

Processing of PI/SPI for unauthorized purposes is committed by a person who processes personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws. This reflects the general data privacy principle that the data subject must, at all times, be fully informed and apprised of the purpose for which his information is to be used.

Unauthorized access or intentional breach is committed by persons who knowingly and unlawfully, or in violation of data confidentiality and the security of data systems, break in any way into any system where personal and sensitive personal information is stored. In this sense, the E-Commerce Law applies suppletorily when it refers to hacking or cracking a system that houses PI or SPI. In the case of credit card information, the Access Devices Regulation Act may also apply, but both being special penal laws, no complexing of the crime can be done; instead, two separate criminal prosecutions may be availed of.

Concealment of Security Breaches involving SPI is committed by persons who, after having knowledge of a security breach, and of the obligation to notify the Commission and the data subject as provided for by law[11], intentionally or by omission conceal the fact of such security breach. It is interesting to note that the Data Privacy Commissioner is given the discretion to exempt a personal information controller from the notification requirement in the event that such notification is not in the public interest or in the interest of the data subject. It is also interesting to note that as the entities who handle PI or SPI are corporations, public or private, there may or may not be communication external to them that such a breach occurred; therefore there is a high probability that the general public will not be privy to such information. The Commissioner is given wide latitude to exercise such exempting power, hence it is submitted that the Implementing Rules should provide a more definite set of parameters by which such discretion may be exercised, to avoid the possibility of impropriety in the exercise of such exempting power.

Malicious disclosure is committed by those who, with malice or in bad faith, disclose unwarranted or false information relative to any personal information or sensitive personal information obtained by them. This is consistent with the mandate of Articles 19 and 26 of the Civil Code.

Lastly, unauthorized disclosure is committed when a PIC or PIP discloses personal information to third persons without the consent of the data subject.

Sections 33 to 37 provide for other provisions pertinent to a criminal prosecution under the law.

Applicability of RA 10173 to the problem

Is the act of a person, A, in disclosing the mobile number of another, B, to a third person, C, without prior consent, a violation of the Data Privacy Act?

While it is submitted that the Data Privacy Act is a special penal law, and therefore the only requirement is proof beyond reasonable doubt as to its violation, we must first apply the parameters identified and submitted herein to see if the Data Privacy Law is applicable to the scenario outlined above.

The sequence of questions that have to be answered for A to be in violation of the Data Privacy Law is as follows:

  1. Is B a data subject?

The definition of data subject in the law is generic enough that it is always certain that B, being the owner of the mobile number, is the subject of personal information in this case.

  2. Is the mobile number of B considered personal information or sensitive personal information?

The mobile number of B is a piece of data from which his identity as an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify him. Further, it is not part of the exclusive enumeration of data items defined as “sensitive personal information,” hence the mobile number is merely PI.

  3. Is A considered a data controller?

How are A and B related? Are they members of the same household? Are they members of the same organization in school? Or, are they colleagues at work? This will determine whether or not A is a data collector. The law provides specific exemptions, and if A is one who collects, holds, processes or uses the mobile number of B in connection with personal, family or household affairs, then A is outside the scope of the law.

If it were otherwise, then we proceed to the next questions in determining liability under the law. But the definition of “personal use” is broad enough to encompass anything short of explicit intent for profit. The case of St. Louis Realty Corp. vs. CA[12] is pointedly instructive. In this case, St. Louis ran a print ad showing a family residence in a newspaper, and unfortunately for them, the owner of the house recognized this and requested them to desist from using the image further. The Court held that such an act was a violation of privacy, and adjudged damages against St. Louis on the basis of violation of Article 26 of the Civil Code.

This is the conundrum of the current verbiage of the law. How “personal” really is personal? Does the intent to “become friends” ipso facto translate to legitimate personal use? How about the “intent to initiate a romantic relationship”? Alternatively, what if such contact information is requested only for the purpose of getting the contact information of another person, say, D or E?

It is therefore submitted that the Data Privacy Commissioner must restrict the legal effect of the exemption towards “personal” use, without necessarily inciting people to become litigious on account of this particular statute.

  4. Did A sufficiently inform B as to the reasons for collecting the mobile number?

It would be funny to imagine a future where a standard disclaimer is uttered by everyone whenever they exchange contact information. But the law does not intend to impose the impossible nor the infeasible. It would be sufficient to merely convey why A requested the mobile number of B; besides, would one really volunteer contact information to another if there is no intent to start a human relationship, be it one for business or one for personal purposes?

  5. Does C have a compelling reason to procure the personal information of B sufficient to exempt A from any liability?

The law provides that the general rule in the processing of PI and SPI is that the data subject must have given his consent thereto. However, Sections 12 and 13 provide for other scenarios wherein PI and SPI can be lawfully processed, such as the performance of an obligation, protection of a vital interest such as life and health, response to an emergency, and the like. If C has a compelling reason analogous to those envisaged in the law, then even lacking consent from the data subject, he incurs no liability.

Conclusion

Technology has revolutionized the way we do business and transact with one another. We have reached the stage wherein the data we use for our daily transactions generates data of its own. The information we use to log in to websites and other ICT-enabled services may be out of our reach and control the moment we hit “enter” and “Sign in”. But despite these, communication, at its most basic core, is still done between humans. It is almost surreal to imagine that in the near future, people in their day-to-day conversations would record waivers of their rights to data privacy prior to exchanging contact information. At the end of the day, getting up close and personal is still the best way to remove clouds of doubt on the legitimacy of one’s acquisition of another’s contact information. And isn’t that the way human communication was intended to be?

END NOTES

[1] Sheherezade and the 101 data privacy laws: Origins, significance and global trajectories. Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2280877

[2] http://manilastandardtoday.com/2012/03/20/data-privacy-act-clears-senate-on-final-reading/

[3] http://www.gov.ph/2012/08/15/republic-act-no-10173/

[4] Section 12, UN Declaration of Human Rights, http://www.un.org/en/documents/udhr/

[5] Health Insurance Portability & Accountability Act. http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

[6] SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth: xxx (c) Data subject refers to an individual whose personal information is processed. xxx

[7] SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. RA 10173, http://www.gov.ph/2012/08/15/republic-act-no-10173/

[8] TRUSTe Program Requirements, II.L., PII. http://www.truste.com/privacy-program-requirements/

[9] RA 10173, Section 3, (g) and (l), http://www.gov.ph/2012/08/15/republic-act-no-10173/

[10] https://en.wikipedia.org/wiki/Metadata

[11] Section 20(f), RA 10173, http://www.gov.ph/2012/08/15/republic-act-no-10173/

[12] 133 SCRA 179, 1984.

Table 1. PI, SPI and Privileged Information, contrasted

As to nature
  Personal Information: Data that can be used to identify and locate an individual
  Sensitive Personal Information:
    1. Race, ethnicity, marital status, age, color, and religious/political/philosophical affiliations
    2. Health, education, genetic or sexual life, or data about offense committed, disposition, sentence
    3. Government-issued and peculiar to an individual
    4. Specifically provided for by Executive Act or law
  Privileged Information: Any and all forms of privileged information provided for by the Rules of Court or other laws

As to consent
  Required from the data subject

As to reasons for processing
  Personal Information: Necessity due to:
    a. Contract
    b. Obligation
    c. Protection of vital interests, including life and health
    d. Emergency response and fulfillment of functions of public authority
    e. Legitimate interests pursued by the PIC, EXCEPT when overridden by Constitutionally protected rights
  Sensitive Personal Information: Necessity due to:
    a. Protection of life and health of data subject or another person, and data subject incapable of expressing consent prior to processing
    b. Lawful and noncommercial objectives of public organizations and their associations, PROVIDED
       i. data subject is a member thereof
       ii. SPI not transferred to third parties
       iii. consent of data subject given prior to processing
    c. Medical treatment
    d. Protection of lawful rights and interests of persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority