Part Two
BY providing personal data like name, address, birthday, e-mail and telephone number, a guest, in effect, gives an implied consent to the organizers of an event, according to Philippine Computer Emergency Response Team (PhCERT) President Lito Averia.
However, there’s a caveat.
“The disclosure of the purpose of the collection of personally identifiable information must be explicit,” Averia explained.
Such is the spirit of Republic Act 10173, or the Data Privacy Act (DPA) of 2012, he said.
The data-privacy law compels organizations, both public and private, to put in place the necessary physical, organizational and technical measures to secure their systems in safeguarding personal data in their storage, Averia said.
Under the law, the systems cover both automated and manual, he added. The organizations are mandated to put in place the necessary protective measures.
Averia pointed out an organization has to take the necessary cybersecurity measures if it stores personal information in an automated database system.
Security solutions alone do not guarantee data protection, he revealed. “Data may get compromised by the organization’s people who lack technical know-how in terms of information security.”
Weakness
ISAAC S. Sabas, founder and CEO of managed security service provider PandoraLabs Inc., said an information and communications technology (ICT) infrastructure usually gets compromised due to inadequate technical understanding and skill among an organization’s people.
Averia agrees: “The weakest link is still people.”
No technology, however advanced, is capable of securing data when the people in an organization have not the technical literacy and capability to secure data, said Angel Redoble, ePLDT Inc. chief information security officer.
Both Redoble and Averia are vocal and strong proponents of the integration of data security in the curriculum for primary school students. Both agree knowledge on identity protection should be taught in the early educational formation of students since the age that has access to the Internet, for both male and female, becomes younger and younger.
BPOs
AVERIA was one of the proponents who campaigned for the original purpose of the data-privacy law back in 2001.
“Right after we completed the rules on electronic evidence, we started working on the Data Privacy Act,” he said. “The active lobbying was around 2006 and 2007.”
Averia added progress on the law was at the same slow pace of growth of the business-process outsourcing (BPO) sector. The growth of the BPO industry was slow since there was no legal framework that could have boosted the industry players’ progress, he explained.
At the time, there was no data- privacy law yet and the BPO operators in the country and their clients were in contractual commitments, Averia said.
The BPO operators during those years saw the absence of data-privacy law hindered the growth of the industry, he explained.
“The BPO industry began to sail smoothly after the data privacy became a law in 2012,” he said. “The BPO is a direct beneficiary of the law, which became a preventive measure to identify theft.”
Absence
ACCORDING to Averia, the data- privacy law should not be considered a cybersecurity magic bullet.
Currently there is no law devoted to resolving cybersecurity in the country, he said.
“There’s no legal framework that specifically addresses cybersecurity,” Averia added. “Cybersecurity as a matter of concern is tucked in the Cybercrime Prevention Act.”
Redoble, who advocates legislation of a cybersecurity law, agrees. He added the government should craft a policy as a law has yet to be enacted.
That onus falls on the shoulders of the Cybercrime Investigation Coordinating Council (CICC). The CICC was created upon the approval of Republic Act (RA) 10175, or the Cybercrime Prevention Act of 2012.
And while the CICC was able to formulate a cybersecurity plan early this year, Averia said “a lot of details have to be put in place.”
Still, he noted government’s efforts in the last decade to address cybersecurity.
Subterfuge
THE DPA is not a scheme to prevent the processing or disclosure or both of personal information sanctioned under law, according to Raymundo Liboro, chief of the National Privacy Commission.
In a statement on data privacy and the issue on the Statement of Assets, Liabilities and Net Worth (SALN) redaction, Liboro said the DPA was not enacted to “prevent access to personal information under any circumstances.”
The DPA encourages “responsible and lawful use of personal information,” he clarified.
Section 11 of the DPA states that “the processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and opportunity.”
RA 6713, otherwise known as the Code of Ethics and Ethical Standards, serves as the legal basis of the DPA for the SALN, he pointed out.
Section 8 of the law states that, “Public officials and employees have an obligation to accomplish and submit declarations under oath of, and the public has the right to know, their assets, liabilities, net worth and financial business interest, including those of their spouses and of unmarried children under eighteen years of age living in their households.”
It includes real property, its improvement, acquisition costs, assessed value and current fair market value; personal property and acquisition cost; all other assets, such as investments, cash on hand or in banks, stocks, bonds and the like; liabilities; and all business interests and financial connections.
“The SALN must also identify and disclose a public official’s relatives in the government in the form, manner and frequency prescribed by the Civil Service Commission,” Liboro said. As required by law, the SALN should be publicly available and accessible, he added. Under this law, the right of the public to know is guaranteed.
Personal data that RA 6713 requires with regards to assets, liabilities and net worth of public official’s spouse and unmarried children under the age of 18 years could not be redacted, Liboro explained. To be concluded
Image credits: Nonie Reyes