What must your organization or business observe for data privacy protection? Guidelines for privacy
On 08 July 2020, the National Privacy Commission (NPC), demonstrating its commitment to protect the privacy rights of individuals as included under its legal mandate, published another bulletin to guide establishments in the proper handling and protection of personal data collected from their customers and visitors.
First among the guidelines highlighted by NPC is "Collect only what is necessary." This basic guideline reinforces NPC's regular statement in its awareness campaigns that every Personal Information Controller (PIC) must collect only what it can protect. In other words, establishments or businesses, as PICs, must always incorporate in their privacy policies the principle of proportionality in their collection, use, disclosure, storage or any other kind of processing of the personal data of their data subjects.
Next in the list, NPC also highlighted the need for establishments to "Be transparent". Again, the principle of Transparency under the Data Privacy Act of 2012 serves as a constant reminder that businesses which act as PICs, whether of their clients/customers or employees, must be clear in their privacy notices or policies so as to fairly "inform their customers and visitors of the collection of their personal data and the reasons for such collection." NPC further gives guidance that "[f]or further information on the processing activity [by PICs], establishments may direct their customers and visitors to their official websites or social media pages, as well as official websites of pertinent government agencies to provide them with information on the possible uses of their personal data for contact-tracing purposes. Establishments must ensure that the privacy notice is easy to access, understandable, and uses clear and plain language."
Third, NPC reminded the general public to "Use information only for the declared purpose". This is a clear statement of the principle of Legitimate Purpose, which also has to be part of every business's or establishment's data protection policies. When this principle under the Data Privacy Act of 2012 is strictly adhered to, clients and customers gain a concrete basis for their confidence that the personal data they give to their service/goods provider are well taken care of. Trust in business partners and vendors of goods and services has once again been highlighted as a very valuable commodity.
With NPC's latest bulletin, establishments and businesses are again reminded of NPC's continued implementation of the Data Privacy Act of 2012 and its implementing rules and regulations. In the midst of the national health crisis our country is facing, data privacy, as well as the rights of data subjects, has become more relevant, especially given the adjustments which have to be made in relation to distance/online learning, contact tracing efforts, and work from home arrangements. As observed in most of the online media platforms doing business, it is very timely for every business to establish, if not update, its data privacy policies and strictly adhere to its data privacy and protection management program.
#DataPrivacyUpdates for Friday @dataprivacyadvisor
Source: NPC PHE Bulletin No. 15: Guidelines for Establishments on the Proper Handling of Customer and Visitor Information for Contact Tracing