StaySafe app

Citizens’ data collected by StaySafe app still in hands of private firm

Pia Ranada
(UPDATED) The contact tracing app's developer fails to comply with the government's own ultimatum but the government itself promotes a more aggressive roll-out

The data of Filipinos collected by the government’s contact tracing app remains in the hands of a private technology firm, an official of the Department of Information and Communications Technology (DICT) confirmed.

Assistant Secretary Manny Caintic, on Thursday, January 21, said in a Malacañang press briefing that a deed of donation of the data is yet to be signed by the Department of Health.

This means the health department, the government agency with a mandate to hold the data as part of its role in curbing the pandemic, has not yet received users’ information from Multisys Technologies Corp, the developer of StaySafe.

“The deed of donation is pinapa-sign pa namin sa DOH (we are still having the DOH sign it), but I think that’s forthcoming,” said Caintic when asked by Rappler.

Wala pa rin trinansfer pa na data (No data has been transferred yet),” he added.

Violation

This is a violation of the pandemic task force’s own rule.

In June 2020, or 7 months ago, the Inter-agency Task Force on Emerging Infectious Diseases said it would withdraw its endorsement of the StaySafe app if Multisys fails to donate citizens’ data to the health department.

“A Memorandum of Agreement (MOA) or such other deed or agreement as shall be necessary shall be entered into between Multisys Technology Corporation (Multisys) and DOH regarding the donation and use of StaySafe.PH application which shall include the source code, all data, data ownership, and intellectual property involved of the former to the latter,” reads IATF’s Resolution No 45.

The resolution also ordered Multisys to comply with the directive 30 days from the resolution or else it would revoke its endorsement of StaySafe as the country’s official contact tracing app.

Multisys would also then be required to “migrate the data collected and stored in StaySafe.PH to the DICT.”

Late by 6 months and counting

Based on the resolution, the MOA and turnover of data should have been done on July 10, 2020 at the latest. But 6 months later, these conditions have not been complied with.

Asked how the government would then protect citizens’ data if they remain with a private company, Caintic said, “Right now, I think the NPC (National Privacy Commission) has already been doing ongoing and continuous privacy assistance to StaySafe.”

NPC is the government agency tasked with ensuring compliance to the Data Privacy Act. NPC Commissioner Reymund Liboro is yet to respond to Rappler’s request for comment.

Multisys CEO David Almirol Jr confirmed that users’ data is still with them. But he said it’s not because they don’t want to turn it over.

“Still with Multisys. It seems DICT is not ready [to receive it], it seems they don’t have funds to pay for the cloud services,” he told Rappler on Thursday.

Meanwhile, the DOH had denied Rappler’s December 22 request for a copy of a MOA with Multisys on StaySafePH.

The DOH, through its FOI officer, said it does not have [some of]* the information” requested. Yet in the next line, they said the request was denied because of the Data Privacy Act.

“We regret to inform you that we cannot provide the data being requested as this is classified as a sensitive personal information and privileged information and violation of Data Privacy Act,” said the DOH in an email to Rappler.

Full roll-out despite non-compliance

Despite Multysis’ non-compliance to the IATF ultimatum, the IATF and Malacañang itself has been promoting StaySafe, together with Almirol.

In September, they attended a public launch of StaySafe in a major mall. This was after the deadline for turnover of users’ data had already passed without Multisys fulfilling the requirement.

Must Read

Gov’t goes full-throttle on StaySafe app, but user data concerns remain

Gov’t goes full-throttle on StaySafe app, but user data concerns remain

Two months later, the task force made the use of StaySafe required for anyone who wishes to enter national and local government offices.

Soon after, it made StaySafe mandatory for even private companies, hotels, and business establishments, as well as public transportation.

Under IATF Resolution No. 87, these establishments are now required to implement the “Safety Seal Certification Program” which entails “the adoption of the StaySafe application and generation of its QR Code to be displayed in all entrances.” – Rappler.com