Data privacy 101: What businesses should know about systems registration

We live in an era when personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.

To many, understanding many of the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task. 

To remedy this, we’ve gone straight to the source, and signed up two experts – Jam Jacob, the data protection officer of the Ateneo de Manila University and former head of the Privacy Policy Office of the NPC; and Ivy Patdu, Deputy Privacy Commissioner for Policies and Planning of the NPC.

The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about the NPC’s registration platform for data processing systems.

Q: What is the reason for the registration system?

Ivy: The registration of data processing systems is one of the compliance requirements of the NPC. It is the counterpart of the “notification” requirement of the European Union’s (EU) Data Protection Directive, which has since been replaced by the General Data Protection Regulation (GDPR).

The NPC retained this requirement in line with the strategies it will implement pursuant to its compliance monitoring function. It considers the system a means to administer and implement the DPA, particularly in promoting transparency and public accountability in the processing of personal data.

For registered entities, it is an acknowledgment of their personal data processing activities, and a means to provide their contact information for any data privacy-related matters. It also shows their commitment to comply with the law and provides a venue for better engagements with the NPC.

It should be seen as part of the compliance journey insofar as it allows personal information controllers (PICs) and personal information processors (PIPs)  to comply with requirements of maintaining a record of their processing activities, and to have an initial basis for their risk assessment activities.

In the future, the NPC may maintain a registry that is subject to reasonable public access. This is helpful to those who may have concerns against big corporations, especially those operating across borders.

Q: What do you think of this compliance requirement?

Jam: I think it has lost its place in the ideal regulatory framework for data protection. The EU, which arguably has the most mature data protection regime today, did not retain this requirement when it updated its legal regime this 2016, with the enactment of the GDPR. That ought to say a lot.

At best, it provides a data protection authority a baseline upon which it can begin its assessment or investigation of a particular company. If the registry is accessible to the public, the system also lends itself to the transparency principle espoused by data protection laws. With that, given the effort a company will have to expend to meet its obligations under a system like this, I just don’t see a fair tradeoff. 

In the meantime, though, I hope that references and other resources from the NPC are forthcoming since there are still plenty of matters to clarify about this compliance requirement.

Q: What are some common questions about the system that you want to address?

Ivy: One common issue is how to interpret “data processing systems.” There is ambiguity, for example, on whether each and every process will be registered, whether to include systems like the registration of guests in a condominium lobby in a logbook, or whether storing data in one data server qualifies as one system.     

Organizations are advised to group related processes together under one system for purposes of registration. Factors that may be considered include their having a common or related purpose, having the same system inputs or outputs, and similar processes using a common system.

For instance, the Human Resource Department can define systems based on its strategic functions such as Hiring and Staffing Data Processing System, Performance Management Data Processing System, or Training and Development Data Processing System. When processes are grouped together, the organization should be prepared to justify or show the relationship of the processes with each other.

Q: What will happen if a company doesn’t register?

Ivy: The NPC can issue compliance orders, and file court processes to require compliance. At the same time, non-registration is one of the considerations in identifying the organizations to be subjected to a compliance check. Taking into account due process considerations and a proper investigation, the Commission may issue stop processing orders and other enforcement actions.

With that, organizations should be mindful that registration is only one aspect of compliance. It does not exempt anyone from an investigation, nor does it protect the PIC or PIP from breach. Accordingly, organizations would do well to prioritize embedding privacy and data protection measures in their day-to-day operations.

Q: What are some of the issues or challenges encountered in its implementation? 

Ivy: One of the challenges is perhaps the requirement of registration imposed on individual professionals, particularly registration of physicians. There was a lot of confusion because some physicians were unsure whether they were required to register or not. At the moment, physicians account for about a third of those registered with the NPC. The registration should have a more even distribution across sectors.

The submission of paper-based registration forms is also a challenge. In those cases where registration was done offline, forms had to be separately encoded, which entailed both manpower and budget costs. For early registrants, NPC accepted submissions of paper-based forms in order to avoid imposing undue burden those who opted not to use the online platform.

Jam: Based on the experience of our organization and those I’ve assisted in this area, there were quite a number of problems with the system. I’ll just name four:

• Identifying systems. Singling out processes that qualify as a data processing system requiring registration is difficult, especially for large organizations and/or complex systems. An organization can have hundreds of units or offices, and each one is bound to have its own set of “systems”.
  
  Which ones do you register? How about those who maintain similar systems (e.g., registration systems for events)? Sometimes, a system is used by multiple units or offices. Sometimes a system forms part of or connects to a much larger one. If a program, software, or application is being used, it is common for people to assume that that’s the system that require registration. It’s not always the case.

• Technical glitches in the online registration system. We experienced a lot of technical difficulties. A couple of times, after having put in all the entries for a particular system, we’d find out later on that nothing was saved or recorded. Activation took a while, too. There was an issue with the link we were provided with. It turned out it had already expired. 

• Late launch of the online platform.  The online registration system came out just a couple of weeks before the deadline set by the NPC, leaving a very narrow window for organizations to meet it. Obviously, this was unfair to bigger companies who had more systems to register compared to their peers.

• Registration of individuals. Suffice to say, I don’t believe it was the intention of the law to cover individuals who process personal data. If this is to be upheld, then a comprehensive guide should be in the works since there is a long list of questions waiting to be answered in this respect.

Q: Do you have any tips for those working to register their data processing systems? 

Jam: Pending further guidance from the NPC, I recommend that organizations decide early on how they intend to interpret the definition given for “data processing system.” Using that interpretation, they should do a quick in-house survey/study of all their existing systems, from the simple ones to the complex.

It is important to secure all the information required by the NPC in its online registration platform. Then they should register. As long as there is no intention to commit fraud, they shouldn’t be afraid to get some things wrong at first. Anyway, subsequently revising one’s registration information is permitted. 

The key is to show that you are willing to comply by making a genuine effort to do so. After you’ve done this initial but important step, carry out a comprehensive Privacy Impact Assessment (PIA) on your organization. It’s going to take quite a while, especially if you’re a large organization, but only a proper enterprise-level PIA will provide the accurate information necessary to comply with this registration requirement.

Q: How do you see this system moving forward?

Ivy: It is acknowledged that the trend in other countries has been to move away from notification (registration) requirements. This may be because of the increasing importance of the role of data protection officers (DPOs), and the view that registration requirements are just an administrative burden.

In many ways, the DPO is seen as addressing the need for transparency and public accountability in data processing. In the Philippines, DPOs are those persons designated to ensure an organization’s compliance with the DPA. They are supposed to be accessible to both internal and external stakeholders. This may be explored by the NPC in the future.

Should the registration system continue, the challenge for the NPC is to be able to limit the focus of the registration requirement to the critical few – those companies and businesses that have large-scale processing activities for their core activity, and those with complex data processing systems. Further to that, the system has to be both cost-effective and risk-based if it’s going to be sustainable.

Jam: Perhaps it’s because of my admitted bias towards this issue that I think the registration system will not last long. Sooner or later, we’ll get to appreciate what the EU learned from their nearly two decades’ worth of experience with their registration system. Today, the regulators there seem to think that organizations should focus more on developing internal data protection measures.

That’s where they should be spending their attention and resources on. I agree. Transparency can be achieved in so many other ways, and a data protection authority can simply ask an organization for baseline data if and when it will conduct an inspection or investigation of that particular organization.

I should also mention that decommissioning the system will free up precious resources for the NPC, too. Monitoring is bound to be a time-consuming task and is expensive to undertake. With that, the demise of this system will actually be a win-win for everyone concerned. – Rappler.com

Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011.

Jam Jacob (@jamjacob) is the data protection officer of the Ateneo de Manila University. He is also the coordinator for the Privacy and Surveillance Program of the Foundation for Media Alternatives, a civil society organization, and is a consultant to several organizations both in government and the private sector. He previously served as head of the Privacy Policy Office of the National Privacy Commission, and has worked on data privacy since 2011.

Statements of the individuals here are not official positions of their respective affiliations.