We live in an era when personal data is so valuable that many business models and economies are now actually built around its collection and use. To prevent or at least discourage abuse, governments develop laws that aim to regulate this phenomenon. The Philippines has Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), with the National Privacy Commission (NPC) overseeing its proper implementation.
To many, understanding many of the law’s provisions and translating DPA compliance into an organization’s day-to-day operations is a daunting but necessary task.
The two will be authoring a series of articles that take up the various compliance elements of the law, as seen from two vantage points, and presented in FAQ form. In this issue, they talk about privacy notices.
Here they discuss the privacy notice, a document that states how an agency or organization collects, uses, and protects user data. At the end of this article, you will find links to the other articles in the data privacy seres.
What is a privacy notice?
Ivy: A privacy notice is a statement on the data processing activities of an agency or organization. It provides, among others, information about the categories of personal data involved, the purpose and extent of their processing, and the safeguards in place to ensure their protection.
On the part of the institution, a privacy notice demonstrates its commitment to transparency and fairness when carrying out data processing. It is also an efficient means to uphold a particular right (i.e., to be informed) of individuals vis-à-vis their personal data.
What is the basis for requiring a privacy notice?
Jam: The use of a privacy notice is in keeping with the transparency and fairness principles in personal data processing. Transparency sits at the core of a robust privacy management program. Except for a handful of circumstances, it is difficult to imagine a proper data protection regime where a person is kept in the dark about the way his or her personal data is collected and used by others.
Similarly, fairness demands that a person is afforded a reasonable amount of information about the data processing system of an entity in possession of his or her personal data. It is with such knowledge that he or she is able to effectively exercise his or her rights as a data subject.
Ivy: Section 11 of the DPA provides for the principle of transparency. The same provision also says personal information should be processed fairly and lawfully. Implicit in these principles is the requirement that an entity’s purpose for processing personal data be declared and specified.
At the same time, the DPA also holds that an individual is entitled to be informed about the fact that his or her personal information is being processed, the extent of such processing, and other relevant information. One way of complying with these provisions in one fell swoop is through a privacy notice.
What should a privacy notice contain?
Jam: Under the DPA, a proper privacy notice answers the following questions in relation to a data processing system: (1) who is the entity in control of the processing (i.e., Personal Information Controller, or PIC); (2) what personal data are being collected or generated; (3) what is the purpose of the processing; (4) who has access to the data; (5) with whom are the data shared, if at all; and (6) how long will the data be retained.
In addition, it should also feature a statement on the rights of data subjects and how these can be exercised. Then, of course, the contact information of the PIC should be right there in the mix, too.
What issues are usually encountered when coming up with a privacy notice?
Ivy: Some companies lose sight of the main purpose of a privacy notice. Coming up with a piece of document and calling it as one is not enough. There must be a genuine desire to properly inform data subjects. This means meticulously choosing the appropriate medium to relay the notice.
In some cases, a colorful poster or a video clip might be more compelling than a very long text that no one reads. Content-wise, a privacy notice should be developed only after the actual data processing operations of an agency or company are made clear. Some of the things to be considered include the data inventory, the documentation of purposes and bases of processing, and the records of processing activities.
Jam: In engaging with different organizations, I can recall two recurring problems:
Copy-paste mentality. Some people think they can simply lift words from another company’s privacy notice and make it their own. They don’t bother to check if it also describes their data processing activities accurately. Not only does this defeat the purpose of transparency, but the copycat could also be accused of intentionally deceiving data subjects.
Privacy notice vs. consent form. Some companies confuse one for the other. They end up asking for consent for processing activities they can lawfully carry out without it. In such instances, a data subject may not mind, but it could pose a big problem to the company if it encounters individuals unwilling to give their consent.
Meanwhile, some companies like to combine the two. This, on the other hand, is not only improper but oftentimes unfair to the data subject. If thrown in together haphazardly, people end up being forced to agree to data processing activities they don’t actually approve of simply because these are commingled with those they only need to be informed of.
Sure, consent forms are practically privacy notices, too. That’s how one obtains informed consent. But, this is not the same as actually combining the two. They have different purposes and are associated with different legal bases for data processing.
Does the DPA and the European Union’s General Data Protection Regulation (GDPR) have the same requirements as to what would qualify as a proper privacy notice?
Jam: The DPA and the GDPR have very similar requirements. A privacy notice does, after all, serve the same purpose under both regimes. A marked difference, though, is that the GDPR distinguishes between a scenario where personal data is collected directly from an individual, and one where it is derived from other sources.
If personal data is obtained directly from the individual, the privacy notice must feature the following: (1) identity and contact information of the PIC; (2) contact details of the data protection officer; (3) purpose of the processing; (4) legal bases for the processing; (5) rights of the data subject; (6) storage period; (7) recipients of the data, if any; (8) existence of an automated decision-making process, if any; (9) cross-border transfer of data, if any; and (10) information on further processing, if any.
Meanwhile, if personal data is collected from other sources, a privacy notice features the same enumerated information and two more, namely: (1) categories or description of the personal data; and (2) sources of the data.
What tips would you give to those developing their own privacy notice?
Ivy: It all begins with maintaining a proper record of one’s processing activities. This demonstrates compliance and allows the development of a privacy notice that is based on actual data processing activities of a particular entity. The privacy notice itself should be complete but concise.
It should allow data subjects to ask for more information, or request for a more comprehensive explanation. The manner of presenting a privacy notice is critical, too. An entity should explore creative ways to present information so that they actually reach their intended audience.
Finally, a privacy notice must be seen as an excellent opportunity to engage data subjects. According to a 2017 survey, more than 90% of Filipinos want to know how their personal data is being processed. A privacy notice addresses this need.
In the end, it’s worth remembering that information privacy is about allowing people to exercise control over their own personal data. It empowers them. In this scheme of things then, an effective privacy notice is a critical tool for people empowerment.
Ivy Patdu is a member of the National Privacy Commission, sitting as its deputy privacy commissioner responsible for policies and planning. She is also a member of the e-Health Privacy Expert’s Group and faculty member of the Ateneo de Manila Law School and San Beda College of Law-Alabang. She has worked on data privacy since 2011.