The Data Privacy Act and Its Implications for a New National I.D. System

Introduction: Orwellian Governments and the Welfare of a Free Society

Many works of science fiction, from George Orwell’s 1984 to today’s Hunger Games series by Suzanne Collins, are set in dystopian futures where a totalitarian government runs the nation. The word Dystopia, as opposed to Utopia’s “perfect world”, means a world of fear or oppression, usually subject to a totalitarian regime or society. In these futures, the state monitors everything its citizens do, a “Big Brother” on a national scale. Every movement, every transaction, every potty break, every coffee break is observed by the state. Minority Report, with Tom Cruise, showed biometric scanning for identification as omnipresent in its society, from personalized billboard advertisements that automatically scan retinas to government offices requiring a scan just to enter the building. These dystopian totalitarian governments were always built with the good motives of society at heart, with these monitoring systems in place for the “greater good”, intended to positively influence the society. The problem lies with the political principles they were based on, which were too oppressive and resulted in a negative view of these dystopian governments.

One of these flawed political principles is that these future governments think that more surveillance means a better, safer society. Many of these dystopian governments have implemented a form of unified transactional system, wherein one retinal scan or some other biometric action can retrieve all related data on that person, and where no one can transact without being subject to a scan of some sort. This method allows the government to track every movement, every action, of an individual without his knowing. The government then has a very unconstitutional means of surveillance that goes against every democratic principle of a free nation.

It can be said that these fears are found only in science fiction. In reality, however, many governments are moving towards this political state. In the United Kingdom, citizens are under constant surveillance by ubiquitous CCTV cameras[1]; in the United States of America, the National Security Agency keeps tabs on citizens’ phone calls and emails[2]; and many European states are starting to do the same. These signs foretell that many of the world’s nations are edging close to mimicking George Orwell’s dystopian vision.

Administrative Order 308 and its Potential for Misuse

Currently, the Philippines lacks the resources to constantly monitor Filipinos through CCTVs, but there was an attempt by President Fidel Ramos to initiate a National Computerized Identification Reference System or NCIRS during his administration through Administrative Order 308[3]. This was purportedly to address the Filipinos’ need to transact with the government easily through the use of a unified card system that contains all the necessary data of the cardholder to create a more convenient transactional experience. Senator Blas Ople assailed the order on the ground, among others, that A.O. 308 is a violation of the constitutional right to privacy[4]. This case delved deep into how the government should approach any attempt at a collective effort to compile data on its citizens, and the issues of misuse that may arise with such an endeavor. As stated by Professor Emerson, and used in the present case, “The concept of limited government has always included the idea that governmental powers stop short of certain intrusions into the personal life of the citizen. This is indeed one of the basic distinctions between absolute and limited government. Ultimate and pervasive control of the individual, in all aspects of his life, is the hallmark of the absolute state. In contrast, a system of limited government safeguards a private sector, which belongs to the individual, firmly distinguishing it from the public sector, which the state can control. Protection of this private sector– protection, in other words, of the dignity and integrity of the individual–has become increasingly important as modern society has developed. All the forces of a technological age –industrialization, urbanization, and organization– operate to narrow the area of privacy and facilitate intrusion into it. In modern terms, the capacity to maintain and support this enclave of private life marks the difference between a democratic and a totalitarian society.”[5]

This means that the government has a fine line to tread between being an absolute “police state”, such as those shown in the aforementioned dystopian governments, and the ideal democratic government, which sets limits on its control over its citizens. American jurisprudence on zones of privacy, such as Roe v. Wade[6], enumerated the amendments to which these zones of privacy were attached, and explained the breadth of the right to privacy, which even covers a woman’s choice to have an abortion.

That being said, the government failed to safeguard the citizen’s zone of privacy in A.O. 308, the order being overbroad and vague on its methods of managing the very personal data that the NCIRS seeks to compile. There is no safeguard against the misuse of data. There are no defining categories on the type of data to be collected, nor are there set methods on the type of biometrics to be used through the Personal Reference Number or PRN. Basically, it is a roving commission that allows government officials to misuse the information gathered through the PRN. As succinctly put by Justice Puno in the case, “It does not provide who shall control and access the data, under what circumstances and for what purpose. These factors are essential to safeguard the privacy and guaranty the integrity of the information. Well to note, the computer linkage gives other government agencies access to the information. Yet, there are no controls to guard against leakage of information.”[7]

This abject disregard for the safety of the Filipinos’ private information does not bode well for the attitude of the administration and the State towards the handling of these sensitive data. Since there was no express provision addressing the type of data to be collected, the government may obtain any sort of data it feels is necessary, without the knowledge of the PRN holders. Furthermore, since every transaction is recorded, the government can build a “huge and formidable information base” that can be misused by unscrupulous persons in power. There is also no clear accountability for the management of information, which can easily lead to finger-pointing and bickering without a solution from the bureaucrats in power. The situation feared by the Supreme Court in A.O. 308 is a fear well grounded, since the people in power have proved to easily succumb to the temptations presented by power in office. A case in point is the situation in the U.K., where a law was passed requiring British citizens to obtain a National ID Card, which contained their biometrics data and other personal information and was required for government and business transactions, similar to that envisioned by A.O. 308; the scheme was scrapped for violating civil liberties.[8] These ID card systems, although on paper they sound beneficial to society, are highly susceptible to abuses of human rights by the government, whether deliberate or negligent, and thus might be the stepping stones to the feared Orwellian governments of science fiction futures, unless these systems are strictly constrained by strong safeguards.

Republic Act 10173 or the Data Privacy Act

In light of this, an actual law was recently passed on July 25, 2011, called the “Data Privacy Act of 2012” (Republic Act 10173)[9]. This new statute seems to rectify some, if not all, of the failings of A.O. 308 by including the necessary safeguards to the privacy of personal information in concise and unambiguous terms, proper accountability, proper standards for the usage and management of private data, and the rights of data subjects, thus laying the foundation for a constitutionally compliant and safe law for a national identification card system.

Its declaration of policy[10] provides for the protection of personal information not just from the government but also against abuses in the private sector. This express statement to protect private information is an auspicious start to the law, considering the complete lack of protection in A.O. 308. The declaration of policy is the light that guides the interpretation of this statute, and it seems to illuminate the way towards a safe and secure national identification card system.

As defined by the law, personal information “refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”[11] This would be the biodata of the “data subject”, or the person owning the personal information processed. Attributes include ethnicity, marital status, and physical characteristics such as eye color, height, and weight: basically everything relevant to the data subject’s life. The scope of RA 10173 applies to all personal information being processed and those processing it, with exceptions for personal information of government employees and information covered by the Secrecy of Bank Deposits Act[12], Foreign Currency Deposits Act[13], and Credit Information System Act[14]. The personal information contemplated in RA 10173 coincides with the information necessary to implement a national identification card system. This allows any future statute the leeway to choose its biometric technology, since any information regarding biometrics is already covered by RA 10173 as sensitive personal information. This bypasses the issue tackled in the Ople v. Torres case, namely A.O. 308’s absence of a preferred biometrics technology for its implementation. Thus, a person’s physical attributes needed for a biometrics system, such as his palm prints, retina scans, voice records, and others, are clearly covered by the Data Privacy Act, which gives legislators a freer hand in choosing their method of biometrics for a national identification card scheme, whether they find their answer in current biometrics technology or want to wait for more advanced systems.

The Principles and Criteria of R.A. 10173

In the Ople v. Torres case, the issue of A.O. 308 being a “roving authority” for the government to collect information on individuals not for the purpose of identification[15] but for some other nefarious purpose is also remedied in the new law. In that case, the Solicitor General stated that the data obtained under A.O. 308 would be used not only for identification but also for “development planning”, which was one of the main causes for invalidating the administrative order, due to its “indefiniteness” and broadness. The order did not clearly define the parameters for what development planning is, which actually allows a very liberal interpretation of that order. By requiring all data processors to declare the purpose of the collection of personal information before or as soon as reasonable after[16], the law gives the data subject a cause for litigation if the data processors deviate from the specified purpose. Furthermore, the individual always knows where his personal information is being used; its use is never unknown to him. For example, when an individual fills up an information sheet with personal information for a national ID scheme, the government has to expressly declare, before giving out the data sheet, that this information will only be used for identification purposes of the individual, to ascertain that it is really him or her, and not a fake. If the government did utilize the data for other purposes, then the data subject can litigate against it for deviating from the stated purpose of the data collection. Thus, this law requires that information collectors follow narrow and strictly defined parameters on data collection, ensuring transparency and legitimacy in every action for the preservation of the individual’s human rights.

Furthermore, an interesting principle now required by the law is that the data collected may only be retained for as long as necessary for the “fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law”.[17] This creates the situation wherein once the purpose of the data collection has been achieved, the data processors and collectors must properly dispose of the data, unless they keep a historical record in a form only necessary for identification of the individuals. This may be used in implementing the national ID system when other necessary information, such as SSS or TIN documents or other data, is required to initially verify a person’s identity and, upon verification, is properly discarded. This is an additional safety feature of the new law that reinforces its principle of making data collectors keep to their purpose for information gathering, thus also addressing the lack of safeguards present in A.O. 308.

The criteria established for the processing of this information require the data subject’s consent; processing without consent is allowed if it is required by a legal obligation, or for the vital interest of the data subject himself, or for national emergencies, to comply with the requirements of public safety and order. These requirements, especially the express consent of the data subject, answer the Supreme Court’s complaints found in Ople v. Torres. This eliminates the possibility of abuse by government agencies or, at worst, limits the abuse attainable.

Accountability

Another salient feature of the Data Privacy Act is the accountability it confers on personal information controllers who choose to subcontract their processing of personal information[18]. It requires the controllers to ensure that their subcontractors adhere strictly to the safeguards placed for the protection of the private information, and makes the personal information controllers themselves responsible for the lapses and mistakes of their subcontractors, preventing them from “washing their hands” of the affair if something goes wrong. The principle of Respondeat Superior comes to mind.

Rights of Data Subjects

The most substantive feature of Republic Act 10173, though, is the drafting of the Rights of the Data Subject[19]. The express provision establishing the rights of individuals who have their personal information processed gives them a definite ground for legal controversy if ever a data controller or processor misuses their information, since they can invoke not only a violation of their constitutional rights but also substantive rights under the Data Privacy Act, reinforcing their claim. The first right is the right of the data subject to be informed when their personal information is being processed. This gives them feedback on the status of their information and is very relevant to the future state of the ID scheme, since the data subjects have a right to know whether their information is being processed already. The second right enumerates the system of processing, including mainly the purposes for which the information is being processed, the recipients of the disclosed information, the contact details of the personal information controller, and the period of storage, among others. This mainly addresses the protocol these processors have to follow, and the details needed for the data subject to gain feedback. The third right gives data subjects the right to dispute inaccuracies or errors in personal information being processed. These rights give Filipinos a reasonable and legitimate expectation of privacy when it comes to their personal and sensitive information.

The interpretation of this statute will always be in favor of the rights of the data subject.

The National Privacy Commission

The scope of the National Privacy Commission (NPC) is to implement the provisions of the Data Privacy Act and to ensure compliance of the country with international standards of data protection. Furthermore, it is tasked to be the quasi-judicial body that administers complaints and punishments for violations of RA 10173. One of the requirements is that it police other government agencies so that they strictly comply with the parameters set herein. It can also recommend to the legislature amendments or new laws to help enforce data privacy. Lastly, it can recommend to the Department of Justice the imposition of penalties for violators of the act. Several possible violations are defined in Sections 25 to 33 of the law, with fines from P 500,000 to a maximum of P 2,000,000.

Once there is a national identification card scheme proposal, the NPC will be the watchdog for the personal data controllers who will be contracted to process the sensitive information of the Filipinos. This means there is now a tangible and specific government agency to arbitrate violations of privacy that may arise in the course of the ID scheme implementation.

Conclusion: The National Identification Card System

The pitfalls of Administrative Order 308, as covered in the Ople v. Torres case, are remedied by the rights and standards defined under Republic Act 10173 or the Data Privacy Act. What this means for the Philippines and the Filipino people is that there can now be a national ID system that does not smack of Orwellian fears but a system that has clear and well-defined parameters for the security and safety of the private information of the Filipinos. There is now a specific government agency that handles violations of private information, and legitimate rights for the privacy of information. Hence, the Philippines can now be ushered into a future wherein their private information is well protected and there is no fear of a National ID system that can be misused by unscrupulous government officials. The Data Privacy Act is the jumping board for a new and well-protected ID system for the country.

[1] November 2006, BBC News. “Britain is ‘Surveillance Society’” Available at: http://news.bbc.co.uk/2/hi/uk_news/6108496.stm

[2] May 2006, ABC News. “Government monitoring about 200 M Americans’ Calls” Available at: http://abcnews.go.com/GMA/story?id=1948927&page=1#.UYYEoqIzN_d

[4] Blas F. Ople v. Ruben D. Torres, G.R. 127685, July 23, 1998. http://sc.judiciary.gov.ph/jurisprudence/1998/jul1998/127685.htm

[5] Id.

[6] Roe v. Wade 410 US 113, 35 L Ed 2d 147, 93 S Ct 705 (1973)

[7] Supra

[8] May 2010, BBC News. “Identity cards scheme will be axed ‘within 100 days’” Available at: http://news.bbc.co.uk/2/hi/uk_news/politics/8707355.stm

[9] An Act Protecting Individual Personal Information In Information And Communications Systems In The Government And The Private Sector, Creating For This Purpose A National Privacy Commission, And For Other Purposes, Republic Act No. 10173 (2011)

[10] It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. (Republic Act 10173, Section 2)

[11] RA 10173, Section 3(g)

[12] Republic Act 1405

[13] Republic Act 6426

[14] Republic Act 9510

[15] Ople v. Torres

[16] RA 10173, Section 11 (a)

[17] RA 10173, Section 11 (e)

[18] RA 10173, Section 14

[19] RA 10173, Section 16

 

DISCLAIMER: Law Student’s Opinion ONLY.
