WHEN visiting a building or establishment, don’t let the security guard keep your ID containing sensitive personal information.
The National Privacy Commission has issued a circular to ensure that people’s sensitive personal information remain protected when put in the hands of security personnel.
Authorities constantly warn people to protect their personal data as these sensitive information could be used to defraud them.
But these data are easily found in their ID cards, such as driver’s licenses, that they sometimes have to hand over to security guards when entering a facility.
Keep your ID with you
In the December 2022 circular, the NPC said private security agencies and security guards cannot be directed to keep “ID cards containing sensitive personal information.”
The security agencies and guards also cannot record, copy, or otherwise collect sensitive information to determine the identity of an individual. These include the date of birth, the numbers of government-issued IDs, and images of government-issued IDs, the NPC said.
But personal information controllers (PIC), or those hiring the security agencies and security guards, may instruct them to “visually examine a government-issued ID within a reasonable time.” But they must explain to the owner the need to process sensitive personal information.
The security personnel cannot keep the government-issued IDs as well.
In some instances, customers and visitors provide their personal information in logbooks and other forms. The NPC said the security agencies and security guards should ensure that unauthorized persons cannot see or access these to prevent the unlawful processing of these data.
The security agencies and security guards must implement measures to maintain the integrity and confidentiality of any personal data they process, it said.
They must likewise protect these data against accidental or unlawful disclosure, alteration, access, and fraudulent misuse, it added.
Privacy notice, protection
The NPC said private information controllers should come up with a privacy notice in clear and plain language. They must explain the purpose of any collection of personal data.
They must also explain how they protect these data, it said.
The PICs must enter into contracts or other means to guarantee the confidentiality and integrity of personal data and to prevent their use for unauthorized purposes, it added.
“PICs shall ensure that a Subcontracting Agreement or Service Agreement is executed with [private security agencies] prior to any personal data processing activity,” it said.
Violation of the NPC circular will be penalized pursuant to the provisions of the Data Privacy Act and related issuances.
What is the NPC?
The NPC serves as the privacy watchdog of the country. It is an independent body mandated to administer and implement the Data Privacy Act of 2012.
It is also in charge of ensuring the country’s compliance with international standards set for data protection.
Data Privacy Act
Republic Act 10173, or the Data Privacy Act, makes it the policy of the state to protect the fundamental human right of privacy and of communication while ensuring free flow of information to promote innovation and growth.
It states that personal information in information and communications systems in the government and in the private sector must be secured and protected.