“Cuatela” (The Latin Term for security or caution)
“Computer”
is defined as any device or apparatus which, by electronic, electro-mechanical,
or magnetic impulse, or by other means is capable of receiving, recording,
transmitting, storing, processing, retrieving, or producing information, data,
figures, symbols or other modes of written expression according to mathematical
and logical rules or of performing any one or more of these functions[1].
This is the legal definition which our lawmakers provide for as an emphasis for
the word “computer”.
However, computer, a term which I first encountered almost two decades ago, back then,
what it was to me was a box type object and its color was white with a little bit of red
and it had two controllers with it. Before I knew that it was called a “family
computer”, to me, that was the only computer I knew, along with the machine
which you put in one peso coin every five minutes in order to finish your game.
With this in mind, one may point out in an instance that I didn’t grow up in
urbanized scenery. Well, such statement is true. In the town where I grew up,
Lupon, Davao Oriental, everything that comes out in a machine, most especially
video games, we call them computer. There were even computers in our town which
were apprehended for gambling. These computers were called “video karera”.
These were the concepts I have of what a computer was when I was in grade
school.
When I was in 5th grade, the first computer shop in our town was opened.
The first time I entered the place, I felt like I was really out of place. As
my friends enthusiastically lined up to play “red alert”, I on the other hand
was quick enough to reach for the door and head home. The very thing in my mind
after going out the door was “we’ll be having computer class in high school
anyway”. True enough, for the next two years, I never bothered to learn how to
play games in the computer nor exerted effort to learn how to use one. However,
when Play Station 1 was brought to our town, as far as I can remember, it was
the first computer that my hands held.
Then came
freshman year in high school, finally, I can get my hands on a computer, a
desktop computer. The first exercise that we did was to practice how to type.
We had a lot of notes for that class but I can barely remember. However, there
was one thing that our teacher required for us, his students, to obtain; a
diskette. A diskette which was a storage for the files we made in accordance
with the exercises provided for in our subject. As I recall the words uttered
by my teacher in computer class “the diskette is for safe keeping”. During that
time, our activities were plainly computer subject related and it was only
about 2002 that I first encountered the internet.
The
internet was introduced to me in a very unusual way. I was in the computer
laboratory of the school where my father used to teach in Davao City. The
“internet explorer” was the only browser available back then, and I, coming
from the province, having no idea on what internet was, began clicking on
whatever that was appearing on screen. As I was going on clicking and clicking,
I ended up being on a pornography site. I was caught by the in-charge, and like
what I did when the first computer shop opened in our town, I quickly headed to
the door and went out. However, as time went by, I learned how to use the
internet with proper guidance, and managed to create my very first social
networking page in Friendster.
Like all social networking sites that we have today, from Facebook, Twitter, and
Instagram; Friendster also requires its members to sign up and input all
necessary information about an individual wanting or eager to be a member of
this new thing that people around you can’t stop mumbling about. However, in
every innovation that we make, along with it are risks which when made, were
not foreseeable. Little by little, these risks have started to come out like
mushrooms. The most blatant issue is that, in these social networking sites,
identity fraud is rampant and extensive. Not only this, but hackers are all
over, people you don’t know get hold of your personal information and
sometimes use such to defraud people. With this, the vulnerability of your personal
information is at stake. The perils which attach to your person in the event
that you sign up in social networking sites are relatively high.
While it is true that technology makes people’s lives easier and it also provides for
an avenue which gives comfort to the community without the traditional way of
physically interacting with the people, in various instances, people have
bypassed the possibility that there are risks attached to their person in their
dealings in these avenues such as the social media networks. It seems like,
because of the adaptation of all these technological innovations, privacy, a
paramount right that each individual shall enjoy, is on the verge of
disturbance.
Despite
all the pessimisms attached to technological innovation, not just in social
networking sites but the advancement of our government, labor, security system
and many more, our Constitution provides that: Science and technology are essential for national development
and progress. The State shall give priority to research and development,
invention, innovation, and their utilization; and to science and technology
education, training, and services. It shall support indigenous, appropriate,
and self-reliant scientific and technological capabilities, and their
application to the country’s productive systems and national life.[2]
It further affords that: The State shall regulate the transfer and promote the
adaptation of technology from all sources for the national benefit. It shall
encourage the widest participation of private groups, local governments, and community-based
organizations in the generation and utilization of science and technology.[3]
As such, technological innovation is one
ingredient that our leaders have lobbied to the people as one of the tools for
development in our country. The need for a centralized electronic database for
national organizations and in government-owned and controlled corporations is a
vision that each Filipino has dreamt of in order to have an organized system
and free from the time consuming queuing in government offices. However, with
this in mind, the issue present in this case is: whether or not people are
secured in their persons in providing these offices or organizations their
personal information which may be detrimental to their life, liberty or
property.
The solution that our lawmakers provide for in
this kind of dilemma is the enactment of Republic Act No. 10173 otherwise known
as the “Data Privacy Act of 2012”. Under this law which provides that: It is
the policy of the State to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote innovation and
growth. The State recognizes the vital role of information and communications
technology in nation-building and its inherent obligation to ensure that
personal information in information and communications systems in the
government and in the private sector are secured and protected.[4]
While such is in accordance with the Article III, section 3 of the 1987
Philippine Constitution which provides that: (1) The privacy of communication
and correspondence shall be inviolable except upon lawful order of the court,
or when public safety and security or order requires otherwise, as prescribed
by law. (2) Any evidence obtained in violation of this or the preceding section
shall be inadmissible for any purpose in any proceeding.[5]
As mentioned above, privacy is a paramount right that each individual enjoys
and exhausts. And with respect to the combined efforts and power invested by the
executive department and the legislative department for privacy to be enjoyed
by the citizens to the fullest, the precautions set forth are not free from any
loopholes.
The Republic Act No. 10173 or the “Data Privacy
Act of 2012” provides that: This Act applies to the processing of all types of
personal information and to any natural and juridical person involved in
personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those who
maintain an office, branch or agency in the Philippines subject to the
immediately succeeding paragraph: Provided, That the requirements of
Section 5 are complied with.[6]
With this, it is evident to state that the scope wherein which the area of responsibility
of this law plays, although it has undergone a thorough study, may still cause
damage to an individual.
For instance, under Section 11. General Data Privacy Principles. – The processing of personal
information shall be allowed, subject to compliance with the requirements of
this Act and other laws allowing disclosure of information to the public and
adherence to the principles of transparency, legitimate purpose and
proportionality.
Personal information must be:
xxxxxx
(e) Retained only for as long as
necessary for the fulfillment of the purposes for which the data was obtained
or for the establishment, exercise or defense of legal claims, or for
legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification
of data subjects for no longer than is necessary for the purposes for which the
data were collected and processed: Provided, That personal information
collected for other purposes may be processed for historical, statistical or
scientific purposes, and in cases laid down in law may be stored for longer
periods: Provided, further, That adequate safeguards are
guaranteed by said laws authorizing their processing.
The personal information controller must
ensure implementation of personal information processing principles set out
herein.[7]
Now, the problem herein as one may
point out is the use of the word “necessary”. The use of the word “necessary”
may be subject to abuse. Although in the legal point of view, as used in jurisprudence, the word “necessary” does not always
import an absolute physical necessity, so strong that one thing, to which another
may be termed “necessary” cannot exist without that other. It frequently
imports no more than that one thing is convenient or useful or essential to
another. To employ the means necessary to an end is generally understood as
employing any means calculated to produce the end, and not as being confined to
those single means without which the end would be entirely unattainable.[8]
However, in a cultural point of view, wherein which delaying tactics or the
practice of deferring is so rampant, the employment of means calculated to produce
the end is somewhat vague.
In my opinion, to mix vagueness when
a person’s life, liberty or property is at stake may be construed as a peril to
one’s right to privacy. Indicating a specific timeline for holding personal
information in achieving or fulfilling a specific end or purpose will not
defeat the entire logic of establishing a point or defense, as the case may be.
The absence of a specific timeline for retention of data may prejudice the
individual that is subject of that precise action. To reiterate, privacy, is a
paramount right that each individual must enjoy or exhaust. And having a law
which provides vagueness or general and not specific, especially when personal
information relating to one’s privacy is at stake must be given attention.
Another part of the Republic Act No.
10173 or the “Data Privacy Act of 2012” which may be subject to misuse and
manipulation can be seen under section 14 which provides that: SEC. 14. Subcontract of Personal
Information. – A personal information controller may subcontract the
processing of personal information: Provided, That
the personal information controller shall be responsible for ensuring that
proper safeguards are in place to ensure the confidentiality of the personal
information processed, prevent its use for unauthorized purposes, and
generally, comply with the requirements of this Act and other laws for
processing of personal information. The personal information processor shall
comply with all the requirements of this Act and other applicable laws.[9]
Although this law provides for the proper guidelines on
how to properly operate as a personal information controller or a person or organization who controls
the collection, holding, processing or use of personal information, including a
person or organization who instructs another person or organization to collect,
hold, process, use, transfer or disclose personal information on his or her
behalf. The term excludes: (1) A person or organization who performs such
functions as instructed by another person or organization; and (2) An
individual who collects, holds, processes or uses personal information in
connection with the individual’s personal, family or household affairs.[10] Subcontracting is an area
in which violation of one’s privacy may be neglected.
In my own personal point of view, the
abuse in this case may come from the personnel tasked to determine a specific
function of gathering personal information into the system. These personnel may
obtain the technical formula of generating personal information on a database
and presumably they’re the ones providing for its generation and security. With
this in mind, one must be mindful of the risks and perils that are attached to
it. One thing that comes to mind with regard to this topic is that, in
subcontracting, the personnel employed by the subcontractor are not in the
reach of power that the principal has once these personnel are released from
being under the subcontractor or in instances of termination of contract or the
severance of relationship between the subcontractor and its personnel. Meaning,
when they no longer have ties with the subcontractor, it is easy for them
to disseminate information regarding the storage of data, its functions and
security. While it is true that Republic Act No. 10173 or the “Data Privacy Act
of 2012” provides for penalties in case of breach, it is however an inadequate
precaution for one’s privacy.
In my personal opinion, each office
or organization which provides or gathers personal information into a database
must have an adequate number of people that are knowledgeable and capable to
operate as personal information controller. To remove the subcontractor in the
picture and to make the dealings between the person subject of the data
information and the office or organization in need of such data processing
direct, it would somehow minimize the chances of abuse, misuse and manipulation
which may affect a person’s privacy, life, liberty or property as the case may
be.
Lastly, under section 20 of this Act
which provides that: SEC. 20. Security
of Personal Information. –
(a) The personal information controller must implement reasonable and
appropriate organizational, physical and technical measures intended for the
protection of personal information against any accidental or unlawful
destruction, alteration and disclosure, as well as against any other unlawful
processing.
(b) The personal information controller
shall implement reasonable and appropriate measures to protect personal
information against natural dangers such as accidental loss or destruction, and
human dangers such as unlawful access, fraudulent misuse, unlawful destruction,
alteration and contamination.
(c) The determination of the appropriate
level of security under this section must take into account the nature of the
personal information to be protected, the risks represented by the processing,
the size of the organization and complexity of its operations, current data
privacy best practices and the cost of security implementation. Subject to
guidelines as the Commission may issue from time to time, the measures
implemented must include:
(1) Safeguards to protect its computer
network against accidental, unlawful or unauthorized usage or interference with
or hindering of their functioning or availability; (2) A security policy with
respect to the processing of personal information; (3) A process for
identifying and accessing reasonably foreseeable vulnerabilities in its
computer networks, and for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach; and (4) Regular
monitoring for security breaches and a process for taking preventive,
corrective and mitigating action against security incidents that can lead to a
security breach.
(d) The personal information controller
must further ensure that third parties processing personal information on its
behalf shall implement the security measures required by this provision.
(e) The employees, agents or
representatives of a personal information controller who are involved in the
processing of personal information shall operate and hold personal information
under strict confidentiality if the personal information are not intended for
public disclosure. This obligation shall continue even after leaving the public
service, transfer to another position or upon termination of employment or
contractual relations.
(f) The personal information controller
shall promptly notify the Commission and affected data subjects when sensitive
personal information or other information that may, under the circumstances, be
used to enable identity fraud are reasonably believed to have been acquired by
an unauthorized person, and the personal information controller or the
Commission believes that such unauthorized acquisition is likely to give rise
to a real risk of serious harm to any affected data subject. The notification
shall at least describe the nature of the breach, the sensitive personal
information possibly involved, and the measures taken by the entity to address
the breach. Notification may be delayed only to the extent necessary to
determine the scope of the breach, to prevent further disclosures, or to
restore reasonable integrity to the information and communications system. (1)
In evaluating if notification is unwarranted, the Commission may take into
account compliance by the personal information controller with this section and
existence of good faith in the acquisition of personal information. (2) The
Commission may exempt a personal information controller from notification
where, in its reasonable judgment, such notification would not be in the public
interest or in the interests of the affected data subjects. (3) The Commission
may authorize postponement of notification where it may hinder the progress of
a criminal investigation related to a serious breach.[11]
The problem in this area is somewhat
similar to that of the loophole discussed under section 14. However, what must
be focused on under this is the determination of setting up appropriate levels
of security to defeat the evil minds of those who felt that they have been
unlawfully separated. Unlike in section 14, where the problem is on the part
of the subcontractor, herein, the issue is with regard to the knowledge of the
personnel tasked to become a personal information controller in the instance of
unlawful termination. The issue here is whether or not the security set up for
such data is sufficient as to defeat the minds of the people who set them up.
In my opinion, it is important to create a general system for all which
protects the database gathered with a daily updated security system to avoid
conflicts against those personnel who have bid goodbye to their job either in a
lawful or unlawful way. With all of these issues pointed out, in my own
personal judgement, the data information system, along with the strengthened
“Data Privacy Act”, privacy, as one of the paramount rights which an individual
ought to enjoy and exhaust, may be properly afforded.
Rufino Samuel R. Mantos III
2012-0596
Atty. Berne Guerrero