Tuesday, May 6, 2014


(The Latin Term for security or caution)

            “Computer” is defined as any device or apparatus which, by electronic, electro-mechanical, or magnetic impulse, or by other means is capable of receiving, recording, transmitting, storing, processing, retrieving, or producing information, data, figures, symbols or other modes of written expression according to mathematical and logical rules or of performing any one or more of these functions[1]. This is the legal definition which our lawmakers provide for as an emphasis for the word “computer”.
However, computer, a term which I first encountered almost two decades ago, back then, what it was to me was a box type object and  its color was white with a little bit of red and it has two controllers with it. Before I knew that it was called a “family computer”, to me, that was the only computer I know, along with the machine which you put in one peso coin every five minutes in order to finish your game. With this in mind, one may point out in an instance that I didn’t grow up in urbanized scenery. Well, such statement is true. In the town where I grew up, Lupon, Davao Oriental, everything that comes out in a machine, most especially video games, we call them computer. There were even computers in our town which were apprehended for gambling. These computers were called “video karera”. These were the concepts I have of what a computer was when I was in grade school.
When I was in 5th grade, the first computer shop in our town was opened. The first time I entered the place, I felt like I was really out of place. As my friends enthusiastically line up to play “red alert”, I on the other hand was quick enough to reach for the door and head home. The very thing in my mind after going out the door was “we’ll be having computer class in high school anyway”. True enough, for the next two years, I never bothered to learn how to play games in the computer nor exerted effort to learn how to use one. However, when Play Station 1 was brought to our town, as far as I can remember, it was the first computer that my hands held.
Then came freshman year in high school, finally, I can get my hands on a computer, a desktop computer. The first exercise that we did was to practice how to type. We had a lot of notes for that class but I can barely remember. However, there was one thing that our teacher required for us, his students, to obtain; a diskette. A diskette which was a storage for the files we made in accordance with the exercises provided for in our subject. As I recall the words uttered by my teacher in computer class “the diskette is for safe keeping”. During that time, our activities were plainly computer subject related and it was only about 2002 which I first encountered the internet.
The internet was introduced to me in a very unusual way. I was in the computer laboratory of the school where my father used to teach in Davao City. The “internet explorer” was the only browser available back then, and I, coming from the province, having no idea on what internet was, began clicking on whatever that was appearing on screen. As I was going on clicking and clicking, I ended up being on a pornography site. I was caught by the in-charge, and like what I did when the first computer shop opened in our town, I quickly headed to the door and went out. However, as the time goes by, I learned how to use the internet, with proper guidance and managed to create my very first social networking page in Friendster.
Like all social networking sites the we have today, from Facebook, Twitter, and Instagram; Friendster, also require its members to sign up and input all necessary information about an individual wanting or eager to be a member of this new thing that people around you can’t stop mumbling about. However, in every innovation that we make, along with it are risks which when made, were not foreseeable. Little by little, these risks have started to come out like mushrooms. The most blatant issue is that, in these social networking sites, identity fraud is rampant and extensive. Not only this, but hackers are all over, people you don’t know gets hold of your personal information and sometimes using such to defraud people. With this, the vulnerability of your personal information is at stake. The perils which attach to your person in the event that you sign up in social networking sites are relatively high.

            While it is true that technology makes people’s lives easier and it also provides for an avenue which gives comfort to the community without the traditional way of physically interacting with the people. In various instances, people, have by passed the possibility that there are risks attached in their person in their dealings in these avenue such as the social media networks. It seems like, because of the adaptation of all these technological innovation, privacy, a paramount right that each individual shall enjoy in on the verge of disturbance.  
Despite all the pessimisms attached to technological innovation, not just in social networking sites but the advancement of our government, labor, security system and many more , our Constitution provides that: Science and technology are essential for national development and progress. The State shall give priority to research and development, invention, innovation, and their utilization; and to science and technology education, training, and services. It shall support indigenous, appropriate, and self-reliant scientific and technological capabilities, and their application to the country’s productive systems and national life.[2] It further affords that: The State shall regulate the transfer and promote the adaptation of technology from all sources for the national benefit. It shall encourage the widest participation of private groups, local governments, and community-based organizations in the generation and utilization of science and technology.[3]
As such, technological innovation is one ingredient that our leaders have lobbied to the people as one of the tools for development in our country. The need for a centralized electronic database for national organizations and in government-owned and controlled corporations is a vision that each Filipino has dreamt of in order to have an organized system and free from the time consuming queuing in government offices. However, with this in mind, the issue present in this case is: whether or not people are secured in their persons in providing these offices or organizations their personal information which may be detrimental to their life, liberty or property.
The solution that our lawmakers provide for in this kind of dilemma is the enactment of Republic Act No. 10173 otherwise known as the “Data Privacy Act of 2012”. Under this law which provides that: It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.[4] While such is in accordance with the Article III, section 3 of the 1987 Philippine Constitution which provides that: (1)The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety and security or order requires otherwise, as prescribed by law. (2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding.[5] As mentioned above, that privacy is a paramount right that each individual enjoy and exhaust. And with respect to the combined efforts and power invested by the executive department and the legislative department for privacy to be enjoyed by the citizens to the fullest, the precautions set forth are not free from any loop holes.           
The Republic Act No. 10173 or the “Data Privacy Act of 2012” provides that: This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.[6] With this, it is evident to state that the scope wherein which the area of responsibility of this law plays, although it has undergone a thorough study, may still cause damage to an individual.
For instance, under section. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.
Personal information must, be:
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.[7]
            Now, the problem herein as one may point out is the use of the word “necessary”. The use of the word “necessary” may be subject to abuse. Although in the legal point of view,” as used in jurisprudence, the word “necessary” does not always import an absolute physical necessity, so strong that one thing, to which another may be termed “necessary” cannot exist without that other. It frequently imports no more than that one thing is convenient or useful or essential to another. To employ the means necessary to an end is generally understood as employing any means calculated to produce the end, and not as being confined to those single means without which the end would be entirely unattainable.[8] However, in a cultural point of view, wherein which delaying tactics or the practice of deferring is so rampant, the employment of means calculated to produce the end is somewhat vague.
            In my opinion, to mix vagueness when a person’s life, liberty or property is at stake may be construed as a peril to one’s right to privacy. Indicating a specific timeline for holding personal information in achieving or fulfilling a specific end or purpose will not defeat the entire logic of establishing a point or defense, as the case may be. The absence of a specific timeline for retention of data may prejudice the individual that is subject of that precise action. To reiterate, privacy, is a paramount right that each individual must enjoy or exhaust. And having a law which provides vagueness or general and not specific, especially when personal information relating to one’s privacy is at stake must be given attention.
            Another part of the Republic Act No. 10173 or the “Data Privacy Act of 2012” which may be subject to misuse and manipulation can be seen under section 14 which provides that: SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.[9]
            Although this law provides for the proper guidelines on how to properly operate as a personal information controller or a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes: (1) A person or organization who performs such functions as instructed by another person or organization; and (2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.[10] Subcontracting is an area wherein which violation to one’s privacy may be neglected.
In my own personal point of view, the abuse in this case may come from the personnel tasked to determine a specific function of gathering personal information into the system. These personnel may obtain the technical formula of generating personal information on a database and presumably they’re the ones providing for its generation and security. With this in mind, one must be mindful of the risks and perils that are attached to it. One thing that comes in to mind with regard to this topic is that, in subcontracting, the personnel’s employed by the subcontractor are not in the reach of power that the principal has once these personnel are released from being under the subcontractor or in instances of termination of contract or the severity of relationship between the subcontractor and its personnel. Meanings, when they are no longer have ties with the subcontractor; it is easy for them to disseminate information regarding the storage of data, its functions and security. While it is true that Republic Act No. 10173 or the “Data Privacy Act of 2012” provides for penalties in case of breach, it is however an inadequate precaution for one’s privacy.  
In my personal opinion, each the office or organization which provides or gathers personal information into a database must have adequate number of people that are knowledgeable and capable to operate as personal information controller. To remove the subcontractor in the picture and to make the dealings between the person subject of the data information and the office or organization in need of such data processing direct, it would somehow minimize the chances of abuse, misuse and manipulation which may affect a person’s privacy, life, liberty or property as the case may be.
Lastly, under section 20 of this Act which provides that: SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability; (2) A security policy with respect to the processing of personal information; (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes (bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.[11]
The problem in this area is somewhat similar to that of the loop hole discussed under section 14. However, what must be focused on under this is the determination of setting up appropriate levels of security to defeat the evil minds of those who felt that they have been unlawfully separated. Unlike, in section 14, where the problem is on the part of the subcontractor, herein, the issue is with regard to the knowledge of the personnel tasked to become a personal information controller in the instance of unlawful termination. The issue here is whether or not the security set up for such data is sufficient as to defeat the minds of the people who set them up. In my opinion, it is important to create a general system for all which protects the database gathered with a daily updated security system to avoid conflicts against those personnel who have bid goodbye to their job either in a lawful or unlawful way. With all of these issues pointed out, in my own personal judgement, the data information system, along with the strengthened “Data Privacy Act”, privacy, as one of the paramount rights which an individual is ought to enjoy and exhaust, may be properly afforded. 

Rufino Samuel R. Mantos III
Atty. Berne Guerrero

[1] Republic Act No. 8792, Section 5, b. June 14, 2000
[2] 1987 Philippine Constitution, Article XIV, Section 10.
[3] Ibid, Section 12.
[4] Republic Act No. 10173, Section 2.
[5] 1987 Philippine Constitution, Article III, Section 3.
[6] Republic Act No. 10173, Section 4.
[7] Ibid, Section 11.
[9] Republic Act No. 10173, Section 14.
[10] Ibid, Section 3, h.
[11] Republic Act No. 10173, Section 20.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home