Posted on

Will RA 10173 provide sufficient mechanism to the introduction of a National ID System in the Philippines without constitutional issues that have arisen in the case of Ople vs Torres?

 

Introduction

In passing upon the matter, we ought to understand the meaning of right to privacy. The word privacy denotes the quality or state of being apart from company or observation.[1] In other words, it means secrecy or seclusion. In simple words, it is doing things without others watching or observing or intercepting. There are things you want to do alone although not necessarily illicit. Doing private affairs at home without someone peeping; keeping your private records without someone spying; and making private phone calls without interception are examples of them.

As a right, it is the freedom of unauthorized intrusion.[2] As enunciated in a settled jurisprudence, right to privacy is a right protected by the Constitution and other laws. Indeed, if we extend our judicial gaze we will find that the right of privacy is recognized and enshrined in several provisions of our Constitution. It is expressly recognized in Section 3(1) of the Bill of Rights:

Sec. 3. (1) The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.”

Other facets of the right to privacy are protected in various provisions of the Bill of Rights, viz

Sec. 1. No person shall be deprived of life, liberty, or property without due process of law, nor shall any person be denied the equal protection of the laws.

Sec. 2. The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.

x                                       x                                       x.

Sec. 6. The liberty of abode and of changing the same within the limits prescribed by law shall not be impaired except upon lawful order of the court. Neither shall the right to travel be impaired except in the interest of national security, public safety, or public health, as may be provided by law.

x                                       x                                       x.

Sec. 8. The right of the people, including those employed in the public and private sectors, to form unions, associations, or societies for purposes not contrary to law shall not be abridged.

Sec. 17. No person shall be compelled to be a witness against himself.”

Zones of privacy are likewise recognized and protected in our laws. The Civil Code provides that “[e]very person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons” and punishes as actionable torts several acts by a person of meddling and prying into the privacy of another. It also holds a public officer or employee or any private individual liable for damages for any violation of the rights and liberties of another person, and recognizes the privacy of letters and other private communications. The Revised Penal Code makes a crime the violation of secrets by an officer, the revelation of trade and industrial secrets, and trespass to dwelling. Invasion of privacy is an offense in special laws like the Anti-Wiretapping Law, the Secrecy of Bank Deposit Act and the Intellectual Property Code. The Rules of Court on privileged communication likewise recognize the privacy of certain information. [Emphasisprovided][3]

As shown by the aforementioned laws, it cannot be denied that right to privacy is well recognized and protected in the Philippines. However, right to privacy is not absolute. There are certain incursions and intrusions in the said right in circumstances where the greater good of the public takes precedence. As discussed in a settled jurisprudence, the right of privacy or “the right to be let alone,” like the right of free expression, is not an absolute right. A limited intrusion into a person’s privacy has long been regarded as permissible where that person is a public figure and the information sought to be elicited from him or to be published about him constitute of a public character. Succinctly put, the right of privacy cannot be invoked resist publication and dissemination of matters of public interest. The interest sought to be protected by the right of privacy is the right to be free from unwarranted publicity, from the wrongful publicizing of the private affairs and activities of an individual which are outside the realm of legitimate public concern. [4]

The National Identification System and Its Constitutional Infirmity

Having understood the intricacies of the right of the privacy, we now look at the constitutional issue undertaken in the case of Ople v. Torres which is relevant in the discussion. In the said case, A.O. No. 308, otherwise known as the Adoption of a National Computerized Identification Reference System, was struck down for being intrusive of the right to privacy. Firstly, the administrative order is widely drawn because A.O. No. 308 does not state what specific biological characteristics and what particular biometrics technology shall be used to identify people who will seek its coverage. Moreover, it does not state whether encoding of data is limited to biological information alone for identification purposes. In short, it does not define the scope to what extent the retrieval, storage or encoding of information will be; it does not provide for the person who has the right to access them; and it is vague and indefinite as to what purposes the information will be used or processed.  Secondly, the compelling interests provided in said order do not justify the intrusion. The objects of the law are to foster efficiency in using the basic services provided by the government and to prevent fraudulent transactions and misrepresentations by persons seeking services. But notwithstanding the good intentions of the said order, there arise a potential for misuse of data or information gathered from the public which greatly threatens their right to privacy. And finally, there are no proper safeguards and well defined standards to prevent unconstitutional invasions. It does not provide for control measures to prevent manipulation, lost or leakage of information. Also, there are no penalties or sanctions for unlawful use or access or unauthorized disclosure of information gathered.

Data Privacy Act of 2012

In answering the standing issue, it is also necessary to understand the subtleties of RA 10173 otherwise known as Data Privacy Act of 2012. The act was signed into law by President Benigno Aquino, Jr. on August 15, 2012. The very purpose of which is data protection. In line with this purpose, the National Privacy was established to administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection. Protection is not only extended to the personal information the individual has or possesses but also to the legitimate interests of third parties who will be adversely affected by concealment or nondisclosure of that information.

According to RA 10173, personal information is defined as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Chapter III of the said law provides for the guidelines in processing the personal information. Some of the important sections of the chapter are as follows:

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must, be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided,That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further,That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.[5]

From the abovementioned provisions, we can infer that the gathering and processing of information will not be arbitrary because the law itself provides for the proper manner how the information will be collected, handled and used taking into consideration the fundamental rights and freedom of an individual under the Constitution. Aside from that, information will not be gathered unless an individual consents to it or if it for legitimate purpose only. Hence, these particular sections define the limits when the law shall apply, a problem not so addressed by A.O. 308.

Likewise, Chapter IV RA 10173 provides for the rights of the data subject. Primarily, he would be able to know the personal information gathered pertaining to him before entry or next practical opportunity. He has the right to access them upon demand and correct it in case of error or inaccuracy. He also has the right  to suspend, withdraw or order the removal of personal information pertaining to him if they are incomplete, false, used for unauthorized purposes or no longer necessary for purposes they are obtained. Lastly, he has the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

By providing these set of rights, a data subject has been given assurance that the information gathered will be transparent. He would not be ignorant as to what personal information pertaining to him was gathered, how his personal information will be used and for what purpose. He could also verify the correctness of data encoded and be able to rectify it in case erroneous. In case of false, incomplete or unlawful processing of personal information, he can ask for its removal or destruction. And when damage was sustained, he has the recourse to the courts for indemnification.

Chapter V, VI, VII and VIII of the said law provides for the protection and control of personal information collected and penalties in case of violation.  These chapters aim to secure and safeguard personal information that has already been gathered to prevent them from being unlawfully destroyed, modified, disclosed or used for purposes other than those authorized. Another purpose is to easily pinpoint who will be responsible for them in case of unlawful destruction, alteration, disclosure or other unlawful processing that is the personal information controller. As an added protection, penalties were provided to punish persons who violate the protection afforded by the same law. These things guarantee the privacy and integrity of personal information, the kind of protection not afforded by A.O. 308.

Conclusion

Having addressed the problems that had arisen in A.O. 308 by R.A. 10173, particularly its being overly broad and its lack of security, the big question now is whether or not this is enough to pave way to the introduction of a National ID System in the Philippines?

Ideally, yes it would provide sufficient mechanism to the introduction of a National ID System without constitutional infirmity. Firstly, personal information will only be collected and processed for unequivocally specified purposes and/or for a certain period only. Secondly, there are certain conditions before processing of personal information. Thirdly, only authorized persons are allowed to access the personal information. Fourthly, there are security measures to protect personal information from natural and human dangers. Lastly, penalties are provided to deter those attempting to violate the act and punish those who violated its provisions. If the foregoing is implemented effectively, transparency, integrity and security of personal information will be maintained. Hence, the National ID System contemplated in A.O. 308 could be very well effected as intrusion to right to privacy is justified.

However, practically speaking, I believe that there will be some problems regarding the implementation of RA 10173. This may be the reason why the release of its implementing rules and regulations was delayed. Considering the system and measures needed to protect the vast amount of personal information collected and will be collected nationwide, not only by the government but also by the private sector, it would be difficult to carry out.

Aside from the possible problems on implementation, there are also certain provisions in RA 10173 that needs refining. One of those is the penalty provided for accessing personal information or sensitive personal information due to negligence. In case of personal information, the penalty is imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00). In case sensitive personal information, the penalty is imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00).

I think the punishment provided is not commensurate to the violation. For example, an employee A was designated by his employer as the personal information controller. Hence, he is the only employee allowed to access the personal information of their clients. However, employee B, a colleague of employee A, was allowed by the latter to use his computer as the former wasn’t able to access the internet and send an email to a certain client using the computer issued to him. Due to carelessness, employee B inadvertently clicked the tab function which contains personal information of a client. As a consequence, he was able to see the personal information of a certain client although not authorized to access it. Would employee B be penalized for accessing personal information due to negligence? Would he be imprisoned for 1 to 3 years and pay a fine ranging from Php500,000 to P4,000,000? I think he should not be so penalized. It will be too harsh for punishing him in doing just that. Maybe reduction of penalty provided for by the law for accessing personal or sensitive personal information due to negligence is warranted.

Other than that, I also have questions regarding the scope and extent of the law. Some of them are the following:

  1. Would the social networking sites like twitter, facebook, instagram, tumbler etc. be considered personal information controllers upon the registration of an internet user?
  2. Is putting personal information in these social networking sites be considered implied consent? If yes, are third persons allowed to use the said information for their personal interests?
  3. Would the personal information stored and transferred through mobile phones, tablets and other similar devices covered by the law?
  4. Would the companies that advertise through unsolicited emails, calls and/or text messaging, be punished under the said law?

Assuming that RA 10173 will have some problems, to a greater degree that the introduction of a National ID System will be difficult. Further, we cannot be so sure whether the information gathered from the public, through the National ID System, will be used by the government for “legitimate purposes only”. Considering how vital the personal information to be gathered, there is still a big potential for misuse of data.

Irrefutably, I have so many questions and doubts on the law but I still have high hopes for it. Maybe the Implementing Rules and Regulations of R.A. 10173 would make it clear how the whole concept would be successfully put into practical application. Not until the release of the IRR can we actually conclude if RA 10173 would be a perfect complement for the introduction of a National ID System.

Bibliography

Ayer Productions vs. Capulong, G.R. No. 82380 (Supreme Court of the Philippines April 29, 1988).

Webster’s Ninth New Collegiate Dictionary. (1988). Springfield, Massachusetts, U.S.A.: Merriam-Webster Inc.

Ople vs. Torres, G.R. No. 127685 (Supreme Court of the Philippines July 23, 1998).

R.A. 10173, Section 11-13, August 15, 2012

Disclaimer: I am neither a lawyer nor pretending to be one. This article is created because it is one of the requirements in my Technology and the Law course.


[1] (Webster’s Ninth New Collegiate Dictionary, 1988)
[2] Ibid.
[3] (Ople vs. Torres, 1998)
[4] (Ayer Productions vs. Capulong, 1988)
[5]  Section 11-13, R.A. 10173, 2012

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s