Resuscitating the economy is one of the country’s key priorities now. Hence, the government is currently implementing measures to allow the operations of specific business sectors, subject to guidelines on contact tracing and other government interventions against COVID-19.
Recently, the Department of Trade and Industry (DTI) released Memorandum Circular (MC) 20-28 s. 2020, which provides the minimum health protocols for barber shops and salons, as well as MC 20-37 s. 2020, which provides the minimum health protocols for dine-in restaurants and fast-food establishments. In both circulars, establishments have to collect and retain data from customers and visitors for contact tracing purposes.
As a rule, processing all types of personal information comes within the purview of the Data Privacy Act. Hence, establishments should always follow the general principles of transparency, legitimate purpose, proportionality and other vital provisions in law when collecting personal information.
Here are some reminders and best practices that establishments may adopt to ensure the proper handling and protection of the data of their customers and visitors.
Collect the minimum necessary
Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such information as required under existing government issuances.
Establishments may adopt sample health checklist forms issued by government agencies, but should not collect beyond what is needed and necessary.
Establishments should inform their customers and visitors that their data will be collected and the reasons for such collection. They may post a privacy notice that is readily visible within the premises, such as entry points and other conspicuous areas. If the establishment opts to use electronic means, the notification must be posted on the platform before collection.
Establishments may direct their customers and visitors to their official websites or social media pages and official websites of appropriate government agencies to provide them with information on the possible uses of their data for contact tracing purposes.
Establishments must ensure that the privacy notice is easy to access, understandable and uses clear and plain language.
Use the information only for the declared purpose
All establishments should only use the personal data collected through health checklists or other similar forms for contact tracing measures. Repurposing the use of data other than contact tracing and storing data for speculative use is not allowed.
Establishments are responsible for reminding their staff or employees, as well as third-party service providers, i.e., security staff, etc. Using the collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012.
Implement security measures
All establishments that collect personal information, whether through physical or electronic means, should implement reasonable and appropriate safeguards to protect their customers’ data to prevent accidents or unlawful processing, alteration, disclosure and destruction.
Data should be kept only for a limited period
All personal data collected for contact tracing shall be retained for a limited period allowed by existing government issuances. After this, all personal data should be disposed of securely to prevent further processing or unauthorized access or disclosure.
Check the National Privacy Commission website at www.privacy.gov.ph. for the complete guidance.