“When information of a privileged character finds its way into the computer, it can be extracted together with other data on the subject. Once extracted, the information is putty in the hands of any person. The end of privacy begins.”
In a time when most transactions being dealt with are technology operated, it gets harder to protect an individual’s right to privacy. The right to privacy, as stated in the case of Ople vs Torres, is the right to be let alone. But with technology highly progressing time after time, most people have no clue on how it can be detrimental to their persona in such a way that others can have access to their personal information and thus use it against them.
The right to privacy is not expressly written in the Philippine Constitution. However, Justice Harlan II, explained in the case of Poe vs Ullman that “the full scope of the liberty guaranteed by the Due Process Clause cannot be found in or limited by the precise terms of the specific guarantees elsewhere provided in the Constitution. This ‘liberty’ is not a series of isolated points pricked out in terms of the taking of property; the freedom of speech, press, and religion; the right to keep and bear arms; the freedom from unreasonable searches and seizures; and so on. It is a rational continuum which, broadly speaking, includes a freedom from all substantial arbitrary impositions and purposeless restraints.” On the basis of Harlan II’s conclusion, the Right to Privacy is recognized and enshrined in several provisions of the Philippine Constitution, specifically in the Bill of Rights which provides for the privacy of communication and correspondence, the right to life, liberty and property, the right against unreasonable searches and seizures, the liberty of abode, etc. That being stated, the Right to privacy is accorded full protection and respect. Any violation thereof has corresponding punishment under the law.
In 1996, Administrative Order No. 308 entitled “Adoption of a National Computerized Identification Reference System” was issued by the then President Fidel Ramos. It was however declared unconstitutional by the High Court on the ground that it would violate one constitutionally guaranteed right, that is, the right to privacy. Last year Congress enacted RA No. 10173, otherwise known as the “Data Privacy Act of 2012”, which is principally intended to afford protection to personal information of individuals thereby upholding their right to privacy. With the enactment of said law a question arises: Is it now possible to adopt a National ID System in the Philippines without violating the right to privacy? For a better understanding of the topic at hand, a discussion of the following is necessary:
- What is the constitutional defect of AO no. 308 as held in the case of Ople vs Torres?
- What is Republic Act No. 10173 all about?
- What is the relevance of RA No. 10173 to the introduction of a National ID System?
AO No. 308 is unconstitutional for being an infringement of the right to privacy
As contained in its whereas provisions, AO no. 308 sought (1) to provide citizens and foreigners with the facility to conveniently transact business with the basic service and social security providers and other government instrumentalities and (2) to reduce, if not totally eradicate, fraudulent transactions and misrepresentations by persons seeking basic services. Notwithstanding such worthy aims, it did not pass the test of constitutionality because if implemented the right to privacy will be clearly jeopardized.
The Supreme Court in the case of Ople vs Torres explained that the problem with AO no. 308 was its lack of proper safeguards with respect to the information to be given by individuals to the concerned government agencies which, in the long run, would necessarily result in violation of their right to privacy. For one, it does not lay down a definite purpose most especially as regard to the use of the information that will be gathered. The title of the said administrative order shows that it was intended for an identification reference but nowhere in its provisions would confirm that the information to be gathered will be used solely for that purpose, leaving open the possibility for the said information to be used for other purposes. What the said administrative order actually has is a broad and vague purpose which can be the subject of different interpretations. Consequently, it can be implemented in many different ways. If that will be the case, then the reason for which it was issued may not necessarily be fulfilled.
AO no. 308 also does not spell out the kinds of information that ought to be given and/or to be withheld. If what is being intended is to establish a national computerized identification reference system, then it would be enough to require individuals to simply give their personal or biological information. But the problem with AO no. 308 is that it does not specify if the information that will be asked will only be limited to personal information. Since the administrative order is not clear, it may happen that other kinds of information, say financial or medical or educational, will be asked of them even if not needed.
Finally, AO no. 308 is silent as to who shall have access to and control of the information to be collected. On the matter as to who shall have access to the information, it is important to note that section 4 thereof seeks to create a linkage among government agencies. As such, one government agency will have access to the information given to the other agencies and vice versa. This kind of scenario, at first glance, will cause convenience because if any information given by an individual to one agency is also needed to be given by the same individual to another agency, time and work will be saved and said information will be processed faster since what the latter agency needs to do is just to access the system of the former agency. In other words, the implementation of government services to the public will be sped up. However, this kind of scenario will also present a danger. It would create a situation wherein an information that is given to be used only for a specific purpose by one agency may be used for other purposes by those agencies who can have access thereto and worse, the consent of the individual to whom the information pertains to need not be obtained. This will be the clear end result of AO no. 308 because it does not prohibit the other government agencies from gaining access to information that is given to and to be used only by one particular agency. It could have been better if it provided that government agencies can have access to the information gathered only when needed or under certain circumstances. Furthermore, the absence of a body that will be charged with the control of the information to be taken from the public is another concern that AO no. 308 falls short of dealing with. Section 2 thereof which pertains to the creation of an Inter-Agency Coordinating Committee (IACC) does not provide a solution to this problem because the committee being referred thereto is one that will be charged with drawing-up the implementing rules and regulations and overseeing the implementation of the National Computerized Identification Reference System. It does not speak of a committee that will be entrusted with the power to control the information to be gathered. The existence of a committee that will function as the controlling body is very crucial because abuses as to the access, disclosure and misuse of information, which will likely happen, will be prevented, or if not, minimized.
The implementation of AO no. 308 would threaten the sanctity of the right to privacy. This is predicated on two premises. Firstly, government agencies usually require an individual to give information about himself before offering their services. Because of this, an individual has no choice but to comply with the said requirement otherwise he cannot avail of the service he is in need of. Also, the more frequent the individual avails of these services the more information will be extracted from him. Secondly, taking into consideration the abovementioned insufficiencies of AO no. 308, there is no reasonable expectation that proper standards are set to guaranty the privacy of the individual’s personal information. He is not given the assurance that the confidentiality of whatever he shares will be protected. This is because any information taken from him, as already said earlier, can be known and used, even without his consent, by other government agencies having access thereto. Hence, there will be a violation of the right to privacy.
The Data Privacy Act of 2012
RA no. 10173 was enacted by Congress in recognition of the inviolability of the people’s fundamental right to privacy and the State’s duty to afford protection to it. This is manifested from the policy laid down by Congress to the effect that the State recognizes its inherent obligation of ensuring the protection and security of personal information in information and communications system not only in the government but also in the private sector. It can also be supposed that said law was intended to provide solutions for the problems and dangers that could have transpired had AO no. 308 been implemented.
How is the right to privacy affirmed by RA no. 10173?
One feature of RA no. 10173 that is quite significant is that the data subject is given certain rights to be exercised by him in order to protect his right to privacy. For instance, there is a need for the data subject to give his consent before any information relating to him will be collected and processed which means that he cannot be forced to furnish any information about himself. If such consent has been obtained, he will still be entitled to be informed of the purpose for which the information is to be processed, the recipients to whom the information is to be disclosed as well as the reason for its disclosure, and the extent of the access to and disclosure of the information. In line with these rights, the data subject is entitled to cause the removal or destruction from the personal information controller’s system of any information unlawfully obtained from him or those used for unauthorized purposes. He may also institute a complaint before the National Privacy Commission.
The establishment of the National Privacy Commission is another reason why the protection of the right to privacy can be expected. The Commission shall function as the monitoring body responsible for ensuring that personal information controllers will comply with the requirements of RA no. 10173, specifically on the security and technical measures to be undertaken by them for the protection of the confidentiality of personal information. Corollary to this function, the Commission has the power to compel any agency, government or otherwise, to abide by its orders relating to matters affecting data privacy. It is also tasked with coordinating with other entities regarding the formulation and implementation of plans and policies to strengthen the protection of personal information. Most importantly, it has the power to recommend to the Department of Justice the prosecution and imposition of penalties for violations of the provisions of the Data Privacy Act. This last-mentioned function of the Commission will be very helpful in assuring that personal information controllers, including personal information processors, exercise the highest degree of care in protecting the privacy of the information under their control because failure to perform such will be place them under pain of sanctions.
The most important part of RA no. 10173 is that which pertains to the processing and security of personal information because the proper safeguards guarantying the privacy of information are placed therein. Section 11 emphasizes that personal information must only be collected and processed for specified and legitimate purposes. It also provides for a certain period during which the information can be kept, that is, it can be retained only for as long as necessary for the fulfillment of the purpose for which the data was obtained. Unlike in AO no. 308, Section 12 of RA no. 10173 lays down the circumstances or instances when processing of personal information will be permitted. In other words, any processing of information which is of a different nature with those provided therein will be considered unlawful. The processing of sensitive and privileged information is also prohibited except under certain circumstances. Moreover, RA no. 10173 sees to it that those having control of personal information will truly dedicate themselves in doing their duty of maintaining the confidentiality of the information held by them. Personal information controllers are made responsible for personal information under their control or custody, including those that have been transferred to third parties for processing. As a result, they are obliged to adopt reasonable and appropriate measures intended for the protection of personal information against any destruction, alteration, unlawful disclosure and access, misuse and unauthorized processing.
With all that has been said of RA no. 10173, it is unquestionable that said law safeguards the people’s right to privacy. One can now easily give his personal information, without having second thoughts, if being asked by any government agency or private sector because there is a reasonable expectation that whatever he shares will remain confidential and thus, his privacy will not be endangered. Does this mean that a National ID System can already be adopted?
RA no. 10173 provides sufficient mechanism to the introduction of a National ID System
An Identification System is a form of technology that is used to verify or confirm ones identity. The verification or confirmation usually works through the scanning of the fingertips, retina, hand geometry or facial features although the most common is the use of cards or personal information number. An identification system will be useful on the part of both the public and the government. On the one hand, an individual will no longer be burdened whenever he wants to avail of the basic services offered by the government because all that he needs to do is to present his ID, have his information accessed from the information system and have his identity verified. On the other hand, it will also lessen the work load of the government in requiring an individual to provide it with information for every transaction he makes because once it is verified that the holder of the ID is the legitimate owner thereof it will just be easy to access the information pertaining to the said individual. For security purposes, an identification system will also aid in minimizing unlawful transactions usually done by individuals misrepresenting themselves. With an ID system, any transaction can only be completed if the identity of the person transacting is verified. However, the adoption of an identification system presupposes that the individual must first furnish the government with information about himself. This information will serve as the personal data of the individual which will be used in verifying his identity. On this matter a problem arises because once the information is placed under the control of the government it becomes uncertain whether it will remain private or not.
The dilemma regarding the privacy of the information that will be given to the government that is needed for the identification system is resolved by RA no. 10173 for as already mentioned, said law provides proper safeguards to the privacy of information. With RA no. 10173 in force, individuals can now allow their personal information be taken by the government without fear of putting its confidentiality at risk. The reasons are obvious. Firstly, there is a guaranty that it will be used only for the specific and legitimate purpose of the ID system. It is noteworthy that the Data Privacy Act gives the individual certain rights which he can exercise in case the use of his personal information is contrary to the purpose made known to him. As such, if it will be used other than for identification, then he will have the right to demand that it be retrieved and removed from the system. The same holds true in case of an unauthorized disclosure and/or misuse of the information. Secondly, since the ID system will involve collection and processing of personal information, then it will necessarily be under the control and supervision of the National Privacy Commission. Accordingly, abuses as to the use of the ID system will be prevented because there will be an independent body charged in monitoring and ensuring the proper use thereof. Thirdly, RA no. 10173 will require that the kinds of the information to be taken be specified beforehand and information of privileged and sensitive character will be not included, or if included appropriate measures be set to safeguard their confidentiality. The public cannot be compelled to divulge information that is not of the kind which is needed for identification, much more if that which is required is privileged or sensitive information. Lastly, the ID system will not violate the right to privacy because the provisions of RA no. 10173 impose a strict obligation to those who will have control of the personal information to be gathered and failure in this will warrant the imposition of corresponding penalty. If there is penalty to be expected, those who have control of the information will definitely exercise the diligence needed for affording it protection. The information given for the ID system will then be properly secured.
In the final analysis, it can be argued that RA no. 10173 will provide a sufficient mechanism to the introduction of a National Identification System in the Philippines because said law will serve as basis for defining the extent of the application and implementation of such endeavor. In other words, in order for the National Identification System to be consistent with the right to privacy of information, it is essential that it be confined within the objectives of the Data Privacy Act. Hence, if the idea of the Data Privacy Act will be incorporated with adoption the National Identification System, surely, the right to privacy of information can in no way be violated.
DISCLAIMER: this is only an opinion of a law student.