NPC warns companies against data reuse




MANILA, Philippines – The National Privacy Commission (NPC) has warned business establishments against using personal data collected through contact tracing forms and employee health statement forms for direct marketing, profiling, or any other purpose not required for the prevention and control of coronavirus disease 2019 (COVID-19).

In a notice covering guidelines for workplaces and establishments that process personal data for the COVID-19 response, the NPC said that the reuse of personal data is punishable under the Data Privacy Act.

The NPC issued the notice amid citizen complaints against business establishments for mishandling and misuse of contact tracing data such as customer name, address, age, cell phone number and email.

“Since the COVID-19 pandemic hit, we are seeing an unprecedented form of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial for the survival of companies and, therefore, must be integrated into processes or policies involving personal data of employees and customers,” said Privacy Commissioner Raymund Liboro.

According to the notice, establishments must consider privacy and security at all stages of the data life cycle, from collection to use, storage and disposal.

“As controllers of personal information, establishments play an important role in implementing contact tracing. For this reason, they are expected to guarantee the protection of the personal data in their custody,” said Liboro.

He said companies and businesses must also show transparency about the data that is collected and its purpose.

As part of the guidelines, companies must inform employees, customers and visitors, through a privacy notice, of the details of the processing of their personal data for the prevention of COVID-19.

The privacy notice must be easy to understand, perceptible and visible in the commercial establishment.

When using QR codes for data collection, the privacy notice should be located next to the QR code with the contact number of the establishment’s data protection officer.

If paper forms are used, companies should provide a designated area where employees and customers or visitors can fill them out, in order to observe physical distancing and eliminate the risk of data exposure.

Security personnel or other authorized establishment personnel must ensure that all required fields on paper and digital customer/visitor contact tracing forms and employee health declaration forms are filled out and that the data provided are accurate and legible.

Completed forms must also be physically separated to prevent unintended disclosure of personal data.

If QR codes are used, establishments must assign a unique QR code to each employee, while QR codes for customers must be posted at the entrance of the establishment.

Digital forms must be equipped with the appropriate safeguards, such as encryption, to prevent data breaches.

In cases where establishments allow employees or customers to use the establishment's electronic devices for data entry, they must ensure that the devices' operating system and security patches are up to date and that the devices are periodically scanned for viruses.

In addition, companies should disable the autocomplete feature of the web browser to prevent other users from viewing the information previously entered in the digital form.

Businesses should also turn on the auto-lock feature, set a password, and enable a remote wipe feature, whenever possible, to ensure that data is securely removed when devices are lost or stolen.

Disclosure of personal data collected through the health declaration form is limited to the Department of Health and its associated agencies, local government units, and authorized entities, officials, or personnel.


