ELECTRONIC DATA collection for contact tracing must have adequate security safeguards, with devices using updated operating systems and security patches, the National Privacy Commission (NPC) said.
The commission on Thursday released advisory 2020-03 as additional guidance for workplaces processing data for pandemic response. The advisory details NPC rules on collecting and sharing data, including the use of digital forms.
For electronic-based data collection, NPC said that data storage and transmission must be encrypted, while the devices used must be regularly scanned for viruses and malware.
Users filling out forms must also be required to complete each field so that information is complete, and the autocomplete feature must be disabled.
Access to the data, the commission said, should also be limited to authorized personnel.
“The electronic devices deployed must be enabled with an automatic lock feature, encrypted with a password or protected with biometrics for login and equipped with a remote wipe functionality, whenever practical, so that data are securely deleted should the device be reported lost or stolen.”
When using QR (Quick Response) codes to log health declarations, a privacy notice with the contact number of the establishment’s data protection officer must be displayed beside the code.
“Where QR codes are used, establishments should assign a unique QR code to each employee,” NPC said. When scanned on entry to the premises, the code will automatically log each employee health declaration to their system.
“For Clients/Visitors, QR codes posted in the entrance of the establishment may be used. Such codes, when scanned by a mobile phone camera, shall link to an electronic web form to be filled out by clients visiting the premises.”
The commission reminded establishments that data collected should only be used for contact tracing, and should not be used for direct marketing and profiling. NPC had received reports that businesses have been misusing contact tracing information, such as customer names, ages, addresses, and contact details.
“Since the COVID-19 pandemic hit, we are seeing an unprecedented manner of data collection and processing, which proportionally also increased its associated privacy risks. Data privacy is crucial to the survival of businesses and therefore must be embedded into processes or policies that involve the personal data of employees and customers,” Privacy Commissioner Raymund E. Liboro said.
Personal data should only be disclosed to the Health department and its partner agencies, local government units, and other authorized entities. — Jenina P. Ibañez
