The National Privacy Commission (NPC) is investigating several businesses for allegedly mishandling data collected from contact tracing forms.

Citizens have reported a shopping mall, fast food and drugstore chains, supermarkets, a European fast-fashion retailer, and a North American coffee shop franchisee for mishandling and misusing data, NPC said in a statement on Monday.

Reports said that logbooks were improperly used, with filled-out contact tracing forms left visible to other people. The forms include names, addresses, and contact numbers.

Citizens also said that personal data have been used for purposes outside of contact tracing, and some data have been kept for too long. They said they were also not given privacy notices.

“We hear out the sentiment of the public and their encounters with establishments that violate privacy rights and employ inappropriate security measures,” Privacy Commissioner Raymund E. Liboro said.

The commission may conduct compliance checks, which NPC Director of Compliance and Monitoring Olivia Khane S. Raza said function as early warnings. Subsequent complaints could lead to legal action, she said.

She advised companies to act on issues raised by a notice of deficiency within the prescribed time, as not doing so could lead to a cease-and-desist order.

NPC said that depending on the violation, those who have combined violations of the data privacy law may be fined up to P5 million, or imprisoned for up to six years.

The government has issued two sets of guidelines for contact tracing: joint privacy guidelines from the NPC and the Health department, and workplace health guidelines from the Trade and Labor departments.

Ms. Raza said businesses must come up with reasonable ways to collect data and prevent accidental viewing.

She added that they must collect minimal data, provide privacy notices, properly dispose of data, limit storage time periods, and train employees on privacy measures.

“As you are in the best position to anticipate and manage risks based on your store setup, you should be able to identify points of possible risks for you to develop the security measures appropriate for your operations,” she said. – Jenina P. Ibañez