Friday, December 7, 2012

RA 10173: Watchusay?


Ideally, I should be able to say that gone are the days when filing cabinets ate up space in offices because almost every transaction is expected to be electronically done already. (I plan to write about my experience at the COMELEC office recently. They said it will take 3 years to input all data into the system. But that’s for another blog entry.) It’s quite funny, and people (especially the younger generation) are quick to judge or label your process as “old school” or “Jurassic” when you make them fill out registration forms using pen and paper. Now, it is not very impressive anymore and is actually deemed “normal” if the process entails you being in front of a computer to input your data, pose to have your digital picture taken and sign with a digital pen. You wait a few seconds for your ID to be printed and voila! DIGITAL. No more pasting your 1 x 1 ID picture and having it laminated.
I have also attended a youth event where they asked the participants to line up and register at a row of laptops before them. No more pen and paper for you.
Other than the process being quick, inputting your details and having them backed up AND SECURED in another storage device is one way of sparing everybody from the hassle of retrieving your data when some natural calamity like fire or flood surprises us.
Another reason why I love how things are turning digital is how it saves everybody’s time and effort. For example, I’d love to see somebody come up with an online pre-registration for enrollment. There will be some scheme on how to secure your slot for a class, then the payment will be through an online transaction too. Imagine, we won’t have to wait for hours to get our applications for a class approved! What bliss it will be, right?
The list of the benefits of having things digitized is endless. However, with that improvement come issues that threaten our security as individuals. Even the big companies are not spared from such a dilemma. We hear stories of security breaches, when unauthorized personnel gain access to personal information from systems that are supposed to be secure. We hear of people’s identities being exposed, which brings about threats to their security. Spell death threats, or worse, killings. People often get killed for the things they say or show.
I am not attempting to give an exhaustive discussion on the implications of Republic Act 10173, otherwise known as the “Data Privacy Act of 2012”, but I wish to discuss how it affects a mere mortal netizen like me.
Going through the provisions makes me want to give kudos to the Congress for the effort of keeping in step with the dynamics of society. As previously mentioned, almost everything is digital now. It is quite difficult to cope with the speed and complications of how technology has made our world smaller. “Easy access” has benefits, but it offers some dangers too. Yes, the law is not perfect; we can see some loopholes and lots of room for improvement, but at least we have something to start with.
I also like the idea of how the law mandates the interplay and teamwork of the different government agencies and their geniuses so that the intent of protection of the netizens will be achieved. In the law, we will see that the created Commission welcomes or even asks for help because I think the implications of providing details electronically are too broad for them to address one by one.
I’m not so sure, though, if all entities, especially in the government, are aware of the details of this law and how to go about it. I’m not even sure if the personnel who deal with data are aware of the care and protection they must give so identities of their clients would not be prejudiced. Well, they have the problem of inputting to address first.
The law also discusses the right of a person to be informed of the purpose and the length of time that their details will be retained by the entity that will process their data. I do not see any prompt informing me of this right. Is there anybody who tells people this? What I often see is them informing me that my data will be kept confidential, but nobody really tells me for how long they are going to keep it.
I’ve had the privilege of working in a company that takes data privacy VERY seriously. It ensures that all employees are well aware of and exercising the things we learn from the modules on protecting personal information. Our policies on passwords are strictly implemented so that nobody can access the computers issued to us. Our printers have a separate room to which only employees have access. We have a lot of shredders in the office so that data or information on paper could not be retrieved after its use.
I’d like to quote the rights protected under this Act. Section 16 provides:
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;
(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
x x x
I suggest that you please take your time to review and discuss this among friends so that you can know how to address an incident that might arise. Thank goodness for my genius friends, I can ask them to help out in case some epistaxis occurs.
