Ideally, I should be able to say that gone
are the days when filing cabinets ate up space in offices because almost every
transaction is expected to be electronically done already. (I plan to write
about my experience at the COMELEC office recently. They said it will take 3
years to input all data into the system. But that’s for another blog entry.) It’s
quite funny and people (especially the younger generation) are quick to judge or
label your process as “old school” or “Jurassic” when you make them fill out
registration forms using pen and paper. Now, it is not very impressive
anymore and is actually deemed “normal” if the process entails you being in
front of a computer to input your data, pose to have your digital picture taken
and sign with a digital pen. You wait a few seconds for your ID to be printed
and voila! DIGITAL. No more pasting your 1 x 1 ID picture and having it
laminated.
I have also attended a youth event where they
asked the participants to line up and register at this row of laptops before
them. No more pen and paper for you.
Other than the process being quick, inputting your details and having them backed up
AND SECURED in another storage device is one way of sparing everybody from the
hassle of retrieving your data when some natural calamity like fire or floods
surprises us.
Another reason why I love how things are turning digital is how it saves everybody’s
time and effort. For example, I’d love to see somebody come up with an online
pre-registration for enrollment. There will be some scheme on how to secure
your slot for a class, then the payment will be through an online transaction
too. Imagine, we won’t have to wait for hours to get our applications for a
class approved! What bliss it will be, right?
The list of the benefits for having things digitized is endless. However, with that
improvement come issues that threaten our security as individuals. Even the big
companies are not spared from such a dilemma. We hear of stories of security
breaches, when unauthorized personnel gain access to personal information from
systems that are supposed to be secure. We hear of people’s identity exposed,
which brings about threats to their security. Spell death threats, or worse,
killings. People often get killed for the things they say or show.
I am not attempting to give an exhaustive discussion on the implications of
Republic Act 10173, otherwise known as the “Data Privacy Act of 2012”, but I am
wishing to discuss how it affects a mere mortal netizen like me.
Going through the provisions makes me want to give kudos to the Congress for the
effort of keeping in step with the dynamics of society. As previously
mentioned, almost everything is digital now. It is quite difficult to cope with
the speed and complications of how technology has made our world smaller. “Easy
access” has benefits, but it offers some dangers too. Yes, the law is not
perfect, we can see some loopholes and lots of room for improvement, but at
least, we have something to start with.
I also like the idea of how the law mandates the interplay and teamwork of the
different government agencies and their geniuses so that the intent of
protection of the netizens will be achieved. In the law, we will see that the
created Commission welcomes or even asks for help because I think the
implications of providing details electronically are too broad for them to
address one by one.
I’m not so sure though if all entities, especially in the government, are aware of
the details of this law and how to go about it. I’m not even sure if the
personnel who deal with data are aware of the care and protection they must
give so identities of their clients would not be prejudiced. Well, they have
the problem of inputting to address first.
The law also discusses the right of a person to be informed of the purpose and
the length of time that your details will be retained in the entity that will
process your data. I do not see any prompt informing me of this right. Is there
anybody who tells people this? What I often see is them informing me that my
data will be kept confidential, but nobody really tells me for how long they
are going to keep it.
I’ve had the privilege of working in a company that takes data privacy VERY
seriously. It ensures that all employees are well aware and exercising the
things we learn from the modules on protecting personal information. Our policies
on passwords are so strictly implemented that nobody can access the
computers issued to us. Our printers have a separate room to which only employees
have access. We have a lot of shredders in the office so that data or
information on paper could not be retrieved after its use.
I’d like to quote the rights protected under this Act. Section 16 provides:
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her
shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of
his or her personal information into the processing system of the personal
information controller, or at the next practical opportunity:
(1) Description of the personal information
to be entered into the system;
(2) Purposes for which they are being or are
to be processed;
(3) Scope and method of the personal
information processing;
(4) The recipients or classes of recipients
to whom they are or may be disclosed;
(5) Methods utilized for automated access, if
the same is allowed by the data subject, and the extent to which such access is
authorized;
(6) The identity and contact details of the
personal information controller or its representative;
(7) The period for which the information will
be stored; and
(8) The existence of their rights, i.e., to
access, correction, as well as the right to lodge a complaint before the
Commission.
Any information supplied or declaration made to the data subject on these matters
shall not be amended without prior notification of data subject: Provided, That
the notification under subsection (b) shall not apply should the personal
information be needed pursuant to a subpoena or when
the collection and processing are for obvious purposes, including when it is
necessary for the performance of or in relation to a contract or service or
when necessary or desirable in the context of an employer-employee
relationship, between the collector and the data subject, or when the
information is being collected and processed as a result of legal obligation;
(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal
information that were processed;
(2) Sources from which personal information
were obtained;
(3) Names and addresses of recipients of the
personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the
personal information to recipients;
(6) Information on automated processes where
the data will or likely to be made as the sole basis for any decision
significantly affecting or will affect the data subject;
(7) Date when his or her personal information
concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and
address of the personal information controller;
(d) Dispute the inaccuracy or error in the personal information and have the
personal information controller correct it immediately and accordingly, unless
the request is vexatious or otherwise unreasonable. If the personal information
have been corrected, the personal information controller shall ensure the
accessibility of both the new and the retracted information and the
simultaneous receipt of the new and the retracted information by recipients
thereof: Provided, That the third parties who have previously
received such processed personal information shall be informed of its
inaccuracy and its rectification upon reasonable request of the data subject;
(e) Suspend, withdraw or order the blocking, removal or destruction of his or her
personal information from the personal information controller’s filing system
upon discovery and substantial proof that the personal information are
incomplete, outdated, false, unlawfully obtained, used for unauthorized
purposes or are no longer necessary for the purposes for which they were
collected. In this case, the personal information controller may notify third
parties who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal
information.
x x x
I suggest that you please take your time to
review and discuss this among friends so that you can know how to address an
incident that might arise. Thank goodness for my genius friends, I can ask them
to help out in case some epistaxis occurs.