CURRENT SOCIETAL CONCERNS-PRIVACY
Elpidio V. Peria
12 June 2017
from : http://creditinfo.gov.ph
Relaxing at home during this Independence Day, I saw this social media posting from a veteran consumer activist from Davao, which, according to him, is from GLOBE, one of the leading telcos of the country, which reads :
“We’d like to share an important update on RA 9510 or the Credit Information Systems Act (CISA). In compliance with this government mandate, we’ll be sending basic credit information about your Globe account/s, including any overdue balance, to the Credit Information Corporation, a state-run agency, starting June 2017. We at Globe value your awareness on these matters. Learn more at http://www.creditinfo.gov.ph. Data charges may apply.”
This action of GLOBE, cavalierly informing only its clients and purportedly in pursuit of complying with this mentioned law, on credit information of individuals being processed by a specific government entity, the Credit Information Corporation, is VIOLATIVE of a later law, the Data Privacy Act or Republic Act 10173, passed in 2012. This later law came four years after this law on credit information was passed, in 2008. Maybe the lawyers of GLOBE may have overlooked this law or interpreted the law such that they went ahead with their action, but hopefully, with this blog post, citizens may be made aware and will react and tell GLOBE to stop what it is doing.
The Data Privacy Act recognizes the rights of data subjects, actually, us, humans, people, individuals, not computers, to our personal information, such that, this personal information cannot just be immediately processed without our consent. The law in sec. 12 gives the number one criteria for the lawful processing of personal information : that the data subject has given his or her consent.
What GLOBE has done in its announcement, that of merely informing its subscribers that GLOBE will be sending basic credit information of its subscribers, including overdue balance, to another government agency, the Credit Information Corporation, created by Republic Act 9510, is something that is not allowed by the Data Privacy Act as provided for in its sec. 13 dealing with sensitive personal information and privileged information.
The rule in sec. 13 is that the processing of sensitive personal information is PROHIBITED, and there are some instances where the processing of information is allowed, and it may be these exceptions that may be pointed out by GLOBE which enables it to pass on such credit information to the agency created by RA 9510.
Let us analyze the exception closely. It reads:
Sec. 13. Sensitive Personal Information and Privileged Information – the processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
Xxx (b) The processing of the same is provided for by existing laws and regulations; Provided, that such regulatory enactments guarantee the protection of sensitive personal information and the privileged information; Provided further, that the consent of the data subjects are not required by law or regulation permitting the processing of sensitive personal information or the privileged information.
We consulted the provision of RA 9510 on the guarantee of protection of this sensitive personal information and there, in sec. 6 of the law, is the following provision :
Section 6. Confidentiality of Credit Information. – The Corporation, the submitting entities, the accessing entities, the outsource entities, the special accessing entities and the duly authorized non-accessing entities shall hold the credit information under strict confidentiality and shall use the same only for the declared purpose of establishing the creditworthiness of the borrower. Outsource entities which may process and consolidate basic credit data are absolutely prohibited from releasing such data received from the Corporation other than to the Corporation.
While this guarantee of strict confidentiality seems to be stated by this law, the number of entity categories, around six (Corporation, the submitting entities, the accessing entities, the outsource entities, the special accessing entities and the duly authorized non-accessing entities) that deal with a person’s credit information is surely one too many, that this strict confidentiality rule is actually meaningless. Why, these entities are all the entities that matter to a person’s credit history; if you go to the definitions section of the law, these are mainly also private companies who deal in the business of these things. Why bother with strict confidentiality when all those who will be interested will be given a creditors’ information anyway?
With the above-mentioned doubt on whether strictly confidentiality of a person’s credit information is guaranteed by RA 9510, this same law however seems to comply with the second criteria of the Data Privacy Act, which states that the consent of the data subjects are not required by law permitting the processing of the sensitive personal information.
This is because there is nothing in RA 9510 which requires the consent of persons with credit information or history to process their credit information under that law. That is one interpretation of the RA 10173 requirement which may be used by GLOBE to escape any legal liability under RA 10173.
But this same provision, sec. 13(b), of RA 10173 may also be interpreted to mean that there has to be a specific provision in any law that should explicitly state that such consent is no longer required. If that interpretation holds, and this kind of provision does not exist in the law, then RA 9510 may breach RA 10173.
Which is which? If you ask me, my view is to provide for a greater right to the person’s data privacy as regards his or her sensitive personal information, particularly his or her unpaid GLOBE accounts which may be compiled to provide an unsavory credit reputation to the person.
RA 9510 however requires the consent of the borrower (not the GLOBE subscriber, mind you) when such credit information is passed on to a special accessing entity, which is defined by RA 9510 as a duly accredited private corporation engaged primarily in the business of providing credit reports, ratings and other similar credit information products and services. But aren’t these precisely the kinds of entities subscribers with bad credit standing avoid? This provision of RA 9510 should also be looked into whether it still accords with the stated policy goals of the Data Privacy Act, which is to protect the identity of an individual from being ascertained, since RA 9510 already gives out not only the identity of the person but also more, especially the credit information of that person.
So, what happens now to what GLOBE will do this month of June, when it will do it, it does not yet say – that it will pass on credit information of its subscribers to the Credit Information Corporation ? That GLOBE purports to easily do it without any express consent of its subscriber speaks badly of its oft-repeated commitment in its ads to keep its customers welfare above its own. GLOBE should not be merely informing or making aware its subscribers that it will do such thing, it should also seek out, expressly, in written form, the subscribers’s consent and if the subscriber does not allow it, then GLOBE should not pass on such information.
But given that subscribers are busy people, the default setting here should be NO sharing of information to the Credit Information Corporation, unless the person consents to such sharing, which should be done in writing.
If the GLOBE does not do this, it is our view that it violates the provisions of the Data Privacy Act in its act of passing on the credit information of its subscribers, including unpaid accounts, to a government entity created by law, the Credit Information Corporation.
Perhaps the National Privacy Commission should step in to propose measures such that the functions of the Credit Information Corporation may be fulfilled, but not at the expense of the violation of the rights of the data subjects, the GLOBE subscribers.
Or, given that agencies, perhaps too occupied with their mundane concerns relating to their mandate, may act not in a prompt manner, and if that is the case, the citizenry, or the disgruntled GLOBE subscribers perhaps, should give the telco a lesson that consumers are not to be trifled with. We haven’t even examined the provisions of the Consumer Code on this.