Monday, May 6, 2013

REPUBLIC ACT 10173 (Data Privacy Act) in re: OPLE vs. TORRES


WILL REPUBLIC ACT NO. 10173 PROVIDE SUFFICIENT MECHANISM FOR THE INTRODUCTION OF THE NATIONAL ID SYSTEM IN THE PHILIPPINES WITHOUT CONSTITUTIONAL ISSUES PROVIDED FOR IN THE CASE OF OPLE vs. TORRES?


INTRODUCTION

Running a government is no easy task. Law enforcement, service delivery and social security benefits availment entail voluminous documents that have compelled states to devise tools that simplify and manage these tasks. One mechanism is the establishment of the national identification (ID) system.

A lot of issues and concerns relative to the implementation of an ID system makes it a contentious measure. Some reject the idea arguing that in our today’s world in information technology, privacy on personal information has become misleading since with the right connections and good price, those information may be given or accessed without proper consent and justification to which it may serve purpose other than its original intent.

In broad terms, a national identification (ID) system is a mechanism used by governments to assist government agencies in identifying and verifying the identities of citizens who are availing of government services or making public transactions.

The government must be adequately equipped and organized in implementing an ID system, taking into consideration the cost, policy and legal environment so as to protect the citizens that it wants to serve.

In 1996, President Fidel Ramos issued Administrative Order No. 308, entitled “Adoption of a National Computerized Identification Reference System,” the pertinent portions of which reads:

ADOPTION OF A NATIONAL COMPUTERIZED IDENTIFICATION REFERENCE SYSTEM

WHEREAS, there is a need to provide Filipino citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities;

WHEREAS, this will require a computerized system to properly and efficiently identify persons seeking basic services on social security and reduce, if not totally eradicate, fraudulent transactions and misrepresentations;

WHEREAS, a concerted and collaborative effort among the various basic services and social security providing agencies and other government instrumentalities is required to achieve such a system;

NOW, THEREFORE, I, FIDEL V. RAMOS, President of the Republic of the Philippines, by virtue of the powers vested in me by law, do hereby direct the following:

SECTION 1. Establishment of a National Computerized Identification Reference System. A decentralized Identification Reference System among the key basic services and social security providers is hereby established.
    xxx
SEC. 4. Linkage Among Agencies. The Population Reference Number (PRN) generated by the NSO shall serve as the common reference number to establish a linkage among concerned agencies. The IACC Secretariat shall coordinate with the different Social Security and Services Agencies to establish the standards in the use of Biometrics Technology and in computer application designs of their respective systems.

A.O. 308 involves a subject that is not appropriate to be covered by an administrative order and usurps the power of Congress to legislate.

With the advent of RA 10173 or also known as the Data Privacy Act, the purpose of the Legislative in passing this law is to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. The law penalizes the unauthorized disclosure of personal information. It protects journalists and publishers, as they will not be compelled to reveal the source of a news report.

Excluded in the scope of RA 10173 are, among others, personal information processed for journalistic, artistic, literary or research purposes, information about government officials and other civil servants, information necessary for banks and financial institutions as part of anti-money laundering efforts, and personal data processed by central monetary authorities and law enforcement and regulatory agencies.


DISCUSSION


Does Administrative Order No. 308 violate the right to privacy?

Administrative Order No. 308 is so vague. The vagueness, the over breadth of Administrative Order No. 308 which if implemented will put our people's right to privacy in clear and present danger. There are no vital safeguards. Administrative Order No. 308 should also raise our antennas for a further look will show that it does not state whether encoding of data is limited to biological information alone for identification purposes. In fact, the Solicitor General claims that the adoption of the Identification Reference System will contribute to the "generation of population data for development planning." This is an admission that the Population Reference Number (PRN) will not be used solely for identification but for the generation of other data with remote relation to the avowed purposes of Administrative Order No. 308. Clearly, the indefiniteness of Administrative Order No. 308 can give the government the roving authority to store and retrieve information for a purpose other than the identification of the individual through his PRN .The potential for misuse of the data to be gathered under Administrative Order No. 308 cannot be underplayed as the dissenters do. Pursuant to said administrative order, an individual must present his PRN everytime he deals with a government agency to avail of basic services and security. His transactions with the government agency will necessarily be recorded -- whether it be in the computer or in the documentary file of the agency. The individual's file may include his transactions for loan availments, income tax returns, statement of assets and liabilities, reimbursements for medication, hospitalization, etc. The more frequent the use of the PRN, the better the chance of building a huge and formidable information base through the electronic linkage of the files. The data may be gathered for gainful and useful government purposes; but the existence of this vast reservoir of personal information constitutes a covert invitation to misuse, a temptation that may be too great for some of our authorities to resist.


The Supreme Court in striking down Administrative Order No. 308, it emphasized that it is not fundamentally against the use of computers to accumulate, store, process, retrieve and transmit data to improve our bureaucracy. The Supreme Court also emphasized that the right to privacy does not bar all intrusions into the right to individual privacy. This right merely requires that the law be narrowly focused and a compelling interest justify such intrusions. Intrusions into the right must be accompanied by proper safeguards and well-defined standards to prevent unconstitutional invasions.


The right to privacy is a constitutional right, granted recognition independently of its identification with liberty. It is recognized and protected in several provisions of our Constitution, specifically in Sections 1, 2, 3 (1), 6, 8 and 17 of the Bill of Rights. Areas of privacy are also recognized and protected in our laws, including certain provisions of the Civil Code and the Revised Penal Code, as well as in special laws (e.g., Anti-Wiretapping Law, the Secrecy of Bank Deposit Act and the Intellectual Property Code).

The right to privacy is a fundamental right guaranteed by the Constitution. Thefore, it is the burden of government to show that Administrative Order No. 308 is justified by some compelling state interest and that it is narrowly drawn.


A.O. 308 is rested on two considerations:

(1) the need to provide our citizens and foreigners with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities; and

(2) the need to reduce, if not totally eradicate, fraudulent transactions and misrepresentations by persons seeking basic services.

While it is debatable whether these interests are compelling enough to warrant the issuance of A.O. 308, it is not arguable that the broadness, the vagueness, the overbreadth of Administrative Order No. 308, if implemented, will put our people’s right to privacy in clear and present danger.

Administrative Order No. 308 falls short of assuring that personal information which will be gathered about our people will only be processed for unequivocally specified purposes. The lack of proper safeguards in this regard of Administrative Order No. 308 may interfere with the individual’s liberty of abode and travel by enabling authorities to track down his movement; it may also enable unscrupulous persons to access confidential information and circumvent the right against self-incrimination; it may pave the way for “fishing expeditions” by government authorities and evade the right against unreasonable searches and seizures. The possibilities of abuse and misuse of the PRN, biometrics and computer technology are accentuated when we consider that the individual lacks control over what can be read or placed on his ID, much less verify the correctness of the data encoded. They threaten the very abuses that the Bill of Rights seeks to prevent.


In addition, as stated in Section 11 and 12 of Republic Act 10173 (R.A. 10173) or also known as Data Privacy Act of 2012, there can be no gathering of information if there is non-adherence without following the guidelines of processing personal information as therein enumerated. Herein below are the aforementioned rules set forth accordingly:

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must, be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.




Under Administrative Order No. 308, the National ID system has no definite legitimate purpose of collecting the information and the usage of the said information does not state the accuracy, relevancy and necessity for which purpose it will be use.

Moreover, in Administrative Order No. 308 if given access to the public without the security to prevent any emergence and infraction to the public of the information, it will cause greater problem for an individual’s right to privacy. Thus, in order for the National ID System to augment, adequate safeguards which will protect the information and safely process the personal information of a person must be guaranteed.

On the above case cited, the issue was the implementation of Administrative Order No. 308, and as the court have stated on this case, won’t the government misuse the data that they have acquired? They may have included a confidentiality clause on the new RA 10173, but there is also this underlying fear that the data that they have filtered to a person may be used against them. On the quoted case, the Supreme Court stressed that, the right to privacy is one of the most threatened rights of a man living in a mass society, and the threats may come from various sources, one on which is the government. It is like opening our personal information to the government, or as how most would say it, we are stark naked in the eyes of the government.


VERDICT

Truly, there may be different perspectives on this issue, but I think it is yet to be identified and proven the effect of this act because it is too early to determine its true advantages and disadvantages.  The burden lies with the application and implementation where it would be more of the government’s responsibility of disseminating and explaining the real purpose and intent of such act in order to really affect growth and promote innovation for the purpose of nation building.

How then does this act truly impact my situation as of this time? This query continues to linger in my mind. At any rate, we should always be mindful of the fact that in every transaction, security and integrity is often required. 

Every life should be basically private. It is only the works of man that some lives lose their sense of privacy. Just like the public officials whose life is imbued with public interest. But still, public figures as they are, there should be part of their lives that should be treated with privacy. Everything has limitations. One should always respect the privacy of others.
















END NOTES:
Sources


G.R. No. 127685         July 23, 1998
BLAS F. OPLE, petitioner vs. RUBEN D. TORRES, ALEXANDER AGUIRRE, HECTOR VILLANUEVA, CIELITO HABITO, ROBERT BARBERS, CARMENCITA REODICA, CESAR SARINO, RENATO VALENCIA, TOMAS P. AFRICA, HEAD OF THE NATIONAL COMPUTER CENTER and CHAIRMAN OF THE COMMISSION ON AUDIT, respondents. The Lawphil Project. http://www.lawphil.net/judjuris/juri1998/jul1998/gr_127685_1998.html (accessed May 1, 2013)

REPUBLIC ACT NO. 10173: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES; The Lawphil Project. http://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html (accessed May 1, 2013)





Disclaimer: The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. Your use of the blog does not create an attorney-client relationship between you and the blogger.