14 December, 2018
In this age when everything is “instant,” information on just about anything and anyone under the sun is not only readily available, but easy to come by. Especially with the proliferation of social media sites and other publicly-accessible platforms and the increasing transparency of government databases most of which are accessible on-line, a few clicks of a mouse will yield a treasure trove of information. But along with this bounty comes the inevitable question of boundaries: What information should be made publicly available? Can we use it? How should we use it?
These questions are particularly relevant today, with the implementation of the Data Privacy Act (“DPA”) in the past few years. On its surface, the DPA is fairly easy to grasp and apply. The DPA is teeming with rules, requirements and restrictions on the use and processing of Personal Information. Significantly, the DPA declares that the consent of the individual, or data subject, is paramount and indispensable, before any processing or handling of his or her personal information may be performed. This places a considerable constraint and control on all types of human relations since the processing of personal information is a necessary activity in all aspects of such relations — be they private or public. Ultimately, the DPA aims to empower data subjects to control when, how, and for what purpose their personal information may be processed.
However, the lines of when and how the DPA may be applied appears to be blurred when applied to “publicly-accessible” personal information. For when information has been disseminated to the public, how can it be considered private? How can public information be private? Verily, the definition of Personal Information under the DPA provides little (if not no) aid in determining such boundaries. The DPA defines Personal Information as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual” (Section 3 g). There is no mention in both the law and rules and regulations of the source of the information that constitutes Personal Information.
In addressing this seemingly grey area of the DPA’s applicability, the National Privacy Commission (“NPC”) has declared in several Advisory Opinions that the DPA has specified the information which is outside of its scope but only to the minimum extent necessary to achieve the specific purpose, function, or activity in Section 4 thereof and there is no express mention that personal data which is available publicly is outside of its scope. Thus, the provisions of the DPA are still applicable even for those personal data which are available in the public domain. The NPC echoes the sentiment of the Office of the Privacy Commissioner for Personal Data of Hong Kong in saying that even if the data subject has provided his or her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent for the use of his/her personal data for whatever purposes (Guidance Note — Guidance on Use of Personal Data Obtained from the Public Domain, August 2013).
Another implication of the NPC’s declaration is that personal information obtained from public documents may not be processed by third parties for purposes other than which such personal information was provided. Thus, third parties may no longer process or use personal information obtained from documents submitted to government regulatory agencies unless with the consent of the data subject/s.
This nuance is also especially crucial in contracts with business partners and third party service providers involving the processing of personal information, including the outsourcing of the processing of personal information. In addition to the mandatory stipulations required to be incorporated in such outsourcing contracts under the Implementing Rules and Regulations of the DPA, personal information controllers must also be careful in indicating in such contracts how personal information obtained from other sources other than the data subject are to be treated. While it has become increasingly common in such contracts to provide for separate provisions specifically dealing with personal information, in most instances, personal information are lumped together in the greater group of information under “Confidential Information.” In such instances, Information that is in, or subsequently enters, the public domain are often considered excluded from the definition of Confidential Information. Applying the NPC’s position on personal information found in and made available via publicly-accessible platforms, in cases where personal information are included in what are considered Confidential Information, there arises a need to carve out personal information from the exclusion.
The NPC’s position also behooves individuals and legal entities from using and relying on information obtained from social media platforms, such as Facebook. While these information were shared on the platform with the intention of making them public, this fact alone does not automatically constitute consent for other uses of the information. Consequently, social media policies have become increasingly important in companies and organizations.
Thus, while personal information from publicly-accessible platform is not particularly provided for in the DPA, the NPC’s opinion has shed light on the issue and confirms that the protection attaches to the underlying right to privacy and not actually to the pieces of personal information. Certainly, this means that some things that have been made public are still private.
For further information, please contact:
Maria Isabel M. Llave, Angara Abello Concepcion Regala & Cruz (ACCRALAW)
mmllave@accralaw.com