30 November 2021
Personal information sharing is as sure as life itself in this day and age. The availment of almost every service, whether in the area of health, banking, technology, education, etc., entails the sharing of personal information. The benefits include access and convenience, but these are not without a downside. Consumers are at the same time becoming increasingly worried about who has ultimate access to their personal information.
Under the Data Privacy Act of 2012, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data – or the processing of personal information – must be done only for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection. Any such information must be processed in a way compatible with such declared, specified, and legitimate purposes only.
The processing of personal information must be adequate and not excessive in relation to the purposes for which they are collected and processed. Any processed information cannot be retained longer than necessary, and it cannot be used for illegal purposes such as for harassment or exacting leverage from the data subject. In all cases, there must be adequate safeguards for their storage.
But one area of concern is the concept of data sharing. Can one’s personal data be shared without the data subject’s prior consent? Does one lose track of his/her personal information the moment it is shared?
The Implementing Rules and Regulations (IRR) of the Data Privacy Act defines “data sharing” as the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
Data sharing is allowed when it is expressly authorized by law, subject to adequate safeguards for data privacy and security, and when processing adheres to the principles of transparency, legitimate purpose, and proportionality.
The key concept here is consent. The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and including data sharing. Data sharing is allowed in the private sector if the data subject consents to it, and such consent is required even when the data is to be shared with an affiliate or mother company, or similar relationships. If the sharing is for commercial purposes, including direct marketing, it shall be covered by a data sharing agreement, which must establish adequate safeguards for data privacy and security, and uphold the rights of data subjects.
The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of a data subject.
On the other hand, there is certain information that the data subject must be provided with prior to collection or before data is shared: a) Identity of the personal information controllers or personal information processors that will be given access to the personal data; b) Purpose of data sharing; c) Categories of personal data concerned; d) Intended recipients or categories of recipients of the personal data; e) Existence of the rights of data subjects, including the right to access and correction, and the right to object; and f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
Data sharing between government agencies for the purpose of a public function or provision of public service shall also be covered by a data sharing agreement.
At the end of the day, the sharing of personal information boils down to informed, valid, prior consent and observance of these requirements. These regulations are aimed at protecting the fundamental and cherished right to privacy. Rights must be respected, while adequate measures are put in place to ensure the free flow of information in a manner that is compliant with data privacy laws.
First published on The Daily Tribune.
For further information, please contact:
Nilo T. Divina, Managing Partner, DivinaLaw
nilo.divina@divinalaw.com