A legal-techie luminary posited a question: Would the act of a person, disclosing the mobile number of another to a third person, without the latter’s consent be considered a violation of Republic Act 10173?
If the all parties concerned in the instant case are merely private persons not involved in personal information processing, the disclosure of A to C (the third person) of B’s number would not qualify as a violation of R.A 10173.
The Law seeks to protect privacy of information not against private persons. To create a blanket that the law envelops even private persons acting in mere regularity of giving someone’s number, intention regardless, would create havoc, incriminating an act so mundane. Such is not the intention of the law.
Please allow me to briefly discuss the law, its intention and some basic concepts.
Republic Act 10173 is the Data Privacy Act of 2012, a Philippine Privacy law.
Black’s Law Dictionary defines that privacy law is the right that determines the nonintervention of secret surveillance and the protection of an individual’s information. It is split into 4 categories
(1) Physical: An imposition whereby another individual is restricted from experiencing an individual or a situation.
(2) Decisional: The imposition of a restriction that is exclusive to an entity.
(3) Informational: The prevention of searching for unknown information and
(4) Dispositional: The prevention of attempts made to get to know the state of mind of an individual.
The State, realizing that Privacy is one aspect of human rights which is rapidly being vulnerable due to advancements in technology, and acting in pursuance to no less than the Constitution, which guarantees an individual’s privacy as found in the Bill of rights, enacted Republic Act 10173 that primary seeks to curtail Informational Privacy prying.
The State declared that the purpose of the law is to “protect the fundamental human right of privacy and of communication” as well as “to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected”.[i]
What does the law encompass?
Found in the scope, the law is applicable to processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph. As defined by the law, processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.[ii]
The significant features of R.A 10173 include:
1. The protection of processing of personal information and sensitive personal information
2. Creation of the National Privacy Commission
3. Established limitations on data processing of personal information
4. The Data Subject (individual whose personal information is processed) has the right to know whether their personal information is processed
5. Imposition upon personal information controllers the obligation to ensure security measures to protect the personal information they process and to be compliant with the requirements of this law
6. Imposing of penalties on certain acts.
Now going back to the hypothetical question, whether the act of a person, disclosing the mobile number of another to a third person, without the latter’s consent be considered a violation of Republic Act 10173
We have 3 parties: A, the one who disclosed B’s mobile number. B, number owner, and C, person who received the mobile number from A.
Some hazy matters deserve to be given clarification as to what exactly is protected, and against whom?
RA 10173 focal substance is the protection of personal information
The law clearly safeguards personal information against possible negligence, abuses and imprudence of Personal information processors (PIP) and Personal information controller (PIC).
Personal information controller refers to a person or organization that controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.[iii]
Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.[iv]
Data subject refers to an individual whose personal information is processed.[v]
The law defines personal information as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual”.[vi]
It is debatable whether a mobile number could be classified as personal information, considering that changing personal mobile numbers is commonplace, and that a person’s number today may actually be in another’s possession or ownership tomorrow. But, as an argument, one could assail that a mobile number could also function as personally identifiable information (PII), which could be linked to an individual’s medical, educational, financial and employment information, hence, personal information.
Taking into consideration advancements in technology and the standards of the times, I submit that a mobile number is indeed personal information. It is not extraordinary for an individual of today to put in a physical or digital medium his or her name, as well as mobile number together, which in causality would enable the relating of two data either by inference or direct sourcing.
If A and/or C is a personal information controller or personal information processor, the law mandates that the information was or should be:
1. Collected for specified and legitimate purposes;
2. Processed fairly and lawfully;
3. Accurate, relevant, kept up to date;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained;
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.[vii]
As a rule, information to be collected must be with the consent of the owner, but there are circumstances that need not have consent to still be equivalent to lawful processing. Note that the processing is still considered lawful even if one of the criteria below exists, but of course, is still subject to the fundamental rights and freedoms which require protection under the Philippine Constitution.
1. The processing of personal information is necessary and is related to the fulfillment of a contract;
2. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
3. The processing is necessary to protect vitally important interests of the data subject, including life and health;
4. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
5. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed.[viii]
Thus, If either A or C is a PIP or PIC, there are obligations imposed upon them, but also exceptions. In utilizing the mobile number of B, we presume in the first instance B as a private person. Ultimately, the above provisions of the law would apply. But, there are also examples when the information collection does not carry the stringent protection of the law, such as when the:
1. Information about any individual who is or was an officer or employee of a government institution in relation to the position or functions of the individual;
2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed;
3. Information relating to any discretionary benefit of a financial nature;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public;
6. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions;[ix]
Whether or not the disclosure of A to C of B’s mobile number would be tantamount to a violation of RA 10173 would depend of the status of each of the parties in the case, the underlying circumstances and the end result of which the mobile number is to be utilized.
I submit that the Data Privacy Act is a complete law that further strengthens the constitutional softness with regard to the digital world, providing a deterrent and a medium through the establishment of the National Privacy Commission.
Privacy should never be put into hinges of uncertainty. The right to privacy must always be upheld despite ever-changing moral and ethical standards of society. Society must always be sympathetic to the steadfast need of man to be sheltered from prying, over inquisitive and to an extent, overly meddling nature of exposure that could be destructive.
One person’s freedom end when another person’s rights begin
All data and information provided on this site is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis, has no warranties, and confers no rights.
[i] Republic Act 10173, Section 2
[ii] Republic Act 10173, Section 4
[iii] Republic Act 10173, Section 3 (h)
[iv] Republic Act 10173, Section 3 (i)
[v] Republic Act 10173, Section 3 (c )
[vi] Republic Act 10173, Section 3 (g)
[vii] Republic Act 10173, Section 11
[viii] Republic Act 10173, Section 12
[ix] Republic Act 10173, Section 4