When is processing of personal information lawful?
The Data Privacy Act of 2012 (DPA) prohibits the processing of “personal information” except when certain conditions exist. Thus, personal information controllers have been very cautious in releasing information, such as lists of names, etc., in fear of violating this rule. In two recent opinions issued by the National Privacy Commission (NPC), however, we get a view as to how NPC interprets such prohibition with respect to homeowners’ associations and universities.
Section 12(c) of the DPA provides that personal information may be processed if it’s necessary for compliance with a legal obligation to which the personal information controller is subject. Section 12(f) of the DPA also permits the processing of personal information if “[t]he processing is necessary for the purposes of the legitimate interests pursued by the personal information controller… except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.”
The DPA defines “personal information” as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” A person’s name and residence, for instance, are information that can be linked to his or her identity, since they make a person readily identifiable. Thus, both are considered personal information.
In view of above, can a condominium association deny a member’s request for disclosure of unit numbers of its members, to determine and verify the existence (or non-existence) of a quorum? In one case, the lawyer of the condominium association denied such a member’s request, claiming that revealing the unit numbers is a type of personal information processing not allowed under the DPA. Thus, said member sought NPC’s guidance.
The NPC clarified, however, that the condominium association has a legal obligation under the Corporation Code to provide members access to, and allow them to inspect, corporate records and documents. The DPA doesn’t operate to curtail existing rights of members of a condominium corporation, specifically on inspection of corporate books and records. Hence, the condominium corporation may lawfully disclose the unit numbers of the members of the association based on the DPA and the member’s right to inspect corporate books and records.
It’s also universities’ common practice to post on publicly accessible bulletin boards the names of applicants admitted to the said universities. Is this publication of students’ names, done without the students’ consent, be considered permissible processing of personal information under the DPA?
In another recent opinion, the NPC also confirmed that such practice of processing of personal information is allowed even without the consent of students, pursuant to Section 12(f) of the DPA — for being necessary for purposes of the legitimate interests pursued by the university. In this regard, the NPC laid down the following three-part test to determine if there are legitimate interests that may be the basis for lawful processing of personal information:
First: Is the personal information controller pursuing a legitimate interest? (Purpose Test)
Second: Is the processing necessary for that purpose? (Necessity Test)
Third: Do the individual’s interests override the legitimate interest? (Balancing Test) The balancing test requires that the interests or fundamental rights and freedoms of the data subject don’t override the personal information controller’s interests.
NPC took the view that the university’s practice of posting the names of successful applicants on the bulletin board of its school passed all three tests. Such publication was aimed at informing the applicants they successfully passed the examinations in the most transparent and practical way. NPC thus deemed such posting necessary for the purpose as these applicants are most probably already eagerly waiting for the results of the examinations. The processing is necessary, adequate and not excessive in relation to the purpose. The NPC further explained that, by voluntarily participating in this admissions process, the applicant could reasonably expect that his or her name may be posted on the bulletin board of the school if one has successfully passed the examinations. Thus, the NPC confirmed this type of personal information processing, even if done without the consent of the students, is allowed under the DPA.
Nevertheless, the NPC recommended that, in the future, the university obtain the applicants’ consent, in order to ensure the university adheres to the principles of transparency and legitimate purpose. Such consent may be secured in the application form.
Richelle Dianne R. Patawaran is a Senior Associate of Mata-Perez, Tamayo & Francisco (MTF Counsel). She is a corporate, deal, litigation and labor lawyer. The contents of the above article are intended for general information purposes only and do not constitute legal advice. If you have any question or comment regarding this article, you may email the author at info@mtfcounsel.com or visit MTF Counsel’s website at www.mtfcounsel.com.
The post When is processing of personal information lawful? appeared first on The Manila Times Online.