MANILA, Philippines — Business establishments taking pictures of their clients’ identification cards poses great risks such as data breaches, the National Privacy Commission said yesterday.
The NPC called the attention of businesses and associations – through both personal information controllers (PICs) and personal information processors (PIPs) – that authorize their employees and personnel to take photos of the IDs of customers, guests or other persons using their personal electronic devices or without appropriate safeguards and/or without the required privacy notice.
Examples cited by the NPC include the practice of hotel receptionists who take photos of guest IDs using their personal smartphones instead of company-issued phones, car sales agents taking photocopies of a client’s ID for “verification purposes,” telco agents requesting a client to send a photo of their ID through Viber, WhatsApp or Facebook Messenger, and homeowners’ and condominium associations making copies and requiring the deposit of physical IDs with sensitive personal information.
“The Commission emphasizes that these types of activities carry a great risk of causing security incidents, data breaches, unauthorized uses, inadequate disposal, lack of informed consent and profiling or discrimination, among others,” the NPC said.
The NPC said that PICs and PIPs “shall obtain the consent of the data subjects prior to the collection and processing of their personal data, subject to exemptions provided by the DPA (Data Privacy Act) and other applicable laws and regulations.”
“It is the duty of the PICs, as well as their employees, agents or representatives, to uphold the confidentiality and privacy of the personal data that they process,” the NPC said.
The NPC said that consent of customers, guests and other persons is necessary.
To this end, the NPC mandates the following practices:
“Consent: Where it is the necessary criteria for lawful processing of Sensitive Personal Information under Section 13 of the DPA, the PIC must obtain explicit consent from individuals to capture and process their identification photos and details,” the NPC said.
“Privacy Notice: Provide a clear, understandable and transparent privacy notice before capturing their IDs. The notice should include the purposes of the processing, the security measures implemented, the retention period and the purpose limitation, among others,” the NPC added.
“Secure Storage and Transmission: Implement policies to ensure that photos taken by personal devices are stored in a manner that is in compliance with company policies and the DPA. Implement safeguards that ensure that the photos cannot be used by the employees, agents or personnel for other purposes, such as encryption, access controls and other tools,” the NPC further said.
The NPC also said that business establishments and associations are required to properly dispose of the copies of IDs, documents and other personal information of their guests and customers.
“Proper Disposal: Establish policies and procedures that ensure the disposal and deletion of the photos once the purpose is fulfilled. The PICs should conduct verification and audits to ensure that disposal policies have been complied with,” the NPC said.
“We reiterate that processing personal data violative of the Data Privacy Act of 2012 and related issuances of the Commission is subject to penalties and administrative fines,” the NPC added.