When the Philippine Government placed the entirety of the Luzon island group, (including the MIMAROPA region – Mindoro, Marinduque, Romblon and Palawan) on “enhanced community quarantine” last March 16, 2020 in an attempt to address the pandemic of COVID-19 in the country, it mandated “strict home confinement in all households,” the “suspension of transportation lines,” and also urged “private companies to adopt ‘work from home’ arrangements.”
It was an unprecedented, if not entirely unexpected turn of events, and for many Philippine companies and organizations, it was a strange new world.
As everybody scrambled to adjust to what would become the ‘new normal’ for at least another month, the Center for Research and Communication (CRC) wondered what risks companies and organizations faced in terms of data protection in the time of COVID-19.
Fortunately, CRC was quickly able to get in touch with NADPOP Founding President Sam Jacoba, and ask him a few questions about the many data protection risks that accompany this unprecedented shift in most organizations’ paradigm of work.
And while CRC hopes to take a closer look at many of these concerns in a future story, we are sharing the first few questions of our exchange with NADPOP’s Mr. Jacoba.
CRC Communications (CRC): Hello and I hope you’re having a peaceful quarantine! How have you been coping, so far?
Sam Jacoba (S.J.): Thank God I was able to breeze through the crisis, and now I’m at the acceptance stage.
CRC: As we move into an unprecedented era of work-at-home arrangements, we’re all going to be more dependent on technology to get any kind of work done. Do you think this poses any special Privacy Protection risks?
S.J.: Even at this early point in the crisis, several data privacy issues have already emerged. On top of the list is the anonymization of identities, including information such as home and work addresses, etc., of the PUMs, PUIs, positive patients, and those that passed away due to complications from the virus.
For your reference, the National Privacy Commission (NPC) has issued several bulletins on how personal data should be protected during the Crisis. You can refer to them at the “latest updates” page of the NPC at:
Despite these, though, the battle for data protection rages in local communities where the DOH has reported positive patients. Near my village in Parañaque City, another village (through its Barangay government) disclosed the addresses of two houses that they have identified as having positive patients.
Compare this to my Barangay, where the first (and still just the one, to date) instance of a positive patient has been anonymized. This is a good thing, of course, but in response to this anonymization though, some of my village mates were demanding to know the home address of the patient, since there were rumors that the patient lives in our village.
CRC: What do you think organizations following a work-from-home setup need to particularly watch out for?
S.J.: Connections at home are not secure in comparison to corporate offices with firewalls and other cyber-security solutions. Companies should have installed cyber-security client software to the officially-issued and employee-owned devices that log in to their corporate networks. This will minimize the instances of breaches when employees work from home.
There’s also the risk of other family members or housemates getting access to the devices when they are left unlocked.
CRC: Is there any practical data privacy advice you can give for these organizations and their employees?
S. J.: Organizations can focus on protecting all instances of data throughout their organization, including all devices used by their employees. They should also conduct a Privacy Impact Assessment (PIA) of this new arrangement so they can identify the risks and mitigate them. This will also allow them to document the challenges that they face, given this unprecedented global crisis.
CRC: How about protecting personal data? Are there particular risks we have to watch for at times like this, and what should we do about it?
S.J.: Please refer to Bulletin #4 of the NPC.
[Editor’s note: In Bulletin #4, Privacy Commissioner Raymund Enriquez Liboro of the NPC encourages the Philippine public: not to give out personal data in suspicious COVID-themed emails and messages; to use trusted government and other legitimate websites as the go-to source for the latest COVID information; to ensure that the charity or crowdfunding campaign the public is considering donating to is legitimate; and to be mindful of phishing baits from online scammers. The bulletin goes into much greater detail, and can easily be accessed at https://www.privacy.gov.ph/2020/03/npc-phe-bulletin-no-4-protecting-personal-data-in-the-time-of-covid-19/.]
CRC: We were excited about the CRC and NADPOP’s Intensive Data Protection Officer Foundational and Certification Course, which has been delayed. When the quarantine is lifted and the event gets rescheduled, do you think events like the certification course are going to be done differently?
S.J.: The world will change dramatically after the crisis, and I see three things that we should do to serve our data privacy colleagues well:
(1) We should look at having blended learning (online, face-to-face, apprenticeship, mentoring, etc.) for the courses that will be run when the crisis is over.
(2) For face-to-face trainings, we’ll need bigger rooms to adopt social distancing in the class. This may mean smaller class sizes.
(3) Begin creating content for pure online delivery of classes. This is a gain as the whole world now becomes our audience.
CRC: Thank you very much for responding to our questions so quickly! We look forward to hearing more from you as we learn more about the new privacy concerns that are revealing themselves as we continue to cooperate with scientists and medical professionals in the face of the COVID-19 pandemic. And we’re especially excited for the resumption of the Intensive Data Protection Officer Foundational and Certification Course.
S.J.: Thank you!
CRC can link your company to expertise in a wide range of fields, from market and financial studies to continuing employee education to analytics, data protection, and so on. To learn more about the ways CRC can connect you to the expertise of experts like Mr. Jacoba and the hardworking team of NADPOP, send an email to [email protected]. When the COVID-19 situation normalizes, you will also be able to give us a call at +(63)(2)86370912 ext. 350.
In the area of Data Protection and Data Privacy, CRC has been working closely with the National Association of Data Protection Officers of the Philippines (NADPOP) – a non-stock, non-profit organization whose mission is to build, develop and manage a nationwide data privacy and protection ecosystem that will support DPOs and their respective organizations to safeguard the personal information of their employees, customers and families. || CRC/REdeLeon