The National Privacy Commission (NPC) have been receiving complaints on the misuse and mishandling of contact tracing data by some business establishments. Concerns include the open access of contact-tracing forms that contain a customer’s personal data such as name, address and contact details.

The agency pointed out a lack of privacy notice and usage of data apart from contact tracing efforts. Although they did not name which particular establishments breached consumer privacy, they said that these include a mall, a European fashion retailer and a North American coffee shop franchisee as well as some supermarkets and fast food and drugstore chains.

Contact tracing form templates have been prescribed for businesses. However, it lacked uniform format and content. The NPC noted that contact tracing forms must collect minimum necessary information, have transparent data privacy notice and proper disposal mechanism and must have a limited storage period.

Businesses’ contact tracing procedures must be based on two joint memorandum circulars: Privacy Guidelines on the Processing and Disclosure of COVID-19 Related Data for Disease Surveillance and Response (from the Department of Health and NPC) and Supplemental Guidelines on Workplace Prevention and Control of COVID-19 (from the Trade and Labor Departments).

Under the Privacy Act, violators will receive a penalty of up to P5 million and maximum imprisonment of six years. 

Subscribe to our weekly newsletter to receive all the tools and solutions entrepreneurs need to stay updated on the latest news in the industry