Data Privacy and the Philippine Identification System

Last August 6, 2018, President Duterte signed into law Republic Act No. 11055, also known as “An Act Establishing the Philippine Identification System (or “National ID Act”).”  The Act seeks to establish a single national identification system referred to as the “Philippine Identification System” or the “PhilSys” for all citizens and residents of the Philippines[1] to provide a valid proof of identity for them as a means of simplifying public and private transactions.[2] The Implementing Rules to the National ID Act (or “IRR”) were approved on 5 October 2018.

 

Overview of the Philippine Identification System

 

The management, maintenance, and administration of the PhilSys shall carried out by the Philippine Statistics Authority (or “PSA”), with technical assistance from the Department of Information and Communications Technology (or “DICT”).[3]  In establishing the PhilSys, each citizen and resident alien is required to have a PhilID, which shall serve as the official government-issued identification document in dealing with all national government agencies, local government units, government-owned or –controlled corporations, and private sector entities.[4]

 

The initial application and issuance, as well as renewal of the PhilID is free of charge for Filipino citizens; however, a standard fee will be charged from resident aliens and for reissuance of a replacement PhilID. The PhilID can be used for the following transactions: (1) application for social welfare and benefits; (2) availing of government services from SSS or GSIS, Pag-IBIG, PhilHealth, and other agencies; (3) application for passports and driver’s licenses; (4) tax-related transactions; (5) voter’s registration and identification; (6) admission to helath institutions; (7) application to learning institutions; (8) job applications; (9) opening of bank accounts and other financial transactions; (10) criminal record verification and clearances; and other transactions requiring proof or verification of citizens’ or resident aliens’ identity.[5] Each transaction requiring the presentation of the PhilID will be subject to authentication or the verification of the identity of the individual against the registry information in the PhilSys.

 

One (1) year after the effectivity of the National ID Act, registration centers will be made available to the public and an individual must personally go to a designated registration center in order to apply for the PhilID. The applicant must submit the application form and present supporting identification documents[6]; and the entries provided in the application form will be compared with and verified from the identification documents. If there are no discrepancies, the applicant’s biometric information[7] shall be captured. If the biometric information is found to be unique, a PhilSys Number or “PSN” will be issued to the applicant, and the registration is deemed complete. Biometric exceptions will only allowed in cases of visual or physical impairment that would render the capturing of the said information impossible. It is only upon complete registration that the person shall be issued a PhilID.[8]

 

Data Privacy in PhilSys

 

Information and data of the PhilID cardholders are to be collected and stored under the PhilSys by the PSA. It is thus vital that there be safeguards put in place in order to protect these data, consistent as this would be with the data privacy regime under the Data Privacy Act. The National ID Act limits the PhilSys data to the cardholder’s demographic data consisting of their full name, sex, date and place of birth, blood type, address, biometric information, and if he or she is a Filipino citizen or a resident alien. Some demographic data such as the cardholder’s marital status, mobile number, and e-mail address, are categorized as only optional.[9]

 

The PSA is mandated to ensure that individuals are adequately informed upon their PhilSys registration on how their data will be used[10] and the registered person should give his or her consent as to the processing of his or her personal information in transactions Each cardholder will also have a record history in the system consisting of particulars in relation to the filing of his or her application for registration, modification of his or her data in the system, issuance of the PhilID, and details of authentication requests whenever the PhilID is used in transactions.[11] All data collected by the PSA under the PhilSys may be used to generate aggregate data or statistical summaries without reference to or identification of any specific individual.[12]

 

The National ID Act and its IRR further provide for measures against unlawful disclosure of information by providing that the data collected and stored may only be used for the purposes for which they were collected as set forth in the National ID Act, and the only instances when disclosure may be made to third parties is upon the consent of the registered person or upon order of competent court when the compelling interest of public health or safety so requires.[13] In case of unlawful access, use, and disclosure of PhilSys data, penalties of imprisonment and imposition of fines are provided for in the law.[14] The PSA shall also designate a Data Protection Officer to ensure that data protection measures are put into place and that there is compliance with the Data Privacy Act.[15]

 

The PSA will be working closely with the National Privacy Commission, (“NPC”) to help secure PhilSys. NPC has expressed that data privacy is still a priority in relation to the national ID system[16], and that it is enlisting the help of white hat hackers[17] to identify possible issues with PhilSys and ways of implementing privacy strategies and reducing security risks and data breaches.[18]

 

Concerns have been raised over the fact that the government would have access to all the transactions entered into by the individual using the PhilID, and the possibility that such data collected may be used for purposes other than the law’s purpose of identity verification.[19] The National ID Act and its IRR provide penal provisions sanctioning those who commit data privacy breaches in violation of the National ID law, but they do not expressly specify other reliefs that those whose privacy rights had been breached may avail of.

 

 

[1] R.A. No. 11055, Sec. 2

[2] R.A. No. 11055, Sec. 3

[3] R.A. No. 11055, Sec. 20

[4] R.A. No. 11055, Sec. 7(c)(2)

[5] R.A. No. 11055, Sec. 13

[6] PSA-issued birth certificate and one (1) government-issued identification document with full name, photo and signature or thumbmark; or Philippine ePassport issued by DFA; ot Unified Multi-purpose Identification (UMID) Card issued by GSIS or SSS; or other equivalent identification documents as may be determined in the guidelines issued by the PSA.

[7] Front-facing photograph, full set of fingerprints, and iris scan.

[8] IRR of R.A. No. 11055, Rule II, Sec. 8

[9] R.A. No. 11055, Sec. 8

[10] R.A. No. 11055, Sec. 18

[11] R.A. No. 11055, Sec. 5(i)

[12] R.A. No. 11055, Sec. 18

[13] R.A. No. 11055, Sec. 17

[14] R.A. No. 11055, Sec. 19

[15] IRR of R.A. No. 11055, Sec. 22

[16] Data Privacy Still a Top Priority in National ID Implementation, NPC Says. <https://privacy.com.ph/news-article/data-privacy-still-a-top-priority-in-national-id-implementation-npc-says/>

[17] ethical computer hackers or security experts

[18] Gov’t. taps “hack bayani” community to help secure PhilSys, data-driven public projects. <https://www.privacy.gov.ph/2018/09/govt-taps-hack-bayani-community-to-help-secure-philsys-data-driven-public-projects/>

[19] ‘Record history’ casts cloud of doubt on proposed national ID system. <https://www.rappler.com/newsbreak/in-depth/204229-record-history-proposed-national-id-system-philippines>

Post a Comment