September 11th, 2022
House Ways and Means Chair Joey Sarte Salceda (Albay, 2nd district) says that the Inter-Agency Task Force (IATF) on Emerging Infectious Diseases was “careless to require contact tracing under multiple apps and databases,” instead of just one application with a single data controller protecting the data. He said that contact tracing databases kept by different establishments may have been the source of the personal information used in text spam recently received by mobile phone users.
“The IATF did not push hard enough and enforce a single contact tracing app with a single database. That means you had different data collectors, some of whom may not have been able to protect data. I don’t want to ascribe malice, but some of them may have even sold it.”
“All of these potential data breaches could have been limited by having just one single controller and clearinghouse of data that is also protected and audited.”
Salceda asked that the National Telecommunications Commission work with the telecommunications companies to detect and prevent “a mass of successive text messages in suspicious volumes.”
“That way, we can prevent mass or spam messaging.”
Salceda wants NPC to find source of data breach
“That said, that doesn’t answer the question of a data breach yet but merely prevents the abuse of data illegally accessed. We still have to find out how they were able to find the data,” Salceda said.
Salceda said that a data breach appears to have been committed, citing Privacy Policy Office Advisory Opinion No. 2017-68, which states that “once the said prepaid number is activated and associated/linked to an individual subscriber, i.e. through the use of the mobile number for various registrations, availment of products or services, etc., then the same is already considered as personal information.”
Salceda also added that under the Data Privacy Act of 2012, the data controller “shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.”
“The data controllers seem to have been incapable of protecting all data. And there was plenty of room for breaches because there were so many data controllers, by virtue of having multiple contact tracing apps.”
“IATF and DOH required contact tracing in March 2020, but privacy guidelines were issued in June 2020. So you had three months where it was a ‘wild west’ for data privacy. There was no sheriff in town for three months at least. That’s the only big data source I can identify.”
Salceda warns that “because of how banking is now so interconnected with mobile, we should treat mobile numbers with the same care as we treat banking. There’s money for thieves to steal in data breaches.”