The National Privacy Commission (NPC) said the final version of the SIM card Registration bill should ensure Filipinos’ personal data are secured and protected.
At the same time, NPC said the law should provide sufficient time for registration to prevent mobile users from being cut off from enjoying mobile services due to a limiting SIM-card registration period.
Privacy Commissioner Raymund Liboro made these statements following the approval on final reading last December 6 House Bill 5793 or the proposed SIM-Card Registration Act. A similar measure has been filed in the Senate.
“The final version must clearly articulate the requirements for the implementation of data security measures by entities identified to handle SIM-card registration and that these entities be held accountable for any violation of data privacy rights under the DPA (Data Privacy Act,” Liboro said in a statement yesterday.
Liboro said the NPC will assess the potential risks of the proposed law and provide practical recommendations to mitigate these risks so mobile users can be protected.
NPC acknowledges the benefits of the proposed law by enabling small and medium enterprises engaged in e-commerce while building consumer trust to go digital.
NPC said the need to know-your-customer or know your caller is imperative to protect the public from ICT-enabled scams and frauds.
But it noted mandatory SIM-card registration will succeed only under a framework of guaranteed privacy protection for mobile users.
NPC said in addition to the DPA, the PhilSys which establishes a single source of truth for identification will address the registration barrier of validating identities.
The bill includes a confidentiality clause that prohibits disclosing any information of a subscriber, unless upon subpoena or order from a court or written request from a law enforcement agency about an investigation that a particular number is used in the commission of a crime.
Under the bill, every public telecommunication entity (PTE) or direct seller shall require the end-user to present valid identification to register a SIM.
PTEs or telcos must provide the data protection citizens expect. They are required by the DPA to afford appropriate organizational, technical, and physical security measures to secure the personal data they will collect and prevent its unauthorized use and abuse.
Under the DPA, telcos are required, among other things, to conduct privacy impact assessments, enable their employees and supply chains on data security and privacy to prevent data breaches and ensure end-to-end protection of personal data. – Irma Isip
