Friday, May 16, 2025

Risk of data sharing flagged

The financial services industry is advised to handle the personal data of customers carefully in its bid against fraud.

The National Privacy Commission (NPC) in a statement yesterday said it has issued Advisory Opinion No. 2021-026 as a guide to personal information controllers in protecting the privacy of shared databases in response to the initiatives of the financial services industry on cybersecurity.

The advisory sets strict adherence to the basic data privacy principles of transparency, legitimate purpose, and proportionality, and the conduct of privacy impact assessments (PIA).

The financial industry’s shift to digital financial and payment services due to the COVID-19 pandemic brought about cyber-attacks and fraudulent schemes on financial institutions and their clients.

“Anti-fraud data sharing initiatives of the financial services industry must eliminate potential risks on the personal data of data subjects. A shared database calls for fair and lawful processing of personal data,” NPC said.

While data sharing for investigation and resolving fraud incidents is allowed under the Data Privacy Act of 2012, the NPC advised the financial services industry to conduct a PIA, which is crucial in “identifying, assessing, evaluating, and managing the risks that originate from a shared database and provide data subjects avenues to exercise their rights.”

The NPC said it recognizes a shared database for know-your-customer, enhanced due diligence, and anti-money laundering monitoring purposes may boost the integrity and security of the financial system.

However, it said a shared database may have significant legal effects on the rights and freedoms of data subjects included in the database.

To ensure privacy protection in shared databases, the personal data “must be accurate, relevant, and kept up-to-date. Inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted,” the advisory opinion read.

“There is a need to ensure that personal and sensitive personal information (collectively, personal data) is processed fairly and lawfully,” the advisory said.

NPC said the PIA will identify, assess, evaluate, and manage the risks represented by the processing of personal data in the shared database.

“We remind the financial services industry that data subjects should be provided mechanism to exercise their rights. Needless to say, these rights are not absolute and may be duly limited when necessary for public interest, protection of other fundamental rights, or when the processing of personal data is for investigations in relation to any criminal, administrative, or tax liabilities of a data subject, among others,” the advisory said.
