MANILA, Philippines — The National Privacy Commission (NPC) will investigate the claim of Foreign Affairs Secretary Teodoro Locsin Jr. on social media that a terminated contractor had run off with personal data of passport holders.
Privacy commissioner Raymund Liboro over the weekend said they are preparing to summon officials of the Department of Foreign Affairs (DFA) and other agencies as well as the unnamed contractor to shed light on the matter.
“The NPC shall conduct its own investigation on the DFA assertion that a private contractor has caused the non-availability of Filipino passport data and other documents entrusted to it for processing,” Liboro said.
“Any form of non-availability of personal data, infringement of the rights of data subjects and harm from processing that includes inconveniencing the public, must be adequately explained to the satisfaction of the law,” he added.
The Data Privacy Act of 2012 created the NPC and mandated it to ensure that the law’s provisions, particularly on the protection of personal data of Filipinos, are upheld by government agencies and private organizations.
Locsin earlier claimed that a contractor ran off with the passport data, prompting the agency to require those renewing passports to submit birth certificates.
He did not identify the contractor involved, or when it carted away the data, or how the DFA responded to the incident.
“One way is by not sharing the app that allows access. In other words the public has been inconvenienced horrendously on f***ing officials’ excuse the data has to be reconstituted. Any other angle is what we journalists call a cover-up,” he said in a tweet when asked how the contractor was able to retain the data.
The possible data theft was a national security issue and a reflection of the Duterte administration’s incompetence in protecting the people’s private data, according to Sen. Risa Hontiveros.
“Exactly what data were lost? When, how and under whose watch did this happen? Where did the breakdown occur? Who exactly is the responsible firm? And why aren’t they being sued for running away with such vital information?”
She said the government needs to reassure the people that their data would be retrieved completely and that those responsible for such “gross display of incompetence” are held fully responsible.
“They say, ‘go out and see the world.’ But how can our people do that if our government can’t even provide efficient passport application and renewal services to the public? Worse, it can’t be trusted to protect the citizens’ sensitive data,” she said.
The senator said it’s now doubtful if the President can keep his promises to protect the country’s sovereignty and the people. “If we cannot trust it to protect our people’s documents, how can we trust it with anything else?”
Worried passport holders, meanwhile, have bombarded social media with expressions of concern and indignation.
On Twitter where he made the initial claim that passport data were taken by a contractor, Locsin received a flurry of comments and inquiries regarding the government’s action on the matter.
“So where is the data now? With the private firm? If it is, we should get it back! Are we expecting soon a #DFADataLeak? I hope not,” one Twitter user told the secretary.
“What’s the government action plan for the possible data leak?” another asked.
A netizen noted that digital hacking is already considered an e-crime punishable by Philippine laws, apparently referring to cybercrime prevention and data privacy laws.
“The government should unleash hell on earth for this crime upon the state and its people,” he added.
Lawyer Romel Bagares noted that the Data Privacy Act, passed in 2012, provides that the personal information belongs to the data subject concerned.
“The DFA is required under law to have data sharing agreement – with appropriate protections for data subjects – for transactions like this,” he said in a post on Facebook.
But in one post, the secretary appeared to downplay the incident and even insinuated that it may have never happened at all.
“(Old passports) should f**king be enough unless the data based in birth certificate got lost, stolen or is as being now claimed mere inaccessible which is f***ing the same thing,” he told one user who asked if birth certificates are necessary for passport renewal.
“It is not a question of data privacy. The data is useless to the old contractor. It is a question of official stupidity or more likely cupidity,” he added in another post.
He later admitted that they are not aware if the matter had been corrected or not.
“I just want it fixed and not repeated. Redundancy of data was promised by previous contractor but not fulfilled or just denied us. We have no knowledge whatsoever if it had been corrected,” he said.
“Like a cuckolded husband, we are always the last to know,” he added.
It was Locsin who revealed earlier this week that a terminated contractor ran away with data of passport users.
He used the anomaly to explain why birth certificates are needed for renewal of green or maroon passports, or those issued before the dark maroon electronic passports.
“Previous contractor got pissed when terminated it made off with data. We did nothing about it or couldn’t because we were in the wrong. It won’t happen again. Passports pose national security issues and cannot be kept by private entities. Data belongs to the state,” he said.
“DFA lost its previous data to the previous contractor who claimed they owned it,” he added. – With Cecille Suerte Felipe