NPC guidelines to collecting customer information for contact tracing

NPC issues NPC PHE Bulletin No. 15 to guide establishments collecting and handling customer information for contact tracing

Client Alert - Published on 16 July 2020

The National Privacy Commission (NPC) issued on 8 July 2020 its “NPC PHE Bulletin No. 15: Guidelines for Establishments on the Proper Handling of Customer and Visitor Information for Contact Tracing” (Bulletin 15) to guide businesses in handling customer and visitor information for contact tracing.

A. Who is covered by Bulletin 15

Bulletin 15 covers barbershops, salons, dine-in restaurants and fast-food businesses collecting personal data from their customers and visitors.

B. What does Bulletin 15 say

1. Collect only what is necessary

Collect only such information as required under existing government issuances. Businesses may adopt sample health checklist forms issued by government agencies but should not collect beyond what is required and necessary.

2. Be transparent

Inform your customers and visitors of the collection of their personal data and the reasons for such collection. This can be done by posting a privacy notice which is readily visible within the business premises (i.e. the entrance). If you opt to use electronic means, the notice should be posted on the platform prior to collection.

Ensure that the privacy notice is easy to access, understandable, and uses clear and plain language.

3. Use information only for the declared purpose

Use the personal data collected through health checklists or other similar forms only for the purpose of contact-tracing measures. Repurposing the data for uses other than contact tracing and storing data for speculative use are not allowed.

You are responsible for reminding your employees and third-party service providers (i.e. security personnel) that using the collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012 (DPA).

4. Implement security measures

You have the obligation to implement reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of your customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.

5. Keep the data only for a limited period

All personal data collected for the purpose of contact tracing should be retained only for the period allowed by existing government issuances. After that period, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or disclosure.

C. How this affects you

If you are a business covered by Bulletin 15, make sure to comply with the guidelines set by the NPC when collecting the personal data of your customers and visitors. Violating the guidelines may be an offense punishable under the DPA, which carries a penalty of fine and imprisonment.

If you have any questions about Bulletin 15 or your compliance with the DPA, our Partner Lawyers specializing in Intellectual Property are ready to help. Just use our “Ask an Attorney” service and our Partner Lawyers will contact you within 1 to 2 business days for a consultation.