The National Privacy Commission (NPC) warned businesses that using ID card scanning operations has a high risk of data leaks.
Businesses and associations that permit their employees to use personal electronic devices or take photos of the IDs of clients, guests, or other people without the necessary privacy notice were brought to the NPC's attention.
According to the NPC, personal information controllers (PICs) and personal information processors (PIPs) "shall obtain the consent of the data subjects prior to the collection and processing of their personal data, subject to exemptions provided by the DPA (Data Privacy Act) and other applicable laws and regulations."
It cited the practice of hotel chains as one example of how this must be done.
Receptionists who use their personal smartphones rather than the ones provided by their employers to take photos of guest IDs, car salespeople who photocopy a customer's ID for "verification purposes," telco representatives who ask customers to send photos of their IDs through Viber, WhatsApp, or Facebook Messenger, and homeowners' and condominium associations that make copies of physical IDs and demand that their members deposit them
According to the NPC, permission from clients, visitors, and other people is required.
In order to achieve this, the NPC needs the following behaviors:
- Consent: When it meets the requirements for the authorized processing of sensitive personal data under Section 13 of the DPA, the PIC must get the individual's express agreement before taking and processing their identifying photographs and details.
- Privacy Notice: Before capturing their IDs, present a concise, transparent, and easily understood privacy notice. The purposes of the processing, the security measures used, the retention term, and the purpose limitation should all be included in the notice, among other things. Put rules in place to make sure that pictures taken with personal devices are stored in a way that complies with corporate standards and the DPA.
- Secure Storage and Transmission: Implement measures to prevent employees, agents, or other personnel from using the images for other purposes, such as encryption, access controls, and other tools.
- Proper Disposal: Establish rules and procedures to ensure that images are deleted and disposed of once the intended use has been achieved. The PICs should carry out audits and verifications to make sure that disposal guidelines have been followed.
The NPC also stated that organizations and businesses must appropriately dispose of copies of IDs, documents, and other personal information belonging to their visitors and clients.
