This question deserves a qualified answer. There is no doubt that a person’s phone number is considered personal information sought to be protected under the Act[i]. However, in order for liability to be ascertained, it is necessary to determine how the giver of the phone number acquired such information. Taken as a whole, it can be deduced that the legislative intent of Republic Act No. 10173 (“RA 10173” or “the Act”, for brevity) is to secure, regulate and protect personal information in the government’s and private sector’s information and communications systems. By defining who a personal information controller is, the Act explicitly excludes an individual who collects, holds, processes or uses personal information in connection with his personal, family or household affairs. Thus, the act of A in giving B’s phone number to C is free from any liability if A acquired B’s phone number through his individual and personal capacity.
When RA 10173 has no application
Sec. 4, par. 2 of RA 10173 provides for instances which the Act does not cover[ii]. Consequent to the enumeration under numbers 1 and 2 of said section, it follows that if B is a government officer, employee or service contractor for a government institution, A’s action would not fall within the ambit of the Act. The Act would also have no application if B happens to be a source of any news report or information appearing in a publication, who gave his phone number in confidence to such reporter, A – since this would be governed by Republic Act No. 53. The same goes if A obtained and gave out B’s phone number in the performance of a necessary function of public authority or for banks and financial institutions since this would be governed by the Secrecy of Bank Deposits Act (Republic Act No. 1405), Foreign Currency Deposit Act (Republic Act No. 6426), and Credit Information System Act (Republic Act No. 9510), respectively.
RA 10173, when applied
For purposes of this discussion, we resolve to provide two scenarios: the first is that A validly obtained B’s phone number, A being a personal information controller defined under Sec. 3 (h) of the Act; and in the second scenario, A did not have any authority to access such personal information. In both instances, B did not give his consent for the release of such information to third persons.
We now tackle the first scenario. Without B’s consent, the act of A in giving B’s phone number to a third person would still be free from any liability under the Act if it passes the following necessity test:
1) A’s action was necessary in relation to the fulfilment of a contract with B;
2) A had to give B’s phone number in compliance with a legal obligation to which A was the subject (ex. A court order to release such information);
3) A’s action was necessary to protect B’s vitally important interests, including his life and health;
4) A was compelled to give B’s phone number to respond to national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority; and
5) A’s action was done in order to serve the legitimate interests of the entity to which the phone number has been disclosed as long as no constitutional rights are violated.
Thus, A will only be liable under the first scenario if his purpose in releasing the personal information was other than those enumerated above. A may then be charged with Malicious Disclosure[iii] or Unauthorized Disclosure[iv], as the case may be.
It cannot be overemphasized that this Act only allows the release of personal information under justifiable circumstances to prevent a greater evil. As can be gleaned from the court’s pronouncement in the case of Gamboa vs. Chan[v]: “…when the right to privacy finds tension with a competing state objective, the courts are required to weigh both notions. In these cases, although considered a fundamental right, the right to privacy may nevertheless succumb to an opposing or overriding state interest deemed legitimate and compelling. x x x…the fact that the PNP released information to the Zeñarosa Commission without prior communication to Gamboa and without affording her the opportunity to refute the same cannot be interpreted as a violation or threat to her right to privacy since that act is an inherent and crucial component of intelligence-gathering and investigation.”
To further exemplify liability under RA 10173, the court held in the same case that although the leakage of the information to the media warrants reproach, Gamboa failed to establish that respondents were responsible for this unintended disclosure. Hence, applying this finding to the present scenario, it is not only necessary that A acted without any authority to disclose the personal information; B must also be able to establish that the unauthorized disclosure came from A.
Conversely, the court struck down an administrative order in the case of Ople vs. Torres[vi] where it held that: “the right to privacy is a fundamental right guaranteed by the Constitution, hence, it is the burden of government to show that A.O. No. 308 is justified by some compelling state interest and that it is narrowly drawn. A.O. No. 308 is predicated on two considerations: (1) the need to provide our citizens and foreigners with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities and (2) the need to reduce, if not totally eradicate, fraudulent transactions and misrepresentations by persons seeking basic services. It is debatable whether these interests are compelling enough to warrant the issuance of A.O. No. 308. But what is not arguable is the broadness, the vagueness, the overbreadth of A.O. No. 308 which if implemented will put our people’s right to privacy in clear and present danger…x x x… A.O. No. 308 falls short of assuring that personal information which will be gathered about our people will only be processed for unequivocally specified purposes. The lack of proper safeguards in this regard of A.O. No. 308 may interfere with the individual’s liberty of abode and travel by enabling authorities to track down his movement; it may also enable unscrupulous persons to access confidential information and circumvent the right against self-incrimination; it may pave the way for “fishing expeditions” by government authorities and evade the right against unreasonable searches and seizures… They threaten the very abuses that the Bill of Rights seeks to prevent.”
We now move to the second scenario where A, not having any authority to access such personal information, discloses the same to a third person. If A was able to access such personal information by negligence, he can be held liable under Sec. 26[vii] of RA 10173, which provides a punishment of 1 to 3 years imprisonment and a fine of P500,000 to P2,000,000. If A obtained the personal information so disclosed by intentional breach, then he can be held liable under Sec. 29[viii] of the same Act. Punishment provided under Sec. 29 also ranges from 1 to 3 years imprisonment and a fine of P500,000 to P2,000,000. The act of disclosing the personal information without authority carries a different punishment. If A is found to have maliciously disclosed such information, he can be subjected to imprisonment for a term of 1 year and 6 months to 5 years and a fine of P500,000 to P1,000,000. Should A be found to have disclosed said personal information without malice, he can be subjected to a term of 1 to 3 years imprisonment and a fine of P500,000 to P1,000,000.
Unauthorized disclosure of personal information is an issue we encounter every day. It seems that Filipinos, not being as susceptible to identity theft as Americans are, still have a laid-back attitude towards protecting personal information. This could be attributed to the American centralized ID system through the Social Security Number. By contrast, the administrative order implementing the same system was struck down here in the Philippines for being violative of the right to privacy, lacking appropriate measures to assure that information gathered will be processed for unequivocally specified purposes only.
Some may not pay due regard to unintended or unauthorized disclosure of personal information because the risk it carries with it is so trivial. But to others, the dangers can be as grave as death. It could be the opportunity that robbers have been waiting for, the chance that an obsessive stalker has been hoping for, or the moment that extortionists have been eyeing. To illustrate further, we move to discuss specific cases in point.
Agents offering loans, credit cards & other bank products
Most cell phone users, if not all, have probably encountered these stubborn text messages from financial institutions and other companies offering a wide array of services ranging from preapproved credit cards, loans with minimal requirements and low interest rates, free health insurance coverage, balance transfers and the like. It would perhaps be acceptable if one has an existing relationship with these companies or service providers, as the case may be. But absent any relationship, one could wonder where these people could have gotten one’s phone number.
If they were able to obtain your name and phone number behind your back, who knows what else they know about you? If unscrupulous individuals found out that you took out a P3M loan from Y Bank, wouldn’t that make you a very easy target for extortion or robbery?
The ease of changing SIM cards and the lack of personal interaction make it hard, if not impossible, to hold someone accountable for his actions. Some of these agents do not even use their real or complete names in these transactions, which makes it even harder to establish accountability.
HR Recruitment Officers offering a job through a referral system
It is quite a trend nowadays that HR Recruitment Officers from companies in the BPO industry would sometimes ask applicants to fill out a Referral Sheet wherein they would need to write down the names of approximately 3-5 people who would fit the job applied for, including their relationship with the applicant, location, current employment status and contact numbers.
Suppose Girlie, a call center agent who works on a graveyard shift, receives a call at 11am from Al, who is an HR Recruiter from Global Company X. Girlie was disrupted from her deep slumber but when she saw that it was from an unknown number, she just disregarded the call. The following day, Girlie received a call from the same number. Agitated, she ended the call. On the third day, the same caller called but this time Girlie heeded the call. When Girlie found out what it was about, she politely refused the job invitation but communicated her discomfort to Al.
Discomforting as it may seem, people like Girlie are often left to hope that no other friend would enlist her on a company’s referral list, or to rely on no other Recruitment Officer from the same company calling her to offer the same job in the future.
It seems that since Girlie gave her phone number to her friend, the friend is not liable under RA 10173 because this is not one of the situations contemplated under the Act.
Service Provider sharing customer information with a sister company or affiliate
Suppose Mr. Ang is a holder of a P5M Special Deposit Account (SDA) at Bank XYZ, which is an affiliate of Investment Firm ABC. Mr. Ang then entrusted his personal information to Bank XYZ, but not to Investment Firm ABC. In time with the approaching abolition of the SDA by the Bangko Sentral ng Pilipinas (BSP), a Financial Consultant (FC) from Investment Firm ABC has been calling him to offer alternative investment products. When Mr. Ang asked where the FC got his personal information, the FC refused to provide it, saying he got the information based on public information. This outraged Mr. Ang, who subsequently filed a complaint against Bank XYZ pursuant to RA 10173. Mr. Ang worries that his life may now be in danger because of such unauthorized release of his personal information.
The questions to be answered are as follows: Are affiliate institutions authorized to share client information? In the affirmative, what are the limitations as to this sharing of information?
RA 10173 allows for the outsourcing of the processing of personal data pertaining to data subjects, where information can be shared with another entity. However, the collection and processing should be conducted for specific and legitimate purposes only and can be stored only as long as needed for the purpose for which it was obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law.
While Mr. Ang may have a valid claim, it bears stressing that he must be able to establish that it was Bank XYZ who released his personal information to the Financial Consultant of Investment Firm ABC. Additionally, he must be able to prove that such act is not authorized by the Bank’s Charter or any law.
In sum, to see whether there is liability or not in disclosing personal information to third persons is to apply the necessity test – that in the absence of the data subject’s consent, the necessity of such disclosure is so vital as to warrant an override of the constitutional guaranty of privacy, subject to certain limitations. Such claim should also be coupled with proof to establish that he who is impugned is the one responsible for the unauthorized disclosure of personal information.
In cases where the right to privacy comes in conflict with a legitimate State objective, the court is required to weigh both notions; and while it is true that Sec. 21 of the 1987 Constitution of the Philippines guarantees respect for rights of persons affected by the legislative investigation, not every invocation of the right to privacy should be allowed to thwart a legitimate Congressional inquiry. But, where a law is so vague and not narrowly drawn that it threatens the very abuses that the Bill of Rights seeks to prevent, it should not be permitted to override a Constitutional right.
[i] RA 10173, Sec. 3 (g) Personal Information – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
[ii] Sec. 4, par. 2 – This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
[iii] SEC. 31. Malicious Disclosure. – Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
[iv] SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
[v] Gamboa vs. Chan, GR No. 193636, July 24, 2012
[vi] Ople vs. Torres, GR No. 127685, July 23, 1998
[vii] SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. – (a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
[viii] SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.