The recent implementation of a five year old Data Privacy Act in the Philippines created quite an uproar in the business sector. Like all companies, airlines are required to adopt international principles and standards in data protection/ privacy. It remains to be seen whether the rules will be able to strike a balance between the rights of every person to privacy and the objective of the state to ensure a free of communication.
In a nutshell, the new rules require airline companies and their respective service providers and suppliers to install processes to minimize security breaches and allow a procedure to immediately report such breaches in data privacy to the National Privacy Commission. As the recently designated Data Protection Officer of Philippine Airlines, I can only surmise the magnitude of the impact of such privacy law on how we use information that we gather and maintain. Common carriers require the collection and use of personal information for various purposes – market research, targeted marketing, customer analysis, passenger profiling, to name a few. Common carriers are also bound to share personal information with government regulators for various purposes – compliance, audit, and border security as well as to third party serviceproviders.
With the rapid advancement in technology and the advantages of faster internet speed, information can easily be obtained, used, and, unfortunately abused.
Among others, the law dictates that information about a data subject shall require an informed consent to the extent that the subject has to be apprised as to the purpose, usage, and retention periods of any and all information prior to its collection, save for some exceptions. Rights of data subject include right to have access, to object its collection, to rectify, to erase, among others.
With the rapid advancement in technology and the advantages of faster internet speed, information can easily be obtained, used, and, unfortunately abused. As a result thereto, collecting and compiling passenger information at the point of tickets sales will have to be reviewed. Maintaining information databases for loyalty and rewards programs will have to be reevaluated. Opt in and opt out provisions in web-based forms will have to be reassessed. All of these concerns will be addressed soon after each department will conduct a privacy impact assessment. The greater concern is whether information freely given online in social media sites is protected.
Take the case of a passenger who lodged a complaint online using his Facebook account. Other information such as such as the email address, mobile number, birthday, gender, and civil status may be unnecessarily exposed and even accessed by the handling customer agent. Naturally, issues will arise as to whether prior consent was obtained and as to whether how such information can be used. So far, PAL is in the middle of establishing procedures to insure that all data subjects who transact business with PAL are given sufficient notices and warnings every time they “freely” offer whatever information they have shared online.
Breaches in information security or data privacy will nonetheless occur despite systems in place. The law imposes the duty upon the Data Protection Officer to report such breach to the National Privacy Commission within 72 hours upon knowledge of such breach.