AS EASY AS ABC By Atty. Alex B. Cabrera (The Philippine Star) | Updated August 6, 2017 – 12:00am
Can a CEO go to jail because an employee committed identity theft against another employee?
A new law lays grounds for the CEO to face jail time, even if he himself was not the identity theft. I must say, there are technical grounds for him to go to jail for less – like when an exasperated employee keeps on receiving direct marketing materials. You must say it’s ridiculous, but it’s real. The new Data Privacy Act (DPA) criminalized the act of unauthorized disclosure of individuals’ personal information that are collected by the company, including those voluntarily given – if the information was not used in accordance with the permission of the individual.
The DPA is kind of burdensome. Even a new position is required to be created in the company – that of a data protection officer (DPO) – and a rigid information and communications system must now be in place to allow the protection of individual data. That system must even be registered with the National Privacy Commission if the company employs at least a thousand people.
I was thinking that I do not need all that because I can overcome the law simply by getting the right authorizations from our staff, clients and anyone from whom we collect information (like calling cards during events). That was until our firm’s lawyer-expert told me that if no one in the firm is assigned to be responsible, then the CEO is responsible under the law. Now that makes sense to me to appoint or hire a DPO. But it is still not a source of comfort for me to think that someone else will go to jail (or that I hired someone to take the fall). Now, having the rigid systems in place to avoid breach all makes sense.
Let’s take a few examples you can identify with to see how the law impacts things that happen in the workplace. Say, an applicant passed all qualifying tests and given a start date subject to his passing the medical exam. The exam turned out a finding that he is “obese”. Now the Human Capital (HC) head informed the manager under whom the applicant will be assigned of the issue. But the manager told this story to another in the group, and the latter told the story to everyone else. The medical finding spread like wildfire. The applicant was cleared eventually and was hired. He quickly learned everyone was asking in whispers: “Is he the obese?” If he is a jolly fellow, that’s no problem. But if he complains, there could be a violation of his data privacy because the HC head is in possession of sensitive personal information that cannot be used for any other purpose except that relevant to his hiring.
Let’s take this very interesting case in the US where a retail store, using impressive data analytics, was able to predict the pregnancy of this man’s daughter. The father learned that her daughter received from this retail store direct marketing materials and brochures sent to their house about products for pregnant women. The father complained that this kind of marketing was inappropriate as his daughter was still young and did not seem to be pregnant. As the store manager called to make a follow-up apology, the father also apologized as it turned out his daughter was indeed pregnant.
The retail store predicted that because the daughter bought, I think, coco butter lotion and the store’s analytics showed patronage to this product was high among pregnant women. If this incident happened here, under our new law, the daughter should have voluntarily agreed to having her personal details collected (her name and where she lives), and marketing materials sent to her. Otherwise, the law will be breached by the unauthorized use of her information.
Now you may ask, what is the point in all these when online social networking puts out everything about you out there, anyway? Even privacy settings don’t help much because you might limit your posting to a few friends but their friends can see what you posted. To be honest, this can offer some defense. Identity theft, in fact, happens using merely all of a person’s available data in social media. The thing is, identity theft is minimized if less intimate information about you is made available to the public.
Take this actual decided case of a man who did not finish college but was able to get into law school using the identity of his brother. He used his brother’s name and college transcript of records, and was able to get into law school. He passed the Bar exams and used his brother’s name in the roll of attorneys. He would practice in the province anyway and his kind brother whose identity he assumed could not or would not stop him anyway – until estafa and criminal cases against this lawyer came, bothering the peaceful life of his brother. You see, the more intimate data (like transcript of school records) a person can secure, the more chances of success that an identity theft can have.
The unauthorized access of the company’s database, or emails of co-employees (that can bear their personal details) is now criminalized under the law as a violation of data confidentiality. We have handled cases on this before and sometimes, all we can go for is a labor case based on loss of trust and confidence. Today, however, we can proceed against a scheming co-worker criminally if he researches on data that should be none of his business. Surely, lack of criminal intent can always be raised as a defense, but the data protection law is a special law, and criminal intent is less required to violate it.
What about these informants, who without authority provide confidential information to the Bureau of Internal Revenue so that they can get a commission on the tax fraud case, if it succeeds? Can the company go after them for violating data privacy? The answer is not for sharing company data, because the law is meant to protect “individuals”, not corporations. However, if the informant accessed company data on its employees’ compensation to show, for instance, invalid “tax shelter” schemes, that informant, on this score, can be criminally liable under the Data Privacy Act because he accessed and disclosed sensitive individual data.
Are pictures part of personal information that should be treated as data under the DPA? The short answer is yes. Another expert in our firm told me of a case involving Google Street View car, which took pictures of streets along with the people in them. The court recognized the benefit of the technology and did not stop Google from doing it, but just asked that they blur the faces of these people. Yes, companies should technically seek permission from individuals, for instance, who are attending a company event on how their pictures will be used. I must admit, though, that in this selfie-crazy country where everyone seems to be after even 15 seconds of fame and fun, using their picture for non-malicious purposes could hardly be criminal.
I tested the law against “tsismosos” or rumor-mongers in the workplace. It seems there is some ground to proceed against persons who, by their roles, are in possession of sensitive information about individuals, and those persons spread these information about individuals. For the rest, they do not violate the DPA, especially if the rumor they are spreading is untrue. There are other ways to proceed against them, but let’s take that up on another Sunday.
* * *
Alexander B. Cabrera is the chairman and senior partner of Isla Lipana & Co./PwC Philippines. He also chairs the Tax Committee of the Management Association of the Philippines (MAP). Email your comments and questions to aseasyasABC@ph.pwc.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.