Topic: Will RA10173 provide sufficient mechanism for the introduction of the national ID system in the Philippines without constitutional issues as provided for in the case of Ople vs. Torres?
In this modern day age, technology has made it possible to simplify communication processes. One such technology is the biometric system which measures and analyzes human body characteristics, such as DNA, fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.
Many industries are now using the technology to expedite complex transactions and processes. In high-value e-bank transactions, a bank would first require biometric verification before pushing through with the transaction. Some states also use biometrics for border security by requiring the use of biometric passports.
The creation of a National Computerized Identification System
In Blas F. Ople vs. Torres GR No. 127685, an attempt, through the creation of A.O. 308, had been made by the government to use this technology locally through the establishment of a National Computerized Identification System. In the said scheme, individuals are to be assigned a Population Reference Number (PRN) as a common reference number to establish linkages among concerned agencies through the use of biometrics and computer application designs.
A.O. 308 was created to address the need to provide the citizens and foreigners with the facility to conveniently transact business with the basic service and social security providers and other government instrumentalities and the need to reduce, if not totally eradicate, fraudulent transactions and misrepresentations by persons seeking basic services. The law, however, was challenged as vague, inaccurate and highly prejudicial to the welfare of the citizens. The Supreme Court eventually declared the said law as null and void for violating the Constitutional right to privacy.
Threats to the Constitutional Right to Privacy
Other than the fact that A.O. No. 308 was issued by the executive branch of the government, the following findings were given great weight for they were clearly threats to the Constitutional guarantees of the right to privacy as to communication and correspondence, as to the liberty of abode and travel, and as to the right against unreasonable searches and seizures:
Section 2 and 4 of A.O. 308 authorized an Inter-Agency Coordinating Committee (IACC) to draw-up the implementing guidelines and standards in the use of Biometrics technology. The said provisions however failed to specify the type or class of biometric feature or biometric technology to be used. Failure to do so may result to the excessive grant of authority to collect and use biometric features and will eventually lead to a violation of Constitutional rights.
From the admission made by the Solicitor General that the PRN’s will be used to generate population data for development planning, it was revealed that the biometric characteristics to be collected were not solely to be used for identification purposes. A.O. No. 308 itself failed to specify, in clear terms, the purpose of the collected biometric data. Considering that a PRN is attached to all transactions with government agencies, it would have contained a vast amount of information pertaining to the PRN owner. The use of a biometric database of the population for any other purpose other than for identification as deemed necessary by the government is clearly prejudicial to the Constitutional rights of an individual.
As to the manner of handling biometric data, A.O. No. 308 failed to provide any procedural guidelines. The order did not provide the system of processing biometrics, the circumstances under which data is to be collected and/or processed, the persons responsible for disposing the information as well as their respective accountabilities.
As to the safeguards against data leakages, neither A.O. No. 308 nor any other law at the time failed to safeguard and penalize the unauthorized disclosure of collected information in relation to all government agencies involved in the National Computerized Identification System. Considering that the scheme is a linkage for various government agencies, an effective law for the system must safeguard the collection of biometric data for each and every government agency concerned.
RA 10173 “Data Privacy Act of 2012”
After more than a decade, RA 10173 or the Data Privacy Act of 2012 was enacted by congress to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The Act composed of nine chapters which include the rights of a data subject, the accountabilities and responsibilities for transfer of information and the penalties for its violation.
In answering the question of whether or not the government may now validly pursue of the National Computerized Identification Reference System, notwithstanding the previous Constitutional challenges to it under Ople vs. Torres, the issues herein discussed must be presented as challenges against RA 10173.
RA 10173 addressing the Constitutional Issues in Ople vs Torres
· Unspecified manner/procedures in handling sensitive personal information
In the case of Ople vs Torres, the Supreme Court found that in order to safeguard the privacy and guaranty the integrity of the information, a law must specify the persons involved and authorized in data management or processing and under what circumstances can the process be lawfully done. Sections 11 and 12 of RA 10173 provide these requirements in detail.
Section 11 of RA 10173 gives us the General Data Privacy Principles which provides the circumstances under which personal information is to be collected and processed. Under this provision, personal information must be collected and processed fairly and lawfully. Furthermore, the provision mandates the use of the gathered data pursuant to the purpose for which they are collected, and the retention of the gathered data for as long as necessary for the fulfillment of such purpose.
Sec 12 of RA 10173 on the other hand provides the criteria for lawful processing of personal information. This provision provides us with the enumeration of circumstances under which the processing of personal information is permitted by law.
· Insufficient safeguard against indiscriminate disclosure
Ople vs Torres also revealed to us the Court’s concern for the lack of safeguard against the leakage of gathered information. It was noted that A.O. 308 lacks the teeth to guaranty that the information gathered shall only be used for the purpose for which they were collected. This problem opens the door to widespread misuse of the information attached to the PRN of a data subject. Under the Data Privacy Act of 2012, this concern is resolved by the establishment of a National Privacy Commission who shall ensure compliance of data handlers with the provisions of the Act. This is further reinforced by sections 14, 15, 16, 20, 21, and Chapter VIII of the same law.
Section 14 of RA 10173 - Subcontract of personal information- sets conditions on when a personal information controller may subcontract the processing of personal information to ensure the confidentiality of the data gathered and prevent its unauthorized usage. Section 15 on the other hand grants personal information controllers the right to invoke the principle of privileged communication over the data that they lawfully control or possess. Section 16 is a repository of the rights of a data subject which lets the data subject gain a sense of control over the already released personal information. This provision empowers the data subject to receive notice on the status of the released information, to dispute errors in the entries of the personal information, to suspend or withdraw his/her personal information from the filing system, and lastly, to be indemnified of any damages sustained due to an incorrect entry of information or an unauthorized use of such information.
Section 21of R.A. 10173 speaks of levels of accountability. The provision not only details the level of accountability of each information controller but also the accountability of third party information processors. This provision is essential to the constant confidentiality of the personal information as it passes through the different stages of data processing,ensuring that the safeguards provided for by law are observed at all levels of such information transfer.
Chapter VIII of the same law contains penal provisions defining the prohibited acts under the Data Privacy Act of 2012 together with their corresponding penalties. This chapter is essential in the enforcement of the law for the purpose of giving the law more teeth for compliance.
· Concerns of the Court regarding the decreasing level of reasonably expected privacy
Although not against technology, the Court also raised its concern over the use of computers in data collection, as they can access almost any type of information with ease thereby decreasing the level of reasonably expected privacy. Furthermore, due to the rapid development in science and technology, what is considered as a secured system under current standards may become vulnerable after only a short period of time. The very same technology that may enable us to simplify and eventually escape the struggles of bureaucracy may very well be the same technology that will lead to the impairment of our right to privacy. In this sense, the Data Privacy Act of 2012 becomes more effective as its wordings on establishing guidelines and safeguards are made in a general manner in which it may be made applicable to future conditions or technologies.
While the Data Privacy Act of 2012 effectively lays the foundation for the creation of a National Computerized Identification Reference System, the law that shall establish a National Identification system must be in itself clear and concise in its terms as to effectively grant a definite authority to enforce the law. The purpose of data collection, may it be biometrics or otherwise, must be clearly provided as to make it complimentary to the provisions of RA 10173 specifically sections 11 d,e and f which provides that the personal information must be:
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
Lastly, the type of data to be used or collected and the type of technology must be specified in order to comply with the standards set by law. Again, failure to do so may result to the excessive grant of authority to collect and use biometric features and will eventually lead to a violation of the Constitutional right to privacy.
With the enactment of RA 10173, the government may now pursue the establishment of a National Computerized Identification System. The Data Privacy Act of 2012 lays a stable foundation for the utilization of an information gathering system, may it be biometrics or otherwise, through the setting up of a Privacy Commission, and the formulation of precise definitions as to the scope of personal information covered, information processing, chain of accountabilities and respective penalties for its violation.
The establishment of a National Computerized Identification System will not only reduce, if not totally eradicate misrepresentations and corruptions through fixers but also, the system will expedite government transactions leading to faster provisions of services and social security.
DISCLAIMER: This blog is not made by a lawyer. It is not intended to give advice nor establish any attorney-client relationship with any person. This publication is made solely to comply with the requirements for the subject Technology and the law.
 “Biometric Authentication ATMs, Law enforcement and Airports” website: http://ntrg.cs.tcd.ie/undergrad/4ba2.02/biometrics/now.html
 Blas F. Ople vs Torres GR No. 127685 July 23, 1998
 Blas F. Ople vs Torres GR No. 127685 July 23, 1998
 Sec 2. RA 10173 (Data Privacy Act of 2012)