Insurers told to protect customer's data privacy
The National Privacy Commission urged the country's non-life insurers to protect the personal data they collect from customers and instill a culture of data privacy within their companies.
In a recent seminar on Data Privacy Protection co-organized by the Philippine Insurers and Reinsurers Association (PIRA) and Pacific Cross, NPC Commissioner Raymund Liboro insurers have a moral and legal responsibility to protect their customers' data since their business is founded on trust.
"Your business is to take care of the risks of your customers, and they trust you with their personal information. You can be a target of hackers, so you have to be ready," he said.
Liboro said that under the country's Data Privacy Law. companies are obliged to appoint a Data Protection Officer who will ensure that a culture of data privacy is established. Such culture of privacy, in turn, would translate to prevention and mitigation of data breaches.
Liboro noted that in 2017, 47% of data breaches were cost by external factors such as cyber attacks, while the remaining 53% are caused by internal factors such as system glitches and employee negligence.
"Human error is a major factor of breaches," he said.
To address this, the NPC chief pointed out several tips:
Collect only personal information for specified and legitimate purposes, determined and declared before or as soon as reasonably practicable after collection.
1. Process personal information fairly and lawfully and in accordance with the rights of data subject.
2. Retain personal information only for as long as necessary for the fulfillment of the purposes for which the data was obtained.
3. Put in place reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information.
"Data privacy is not just about IT. It's part IT, part finance and part legal. We have to protect the CIA of data -- Confidentiality, Integrity and Availability. When the NPC goes to you, we are going to look or check if there’s a culture of privacy, if there is a sensible program in place and if you have trained your staff in data privacy and protection and if you are prepared for a breach," he said.
Liboro's cited Singapore as a country with a culture of data privacy. "When you enter a building in Singapore and you need to log, you will have to sign a privacy notice. That’s the demonstrated compliance," he said.
Finally, he stressed on one golden rule of data privacy: "If you can’t protect it, then don’t collect it."
The NPC has been actively promoting compliance to have government and private firms in the Philippines register their data processing systems with the Commission before the March 8 deadline as part of the requirements of the Data Privacy Act of 2012.
A study by Social Weather Stations (SWS) commissioned by the NPC in 2017 showed that 94% of Filipinos want to know how businesses would use their personal information.Hits: 408