GEE5: Living in the IT Era

Quiz No. 3 – Case Study

Transgression of Data Privacy due to Negligence: A Case Study

Submitted to
Mr. Louie Ian Mariano

Submitted by
Jalbay, Altaire Joshua L.

POL1A
April 27, 2022
 Transgression of Data Privacy due to Negligence: A Case Study
Each and every individual possesses rights to data privacy as reinforced under the Data
Privacy Act of 2012 (RA 10173) - which is a very significant aspect of our modern society as we
embrace the technological world where our information and identity is exposed to millions of
everyday interactions. The law guarantees our rights to data privacy, personal information, and
safeguards its confidentiality while providing a standardized mechanism for which consumers,
businesses, institutions, and the government are accountable and responsible for the information
and data they collect, manage, provide, and handle (Padilla, 2020). Its importance, according to an
article published by Ecci (2019), lies beyond just the privacy rights of an individual. It intends also
to safeguard an “important corporate asset” - data, from being breached especially under this
technological time of the century.
With the case of Juan dela Cruz vs. Pedro Ramos and Anna Cruz, Juan, the customer who
filed a request for a birth certificate from the PSA through its customer service center inside a mall
- claimed that Pedro Ramos (mall department in-charge) and Anna Cruz (mall personnel) did not
safeguard the rights and privacy of his data and personal information by not providing any
envelope together with the birth certificate he requested for. The issues of this case are: (1)
whether an acquisition of a birth certificate without an envelope constitutes to a data privacy
violation; (2) whether the cashier upheld the privacy rights of the data subject under Chapter 4 -
Section 16 of the Data Privacy Law; (3) whether Juan dela Cruz violated the data privacy rights of
Pedro Ramos and Anna Cruz by taking photos and videos of them; and (4) whether the mall
maintained standardized measures for data privacy as mandated by their institution and the law as
well as considering if it was appropriate. As such, this paper hypothesizes three things: (1) Juan
dela Cruz did not commit any violations of RA 10173; (2) Pedro Ramos and Anna Cruz committed
several violations of RA 10173; and (3) the mall policies were reasonable and appropriate on the
basis of law and institutional regulations. By examining the issues above, testing hypotheses
through arguments, and providing solutions to it, one would be able to responsibly handle and
protect their personal data and information from vulnerability, privacy attacks, identity theft, and
other cybercrimes (Stouffer, 2021). Moreover, this case shall provide a sense of why data privacy
is important in many situations, how it may possibly be compromised, and what concrete steps one
can take to protect and uphold their privacy and information security.
 The facts of this case are (1) upon filing a request for the birth certificate, Juan’s name,
address, and phone number were collected by the cashier without stating why it was needed; (2)
Anna handed the birth certificate to Juan from a folder on her desk without an envelope; (3) a
certificate of no marriage can be seen lying on a table seemingly accessible to any other personnel
at the mall; and (4) prior to Juan complaining to Pedro Ramos, he took photos and videos of them
as “evidence” and documentation. These facts are important in assessing the issues provided
earlier. Firstly, according to Chapter 4, Section 16 of the Data Privacy Act of 2012, the data subject
is entitled to be informed of the reasons why their personal information is needed, “purposes for
which they are being or are to be processed”. In this case, Juan should have been informed by the
cashier why his name, contact information, and address were needed for acquiring the birth
certificate. Unfortunately, the cashier did not inform him which was clearly against Section 16.
Secondly, based on the fifth (5th) mall policy on requested certificates to customers, “the
authorized personnel must always maintain all the certificates inside the labeled envelopes.” Here,
Anna Cruz pulled the birth certificate of Juan from a folder on her desk. It was a folder and not an
envelope. Hence, it did not meet one of the mall policy requirements mandating that certificates
should be inside labeled envelopes. Thirdly, Juan also noticed that there was a certificate of no
marriage lying on another table seemingly accessible to any unauthorized personnel. According to
Chapter 5, Section 20 of the Data Privacy Act of 2012, “the personal information controller must
implement reasonable and appropriate organizational, physical and technical measures intended
for the protection of personal information against any accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing...” In this instance, the authorized
representative of the mall handling certificates was negligent as there was a certificate of no
marriage seen lying on another table. Because of the representative’s negligence, she inevitably
provided room for the certificate to be accidentally disclosed to absolutely anyone unauthorized in
the mall. Therefore, there were no reasonable and appropriate measures taken conforming to
Section 20 of RA 10173. This could also be a violation of Section 26 if another person was able
to access the lying certificate. Fourthly, in assessing the case, it is worth noting that Juan took
photos and videos of Pedro and Anna as “evidence”. This may seem as a violation of privacy
because there was no consent, but it is not. According to an article published by legal writers of
FindLaw (2019), there is no violation of privacy rights as long as when a person takes a photo and
video of another person, they are in a public place or in a private place but with consent. Hence, it
is permissible for Juan to take photos and videos of Pedro and Anna because they are in a public
space. Lastly, Anna Cruz handed the birth certificate of Juan without an envelope. Some PSA
offices provide envelopes such as the instance it is via delivery, and some offices do not. It is
difficult to tell if privacy is compromised based on a mere envelope. Thus, the manner in which it
was given to Juan should be valid if it conforms to Section 20 - Security of Personal Information
and Section 26 - Accessing Personal Information and Sensitive Personal Information Due to
Negligence of the DPA of 2012.
As such, issues are now solved: (1) as long as the manner by which a personal information
is handed conforms to Chapter 5, Section 20 of RA 10173, then it does not constitute violation;
(2) the cashier did not uphold the privacy rights of Juan because the cashier did not state the
purpose of processing Juan’s data in accordance with Chapter 4, Section 16 of RA 10173; (3) Juan
did not violate the privacy rights of Pedro and Anna because when he took photos and videos of
them, they were in a public place; and (4) the mall policies were appropriate and up to standards,
but there was an instance when one of its policy was not followed by Pedro and Anna. Possible
solutions for future cases include the cashier stating why customer’s information is needed to be
collected, ensure that there are no random certificates lying on an easily accessible place by any
unauthorized persons, that mall policies are implemented and followed - certificates should be
inside labeled envelopes and not in folders on a desk open to anyone, and one should bring his
own envelope for convenience.
Therefore, Juan dela Cruz did not commit any violation of the Data Privacy Act of 2012.
Only Pedro Ramos and Anna Cruz committed violations as Section 16, and Section 20 of RA
10173 were not followed. Also, the mall policies were very reasonable and appropriate as it meets
the standards of the Data Privacy Law. After careful consideration of the case’s issues and
formulating arguments, this paper recommends the solutions mentioned above. A simple violation
of RA 10173 may be avoided if as a cashier, the customer is informed why their personal
information is needed. The customer always has the right to be informed on how their information
will be processed. Secondly, proper management of personal information should be an easy job
unlike the instance when a certificate of no marriage is exposed to absolutely anyone. Store in a
place where it is only accessible by authorized individuals. Thirdly, as customers, there is no harm
in recording conversations, taking photos, and videos as long as both parties are in a public place.
In addition, when in doubt regarding one’s privacy and data information - always ask. Lastly,
policies should be reinforced and implemented well so that there would be no more future
violations. Other solutions in safeguarding personal information and privacy of data include
strengthening password combinations, backuping data, using anti-malware security programs,
avoiding sharing personal information to the public, and taking advantage of firewalls. Through
these collective, simple yet effective solutions, an individual, businesses, institutions, or even the
government may draw better ways to safeguard information, data, and privacy as we seek to
mitigate future data breaches so that an event similar to the breach of the 952.8 million accounts
containing personal information in 2021 would be prevented - towards a better modern society
(Gkoutzamanis, 2021).
Resources:

Ecci. (2019, October 14). Understanding Data Privacy Act of 2012. ECC International.
https://eccinternational.com/understanding-data-privacy-act-
2012/#:%7E:text=Republic%20Act%20No.%2010173%20or%20Data%20Privacy%20A
ct,Act%20of%202012%20intends%20to%20protect%20personal%20information.
FindLaw. (2019, October 28). Can Someone Take My Photo Without Permission?
https://www.findlaw.com/injury/torts-and-personal-injuries/can-someone-take-my-photo-
without-
permission.html#:%7E:text=It%20is%20generally%20permissible%20for,owner%27s%2
0consent%20to%20take%20photos.
Gkoutzamanis, D. (2021, December 31). Data Breach Statistics for 2021. The CISO Times.
https://cisotimes.com/data-breach-statistics-for-2021/
Padilla, R. (2020). Importance of the Data Privacy Act of 2012. Importance of the Data Privacy
Act of 2012.
Republic Act No. 10173. (n.d.). The LawPhil Project. Retrieved April 26, 2022, from
https://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html
Stouffer, C. (2021, January). What Is Data Privacy and Why Is it Important? Life Lock.
https://www.lifelock.com/learn/identity-theft-resources/what-is-data-privacy-and-why-is-
it-
important#:%7E:text=Why%20is%20data%20privacy%20important,the%20hands%20of
%20a%20competitor.
Thibodeau, C. T. (2015). Identity Documentation and Verification. Science Direct.
https://www.sciencedirect.com/topics/medicine-and-dentistry/birth-certificate