Rethink data collection policies, sectors told after voters' data leak

MANILA, Philippines – Following the leak of voters' data records obtained from the website of the Commission on Elections (Comelec) last year, government agencies and the private sector were urged to rethink how they collect Filipinos' personal information.

At the 3rd National Privacy Conference on Friday, January 20, the Foundation for Media Alternatives (FMA) looked back on the incident dubbed as "Comeleak" and presented their insights and recommendations.

Jessamine Pacis of FMA said that the data leak "exposed the extent of Comelec's collection of personal information."

Pacis said that now is a good time not only for the Comelec but also for other government agencies and personal information controllers "to rethink their data collection and processing practices and policies."

"What types of personal information do they protect? Are these information really necessary for the mandate or for the specific purpose for which they are collecting? More importantly, are these information processed in the manner that is proportionate to the purpose for which they are collected?" she asked.

These questions, she said, should serve as guidelines in light of proposals and legislative measures that would involve the collection of personal information, like the establishment of a national ID system, a SIM card registration system, or a government big data center. (READ: Gov't should protect citizen's personal data – NPC's Liboro)

In March 2016, over 70 million voter registration records, both active and deactivated, as well as other election-related data were accessed and leaked online, after the Comelec's website was hacked. (READ: Experts fear identity theft, scams due to Comelec leak)

This led to a probe by the National Privacy Commission (NPC), which ruled that the Comelec and its chairman, Andres Bautista, violated provisions of Republic Act 10173 or the Data Privacy Act of 2012.

Trim down

While some personal data are required to register a voter, other fields in the Comelec's Post Finder application for overseas voters, for instance, asked for the names of the voter's spouse and parents.

"Comelec takes too much data about voters," said Angel Averia of the Philippine Computer Emergency Response Team (PH-CERT). "Considering that we have big data [available] today, if I use a software that could link these names and identities together, I can construct a whole family tree." 

"I think they should review that [data collection] and start trimming down what data they need to establish a person as a voter," he added.

Averia also suggested that the poll body should also have a better disposal policy for the records of deceased voters.

'Silver lining'

"For anyone searching for a silver lining in this controversy, [it] elevated public consciousness regarding the country's data privacy law," said Pacis.

While the Data Privacy Act of 2012 created the NPC, the body was only officially formed in 2016, weeks before the Comelec data leak. The incident served as a "baptism of sorts" for the NPC, Pacis said.

She said that the data breach "must spark new conversations" related to the practice of data privacy not only in government, but also in the private sector, like in banks.

FMA then reiterated the need for personal information controllers to comply with the Data Privacy Act, including the appointment of data protection officers.

Also tackled during the 3rd National Privacy Conference were the importance and impact of data privacy in the age of social media and big data, and FMA's report on the surveillance policy and practice in the country. –

Michael Bueza

Michael Bueza is a researcher and data curator under Rappler's Research Team. He works on data about elections, governance, and the budget. He also follows the Philippine pro wrestling scene and the WWE. Michael is also part of the Laffler Talk podcast trio.