Confidential
There’s a quiet cultural revolution going on in offices throughout the country involving the very way we think and has involved an audit, not of numbers, but of all kinds of procedures and technologies.
I thought long and hard about a short title for my column that would describe what this cultural revolution is all about and settled on that one word, “confidential,” which is the way we used to handle matters, mainly around correspondence. For large offices, you would write or stamp “Confidential” on a document and seal it well before passing it on. To some extent that’s still being done today, sometimes with almost ridiculous but ineffective zeal.
Look at the mail you’re getting at home and you’ll find many are still stapled in a way that you have to remove the staple wire first before opening the envelope or you risk ripping through the document inside, which might be a check, now mangled and could be rejected by the bank when you want to deposit it.
Article continues after this advertisementThe other way documents were “secured” was to tape it end to end. Being on the receiving end of so many of these documents, I would tell my staff to call the sender and politely complain about how they have mummified the document, making it practically impossible to open.
Now comes a law that could either worsen, or rationalize, the way we handle confidential information. The full name of that law would take an entire paragraph so I will just use the short one, the Data Privacy Act of 2012. It took some years to get a bureaucracy going together with implementing rules and regulations, all to ensure the protection of personal information in all of the country’s offices.
Overseeing this gargantuan task is a National Privacy Commission, which has been pressing hard on institutions to establish data protection offices that will ensure that all sensitive personal information is secured, and not just by stamping “confidential” and stapling or mummifying documents.
Article continues after this advertisementCall centers and data
The law was actually forced upon us by the business process outsourcing (BPO) industry, which employed 1.3 million Filipinos last year and still counting. Most of them are in the contact subsector, better known as call centers and they have access to all kinds of sensitive information provided not just by Filipinos but residents of countries throughout the world. Remember the last time you wanted to clarify a credit card billing which you think was mistaken and how they asked you about everything from your mother’s maiden name to the last credit transaction you had.
Think of all the forms you’ve had to fill out over the years. To get some kind of insurance, for example, you may have been asked to submit to a full medical checkup where you were asked all kinds of questions about the causes of death in your family, and your own existing illnesses, surgical procedures … all the way up to your sex life: how many people have you had sex with, were they male or female, and what kind of sex did you have?
All that information is stored in computer databases.
Educational institutions have all kinds of sensitive data. I’m thinking of two offices in particular. There’s the health service’s medical records, and there’s the registrar, which still has the “jackets” — enrollment forms and, until recently, grades—of each and every person who has ever enrolled in UP, whether you finished or not. Diliman, being the main campus, has files that go back more than a century. I have a feeling many UP alumni would worry more about their grades, rather than their medical records, being kept private.
The new law spells out penalties, including imprisonment, for leaking out sensitive personal information. Hold your breath as I mention some of them: “race, ethnic origin, marital status, age, color and religion, philosophical or political affiliation,” “health, education, genetics or sexual life,” “offenses committed or alleged to have been committed,” “social security, current health records, licenses or its denials, tax returns.”
Each of those items could be further broken down when you think of what “sensitive” can mean. Under this law, we cannot provide the grades of a student to anyone, not even the parents, if the student has reached legal age (18) and unless signed consent is given.
Whistleblowers
The reason I said all this involves a cultural revolution is that the idea of data privacy is almost nonexistent in our culture. The norm is to share information. Have a crush on someone and want to send a gift on his or her birthday? No problem, everyone knows what office and who in that office can get you that information.
Birthdays seem relatively benign but think hard about it and you might be opening the doors to unwanted attention.
Salaries are another example, a source of a lot of resentment within an office, so in UP Diliman we are now banishing the days of open pay slips. Instead, the pay slips come in an encrypted envelope, like the ones banks give you when you get a new ATM card with a password.
Medical records are particularly sensitive. For years now, as dean and then as chancellor, I’ve had to sign all applications for reimbursement of medical expenses and I’ve always been uncomfortable at how the papers go through several offices and personnel, with all kinds of sensitive information. Culture comes into the picture with people, often with the best of intentions, telling friends, “Did you know Professor xxx has cancer? Maybe we can help raise funds for her.”
Golden rule
In other cases, malicious intentions may come in. It’s been so tiring having to respond to anonymous “sumbong” (whistleblowing) made to the government’s hotline, with distorted information that clearly came from access to official files in government agencies, questioning everything from bonuses to an out-of-town conference and often out of a desire for character assassination rather than a concern over corruption. The Filipino term “maiinit na mata” (hot eyes) is an appropriate description of the sources of data breaches.
“Data breach” is a term that will make it into our vocabularies as the Data Privacy Act is implemented and the breach is fairly easy given that so much information is now stored in computer databases. The Data Privacy Act requires that the databases are secured, requiring layers of passwords and security measures, but even the best of systems will still be heavily challenged by culture, to the point where we may have to require all staff—secretaries, receptionists, even drivers — to sign nondisclosure agreements, meaning they are bound by law not to give out sensitive information, not just from computers and documents but from meetings and even conversations.
But more than nondisclosure agreements, we will have to look for other ways to tackle cultural attitudes to privacy. It will mean, for example, reminding someone during a conversation that they just named someone and gave away sensitive information about that person. It will mean, too, periodic meetings discussing data privacy and breaches and the foundation of it all, the golden rule: Do not do unto others what you do not want done to you.
mtan@inquirer.com.ph