Data Privacy and Prepaid Credit Information: How Telecom X violates the Data Privacy Act

The scenario: Friend X asked me to “pasa-load” 15 to him. I am not actually friends-friends with him, neither did I feel to be so generous that night; so I just replied that I do not have enough prepaid credit. Then he texted and called me liar since he knew that I had 85 pesos worth of credits. I was shocked. How did he know this? Well, Telecom X has a feature allowing such.

Data Privacy

Yes, my dear friends, Telecom X allows other person to know how much credit you currently have. By just dialling a string of number combination and following a series of instructions, you will readily know how much prepaid credits, and how many free text messages one has.

To some, it might have been so childish of me to feel so violated when I knew someone could pry about the information on my cellphone load. But, I do really think it is fair for me to expect some level of security as to the data about my prepaid credits. However, Telecom X seems to invade my privacy for allowing a third party to pry on that particular information.

Data Privacy Act

Atty Disini on Data Privacy

Last Saturday, Atty. JJ Disini talked about Data Privacy Act and discuss some of its salient features. I consulted the situation with Atty. Disini and we analyzed the legality behind Telecom X’s feature. Basically. I asked two questions:

  • Can prepaid credits be treated as personal information?
  • Is Telecom X legally liable under RA 10173 for divulging prepaid credits information to a third party without appropriate consent?

The Dat Privacy Act defines Personal Information as:

Sec 3. (g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Atty. Disini is clear in saying that any information are personal as long as the identity of an individual is apparent. I think that, prepaid numbers should qualify as personal information because an individual identity can be directly ascertained from prepaid numbers, at least, to a number of people (ie number holder’s friends and network). Atty. Disini said that the telecom, as a personal information controller (see Sec 3. par h), could not possibly associate a particular number to a particular person thus a mobile number could not possibly used as an identification perse. However, the main point is that, quite a good number of people could definitely associate a mobile number to a person, and thus, that association qualifies mobile number, and the prepaid credits associated to the mobile number, plays a key role in the act of identification.

In case of prepaid credits, I do think that it is a natural implication that since prepaid numbers are personal information, then prepaid credits associated with it is also personal information. Atty. Disini even says that it is possible to argue that prepaid credits can be treated as financial information, as it is possible to use prepaid credits as a discriminating factor (like bank accounts, race, sex, etc). Therefore, Telecom X has no right to divulge prepaid credit information to a third party without appropriate consent.

Telecom X has violated my privacy

Now that we established that prepaid credit information can be classified as personal information, can we now say that Telecom X has violated a subscribers privacy when it divulges prepaid credit information to third party.

Section 20, par. a provides that:

The personal information controller must implement reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.

Clearly, the mere fact that my friend successfully received information about my prepaid credit means that Telecom X failed to provide measures to secure such information.

Option to Block

I personally tried the feature and with all fairness to Telecom X, there is an option to block third party in seeing prepaid credit information. I find it hilarious because what Telecom X is doing is that there is an “option to block” and not an “option to give consent”. The Act defines consent  as:

Sec 3. par b. Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her…

Now, did I give consent to Telecom X to divulge my prepaid credit information? No, I did not. IT is apparent, therefore, that Telecom X has divulged a personal information without my consent.

Childish

It may seem childish of me to rant about the fact that my friend discovered that I was lying about my prepaid credits. Yes, I did lie because I do not want to give him load, mainly because I do not like the person. But the fact is that, Telecom X has a feature that can be used to illegally extract personal information about particular person. What if  prepaid credit load be used as a discriminating factor, let say, in job application? What if a person could track the changes on your prepaid credit information, thus gaining information about your financial activities on your prepaid cellphone?

In this age where information are within anyone’s reach, the issue of privacy is something that we should tackle seriously. Identity theft and other crimes can occur when personal data are not being processed securely. It is scary to know that other person can gain access to prepaid credit information. And what is more scary is that Telecom can divulge information to third party without us knowing.

Something to think about.

For a full version of RA 10173, otherwise known as the Data Privacy Act of 2013, click here

Advertisements

3 thoughts on “Data Privacy and Prepaid Credit Information: How Telecom X violates the Data Privacy Act

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s