Data privacy lawyer explains implications of data being ‘taken’ from DFA

A data privacy lawyer on Saturday warned against the possibility of identity theft after Foreign Affairs Secretary Teodoro Locsin Jr. revealed on Twitter that a former contractor has taken "all the data" from the Department of Foreign Affairs.

Lawyer Cecilia Soria told GMA News Online in an interview that the impact of the incident depends on what the former contractor took.

"If it’s personal information that is usually indicated in the passport, e cause for concern 'yan for us, because these can leave the data subjects vulnerable to identity theft," Soria said.

"Think about it: They have your complete name, complete birth date, complete address, signature pa yata. Also passport number, assuming that passport has not expired yet," said Soria, who holds a Certified Information Privacy Manager (CIPM) certification from the International Association of Privacy Professionals (IAPP).

The problem will exponentially worsen if the former contractor also has a copy of people's birth certificates, as this contains sensitive information like the name of an individual's parents.

"And since wala naman picture 'yong birth certificate, then anyone can actually use that for transactions as well, with other people none the wiser na the bearer is not the person to whom the birth cert pertains," Soria said.

The DFA said it has no comment about the data privacy issue.

The "breach" was revealed by Locsin earlier this week on Twitter, stating that the DFA is rebuilding files "from scratch because previous outsourced passport maker took all the data when contract terminated."

Locsin added that, "We did nothing about it or couldn't because we were in the wrong."

Soria said it is important to find out when the transaction/contract was effected/signed between the DFA and the former contractor, as it needs to be determined whether it falls under the protection of the Data Privacy Act of 2012.

Nonetheless, Soria stressed that the information handled by the DFA is still personal data, owned by the individual and not the state nor the contractor's.

"It’s not clear why Locsin says they had no recourse when the contractor took the data. Assuming there was breach of contract on the part of the government, the contractor still wouldn’t have the right to hold on to the data because people’s personal data is not owned by government. The mere act of collecting and compiling the data does not change the owner thereof," Soria clarified.

GMA News Online is waiting for the response of the National Privacy Commission and the Philippine National Police Anti-Cybercrime Group regarding the matter. — With a report from JP Soriano/KG, GMA News