In response to the financial services industry's cybersecurity initiatives, which aim to thwart fraud incidents and uphold customers' confidence in digital payment systems, the National Privacy Commission ("NPC") has issued Advisory Opinion 2021-26 to guide personal information controllers in protecting the privacy of shared databases through strict adherence to the basic data privacy principles of transparency, legitimate purpose, and proportionality, and through the conduct of privacy impact assessments ("PIAs").
The NPC recognises that data sharing for investigating and resolving fraud incidents is allowed under the Data Privacy Act of 2012. While the NPC Privacy Policy Office recognises that having a shared database for know-your-customer, enhanced due diligence, and anti-money laundering purposes may enhance the integrity of the financial system, there is a need to ensure that personal and sensitive personal information (collectively, "personal data") is processed fairly and lawfully. In this particular context, the NPC Privacy Policy Office emphasised that personal data in such a database must be accurate, relevant, and kept up to date. Consequently, inaccurate or incomplete data must be rectified, supplemented, or destroyed, or its further processing restricted.
The NPC Privacy Policy Office also recommends the conduct of a PIA to identify, assess, evaluate, and manage the risks presented by the processing of personal data in the shared database.
Equally important to the rights of the financial services industry are the rights of data subjects. In this regard, the NPC Privacy Policy Office has reminded the financial services industry that data subjects should be provided with a mechanism to exercise their rights.