Monday, May 6, 2013

R.A. No. 10173: Sufficient Mechanism to the Introduction of a National I.T. System in the Philippines

People say that the internet makes everything easier for them, but using the internet also has its disadvantages which may put the users in danger. According to an article, the common uses of the Internet are for (1) browsing, either for research purpose, information or to learn some new things; (2) communication in the forms of emails, chats, video and chats, and video conferences; (3) to build and take part in discussion forums; and (4) the buying and selling over the internet, or online shopping.

For research purposes, users have to make sure that they would also look into other sources aside from the internet because there are a lot of wrong information on the internet. In the use of emails, chats, video chats, and video conferences and taking parts in discussion forums, it may be easier and less costly than the use of cellular phones or sending of telegrams, but due to the internet, some users are having a hard time socializing and communicating with other people in front of them and prefer to just socialize with other people in front of their monitors. In online shopping, the buyer is required to enter his/her credit card number in order to effect payment.

With all the people around the world, how many of them are protected from all the disadvantages of using the internet?

According to NBC News,

"Government restrictions on the Internet have risen over the past year around the world as regimes use violence against bloggers and turn to censorship and arrest to squelch calls for reform."

And due to the disadvantages of the use of the internet, some countries have already monitored their users, and even implemented restrictions. A report on NBC News stated that:

"Pakistan, Bahrain and Ethiopia saw the biggest rollbacks in Internet freedom since January 2011 and were among the 20 countries out of 47 assessed by Freedom House that declined in their rankings. In contrast Tunisia, Libya and Burma, all countries that have seen dramatic political opening or regime changes, improved over previous years along with 14 other countries, the U.S. group, which advocates democracy and open societies, said. Vietnam handed out stiff jail terms to three high-profile bloggers for their bold criticism of government handling of land rights issues and corruption. Estonia topped the list of countries for freedom of the Internet with the United States in second place, according to the Freedom House report. The rankings were based on obstacles to Internet access, limits on content and violations of user rights. Estonia has a highly developed online culture that includes online voting and access to electronic medical records and some of the lightest content restrictions in the world, the report found. The United States has fallen behind in Internet speed and cost and broadband availability.

Methods for controlling free speech on digital media also have grown more sophisticated and diverse the past year.

Governments have passed new restrictive laws in 19 states. In Iran, censors have improved software for filtering content and hackeddigital certificates. In Pakistan, virtual private networks are banned. And in 14 countries the governments have followed China's lead in hiring armies of commentators to manipulate online discussions."

In the Philippines, Administrative Order No. 308 was issued by President Fidel V. Ramos in 1996. A.O. No. 308 is entitled "Adoption of a National Computerized Identification Reference System." Its purpose is to provide Filipino citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities. The Philippines introduced the use of the internet to improve and uplift public service, but there were also flaws in such Administrative Order.
In the case, Blas F. Ople vs. Ruben D. Torres, et. al., G.R. No. 127685, the Petitioner prayed that A.O. No. 308 be invalidated due to two constitutional grounds: (1) it is a usurpation of the power of Congress to legislate; and (2) it impermissibly intrudes on our citizenry's protected zone of privacy. The petitioner contended that:

A. The establishment of a national computerized identification reference system requires a legislative act. The issuance of A.O. No. 308 by the President of the Republic of the Philippines is, therefore, an unconstitutional usurpation of the legislative powers of the Congress of the Republic of the Philippines.
B. The appropriation of public funds by the President for the implementation of A.O. No. 308 is an unconstitutional usurpation of the exclusive right of Congress to appropriate public funds for expenditure.
C. The implementation of A.O. No. 308 insidiously lays the groundwork for a system which will violate the Bill of Rights enshrined in the Constitution.

The Supreme Court ruled in favor of the petitioner, Blas F. Ople. In the decision of the Court, it was stated that it is beyond the power of the President to issue A.O. No. 308, and that A.O. No. 308 should not be even considered as an Administrative Order. The decision also stated that the A.O. No. 308 violates the right to privacy. A portion of the decision reads as follows:

"While the Congress is vested with the power to enact laws, the President executes the laws. The executive power is vested in the Presidents. It is generally defined as the power to enforce and administer the laws. It is the power of carrying the laws into practical operation and enforcing their due observance. Administrative power is concerned with the work of applying policies and enforcing orders as determined by proper governmental organs. It enables the President to fix a uniform standard of administrative efficiency and check the official conduct of his agents. To this end, he can issue administrative orders, rules and regulations.

Assuming, arguendo, that A.O. No. 308 need not be the subject of a law, still it cannot pass constitutional muster as an administrative legislation because facially it violates the right to privacy. The essence of privacy is the right to be let alone.

The right to privacy is one of the most threatened rights of man living in a mass society. The threats emanate from various sources — governments, journalists, employers, social scientists, etc. In the case at bar, the threat comes from the executive branch of government which by issuing A.O. No. 308 pressures the people to surrender their privacy by giving information about themselves on the pretext that it will facilitate delivery of basic services. Given the record-keeping power of the computer, only the indifferent fail to perceive the danger that A.O. No. 308 gives the government the power to compile a devastating dossier against unsuspecting citizens."

But in his dissenting opinion, Justice Kapunan stated that the President has the right to issue A.O. No. 308, and that:

"The National Computerized Identification Reference System was established pursuant to the afore-quoted provision precisely because its principal purpose, as expressly stated in the order, is to provide the people with the facility to conveniently transact business with the various government agencies providing basic services. Being the administrative head, it is unquestionably the responsibility of the President to find ways and means to improve the government bureaucracy, and make it more professional, efficient and reliable, specially those government agencies and instrumentalities which provide basic services and which the citizenry constantly transact with."

The issues in this case are (1) whether the issuance of the A.O. No. 308 is unconstitutional; and (2) whether such Administrative Order violates the right of the people to privacy.

I agree with what Justice Kapunan and Justice Mendoza said in their dissenting opinion. An Administrative Order is defined, under the 1987 Administrative Code, is an act of the President which relate to particular aspects of governmental operations in pursuance of his duties as administrative head shall be promulgated in administrative orders.

In issuing Administrative Order No. 308, the President's purpose was to improve government bureaucracy. As the administrative head, the President has the right to issue such order to ultimately achieve administrative efficiency. Moreover, such Administrative Order does not require all the people to avail the benefits that A.O. No. 308 provide. It is merely voluntary.

In implementing A.O. No. 308, advanced methods of the Biometrics Technology may pose danger to the right of privacy of the people but the standard set states that:

"The need to provide citizens and foreign residents with the facility to conveniently transact business with basic service and social security providers and other government instrumentalities; the computerized system is intended to properly and efficiently identify persons seeking basic services or social security and reduce, if not totally eradicate fraudulent transactions and misreprentation; the national identification reference system is established among the key basic services and social security providers; and finally, the IACC Secretariat shall coordinate with different Social Security and Services Agencies to establish the standards in the use of Biometrics Technology. Consequently, the choice of the particular form and extent of Biometrics Technology that will be applied and the parameters for its use (as will be defined in the guidelines) will necessarily and logically be guided, limited and circumscribed by the afore-stated standards. The fear entertained by the majority on the potential dangers of this new technology is thus securedly allayed by the specific limitations set by the above-mentioned standards. More than this, the right to privacy is well-esconced in and directly protected by various provisions of the Bill of Rights, the Civil Code, the Revised Penal Code, and certain laws, all so painstakingly and resourcefully catalogued in the majority opinion. Many of these laws provide penalties for their violation in the form of imprisonment, fines, or damages. These laws will serve as powerful deterrents not only in the establishment of any administrative rule that will violate the constitutionally protected right to privacy, but also to would-be transgressors of such right."

The standards set show that the information of the people will be protected by the government. And in cases where it is possible that information may be disclosed, there is a sufficient number of laws prohibiting and punishing any such unwarranted disclosures.

According to Justice Mendoza, A.O. No. 308 does not violate the right of the people to privacy because such Order requires only an identification system based on data which the government agencies involved have already been requiring individuals making use of their services to give.

After reading the case of Ople vs. Torres and all the separate opinions of the Justices who heard such case, it may be concluded that there would always be pros and cons in adapting into the advancement of technology. New developments may really be hard to adapt at first, but it may be regulated of standards and methods will be set. And if violations would really be inevitable, corresponding penalties should be provided by the government.

When Republic Act No. 10173, entitled AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES, the government clearly stated that the right to privacy of the people would be protected by such Act. Section 2 of the Act reads as follows:

"SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected."

Just like in A.O. No. 308, the people would have to give out their information to the government and rely that the latter would protect the information given. There is also an agency responsible in administering and implementing the provisions in order to ensure the compliance of the people with the standards set, both in the R.A. 10173 and in A.O. No. 308.

The only difference in A.O. No. 308 and R.A. No. 10173 is that in the latter, the government was able to emphasize on the provisions stating how the information given by the people would be protected.

Section 20 of R.A. No. 10173 speaks of the measures to be observed in order to protect the personal information of the people against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. The provision reads as follows:

"SEC. 20. Security of Personal Information.  (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.

(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes (bat such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system."

While Section 22 of the same Act speaks of how sensitive personal information should be protected by the heads of agencies. The provision states that:

"All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission. The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards."

Sections 20 and 22 of R.A. 10173 are the provisions lacking in A.O. No. 308 which caused the petitioner to file a petition alleging that the Order violates the right to privacy of the people. A.O. No. 308 failed to assure the people that all personal information given will be protected by the government.

Wherefore, I think R.A. 10173 will provide sufficient mechanism to the introduction of a national I.T. system in the Philippines without the Constitutional issues that have arisen in the case of Ople vs. Torres. Due to the provisions in R.A. 10173 emphasizing the measure on how the personal information will be protected, such Act should no longer be considered as a threat to the privacy of the people.

1. Accessed May 5, 2013.
2. Accessed May 5, 2013.
3. Accessed May 5, 2013.
4. Accessed May 5, 2013.

[Disclaimer: This blog is for our Technology and the Law class only. The contents of this entry is the writer's opinion and is not intended in any way to serve as a legal advice.]

1 comment:

  1. Please provide your analysis of Sections 20 and 22 of the Data Privacy Act as to its sufficiency in addressing the constitutionality issues raised in AO No. 308.