Is the act of a person, A, disclosing the mobile number of B to a third person, without B’s consent, considered a violation of RA 10173?
- Republic Act 10173
- What is PII
- Definition of PII
- Identity Theft
- Social Engineering
- Real-life scenario
Mobile phone subscriptions are growing faster than home phone subscriptions: a single family might have only one or two home phones, but each member could have their own mobile. The Philippines now has approximately 103 million subscribers against an estimated population of around 105 million by July 2013. Going by numbers alone, roughly 98% of the population is using mobiles (prepaid and postpaid), but it would be inaccurate to say that 98% of the citizens of the Philippines have mobile phones, since a single individual may have multiple mobile phones and SIM cards.
With the rise of mobile phone usage has come a rise in mobile phone scams, which have permeated society to the point that even the government cannot shun them.
We now look into a hypothetical situation wherein an individual (C) requests from (A) the mobile number of (B): would this be considered a violation of Republic Act 10173, the Data Privacy Act of the Philippines?
Countless people have undoubtedly already performed such an act: students asking for their professor’s number, a friend asking for the number of another individual, a stranger asking for the number of someone he or she supposedly knows, an old friend who wants the number of another in order to get in touch.
2. Republic Act 10173 or the Data Privacy Act of the Philippines
Republic Act 10173 could well be said to be the first real Philippine law on personal data privacy; there were multiple laws in the past that touched on privacy, but none as focused as the Data Privacy Act. R.A. 10173 is titled An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes.
3. Personally Identifiable Information
Republic Act 10173 defines Personal Information as any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
This poses the question of whether mobile numbers can be considered personal information for purposes of the law. Let us look at the different views on what is regarded as personal information, or more specifically personally identifiable information, since the discussion hinges primarily on whether a mobile number counts as Personally Identifiable Information.
The National Institute of Standards and Technology, in its “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”, lists mobile numbers among its specific examples of PII.
We can therefore conclude that, since a mobile number is personal information that can be used directly or in conjunction with other data to identify a specific person, the act of giving out a mobile number might be a violation of the Data Privacy Act of the Philippines. However, to avoid reading the law into absurdity, we should qualify that not every act of giving out a mobile number can be considered illegal.
According to R.A. 10173 Sec. 3 (h), the term personal information controller does not include:
- A person or organization who performs such functions as instructed by another person or organization;
- An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
Those falling under these exceptions are therefore not considered personal information controllers.
There are also certain acts to which the Data Privacy Act does not apply, listed in Section 4, entitled Scope. These mostly concern data or information connected with government officials or employees in the function of their office. This is understandable, since these people are in public service and such information cannot be considered private; note, however, the qualification that the information must relate to their function or their employment in the government. There is also a provision that information processed for journalistic, artistic, literary or research purposes is not covered by this Act.
We now look into what is considered lawful processing of personal information. Processing is lawful if at least one of the conditions in Section 12 (for personal information) or Section 13 (for sensitive personal information) is met, so meeting any one of them could be raised as a defense under RA 10173. Since in our premise consent was not given, we can eliminate Sec. 12 (a) and Sec. 13 (a), the consent conditions, from the defenses one could raise.
Since processing is one of the main actions tackled in RA 10173, it is proper to set out the definition of processing:
Sec. 3 (j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Therefore the act of providing the number to a third party without the consent of the data subject can be considered use of the information without the data subject’s consent and, if it does not fall within the specific exceptions of RA 10173, would be a violation of RA 10173 penalized under Sec. 25 (Unauthorized Processing of Personal Information and Sensitive Personal Information), Sec. 28 (Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes) and Sec. 32 (Unauthorized Disclosure). This should not be taken to limit the Act’s applicability to A: since by definition even storage is processing, the third party who recorded the number is also in violation of the Data Privacy Act.
The question then left unanswered is who would be considered a Personal Information Controller, which Sec. 3 (h) defines as someone who controls the collection, holding, processing or use of personal information. Once the mobile number passes to another person, that person has control of it and the ability to use it. Therefore, once someone gains knowledge of the mobile number and the ability to use and disclose it, they can be deemed a personal information controller.
Therefore the act described in our premise, if it does not fall within the exceptions placed in the law, would be a violation of RA 10173. To bolster this contention, and to open the eyes of many to how far “unauthorized mobile number sharing” could go, I will discuss additional scenarios in the succeeding parts.
5. Real-life Scenarios on the role of mobile numbers in recent events
Many would be skeptical that a mere number transfer could lead to something disastrous and would dismiss it as making a mountain out of a molehill. However, I will provide multiple scenarios showing how something perceived as a molehill could lead to something immense.
How much information could we actually derive from a mere mobile number? Taking our scenario into consideration, it is safe to assume that when a person asks for someone’s mobile number, the request includes that someone’s name. So how far could a person go with just a name and a mobile number? Very far.
Returning to our initial premise: once the third party has acquired the number without the consent of the data subject, just how much could he do with it?
Calling a telecommunications company connects you to one of their call centers based here, and the normal requirement for initiating service is your name and your mobile/phone number, and sometimes one additional datum, the client’s birthday.
We now have a name as well as a number; via social engineering techniques the birthday could then be derived easily, whether by approaching a common acquaintance and saying that one knows the person and would like to note the birthday in one’s calendar, or via something termed “doxxing”, which is gathering bits and pieces of information via the internet (e.g. checking on Facebook or Twitter when people greet them happy birthday) or other methods.
A popular method of doxxing is to call different areas of one of our rising industries, the BPO industry. It is common for different departments of a company to be located in multiple “centers”: billing could be located in Manila while technical support is located somewhere else, with intercompany communication routed via telephony. Knowing the intricacies of call centers, one could pretend to be from technical support requesting assistance from billing.
Communication could proceed as follows:
“Good morning this is A from Technical support and I have a customer on the line who is having troubles with his mobile phone, I would just like to confirm if we have received payment on his account with mobile number 09XX-XXXXXXX and does he have additional balance that needs to be settled.”
After said conversation it could then move to something off tangent to minimize suspicion:
“By the way the customer would also like to confirm what is the current billing address that he has on file because he just moved and would like to see if the one on file is current”
It would be a violation of privacy guidelines if this were provided without confirmation; however, this kind of defense is not impenetrable. We have to remember that these are people answering the calls, not machines automated to check identity prior to releasing information.
There is a very controversial case of a 15-year-old who was able to bypass some of the most secure institutions via social engineering and doxxing. I am talking about the one known as “Cosmo the God” of UGNazi. The group was able to launch Distributed Denial of Service (DDoS) attacks on multiple sites and released multiple credit card and social security numbers using only a phone, names, numbers and other information gathered over the internet; his acts are said to rival those of the legendary group Anonymous.
Now tell me “It’s just a mobile number, so what’s the big deal?” In the hands of skilled people, that number is just the start.
As an alternative to freely giving away numbers to whoever asks for them, we have a clear chance to avoid violating not just the law but common ethical standards: why not ask for permission or consent from the data subject before passing the number to any other party? Would it be that difficult to be safe? We should take note, however, that in the application of this Act, consent must be a “freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her”. Consent for purposes of this Act must also be evidenced by written, electronic or recorded means.
We are living in a world where a simple innocent mistake could lead to disastrous results: Facebook pages considered just cause for termination; stalking, which has never been easier with technology and a mere mobile number, as reported in theregister.uk; people committing suicide because of a YouTube video, considered cyber-bullying. Other countries have also released memos regarding mobile phone bullying, advising people to keep a record of those to whom their mobile numbers have been given, and telecoms in other countries have agreed to coordinate and track down mobile phone bullies.
It is also worth noting that in the Philippines, tracking perpetrators through their mobile phones is harder than in other countries. In the United States and in countries such as Australia, post-paid and prepaid subscribers are all registered in their respective providers’ databases. In the Philippines, by contrast, there is an abundance of prepaid SIM cards that can be bought very cheaply, and it is quite common for people to change numbers once in a while; this is the kind of environment that is very conducive to text scams, text bullying and text marketing. Some of our lawmakers recognized this when they tried to introduce SIM card registration covering both prepaid and post-paid SIM cards.
Therefore we should take all of these things into consideration to ensure that we are not in violation of our Data Privacy law.
On a side note: around the Independence Day of the United States, celebrated last 4th of July, there was a cry reminding Americans to “Restore the Fourth”. This might seem to refer to their Independence Day, but it is really about restoring the Fourth Amendment, following the biggest data privacy leak in American history: the release of information regarding the NSA’s PRISM program. I do hope that the day will come when our right to privacy is no longer violated.
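The consent requirement just described, together with the weakness noted in the call-center scenario (a person, not an automated check, decides whether to release information), can be enforced mechanically. The following Python is an added example, not part of the original essay and not an implementation of RA 10173 itself: it releases a mobile number only when the requester’s identity has been verified and an evidenced, purpose-specific consent record from the data subject is on file, masks the number otherwise, and writes an audit entry for every decision. All names, numbers, dates and consent records are constructed for the demo, and the `requester_verified` flag is a hypothetical input set by whoever performed the identity check.

```python
"""Consent-gated disclosure of a mobile number (added example, not the essay's code).

The gate refuses to release a number unless
(1) the requester's identity has been verified, and
(2) the data subject's consent for this recipient and purpose is on record and
    evidenced by written, electronic or recorded means, and has not expired.
All names, numbers and records below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Evidence forms the essay lists as acceptable for consent.
VALID_EVIDENCE = {"written", "electronic", "recorded"}


@dataclass(frozen=True)
class ConsentRecord:
    subject: str                        # data subject (B in the essay's premise)
    recipient: str                      # party B agreed may receive the number (C)
    purpose: str                        # the specific purpose B agreed to
    evidence: str                       # "written", "electronic" or "recorded"
    given_on: date
    valid_until: Optional[date] = None  # None = no expiry recorded


@dataclass(frozen=True)
class DisclosureRequest:
    subject: str
    requester: str
    purpose: str
    requester_verified: bool  # hypothetical flag: identity confirmed out-of-band by the operator


def mask_number(number: str) -> str:
    """Keep only the last four digits so logs and refusals never leak the full number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def evaluate_disclosure(req: DisclosureRequest, consents: List[ConsentRecord],
                        today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons is empty only when disclosure is allowed."""
    reasons: List[str] = []
    if not req.requester_verified:
        reasons.append("requester identity not verified")
    # Consent must be specific: same subject, same recipient, same purpose.
    matching = [c for c in consents
                if c.subject == req.subject
                and c.recipient == req.requester
                and c.purpose == req.purpose]
    if not matching:
        reasons.append("no consent on record for this recipient and purpose")
    else:
        usable = [c for c in matching
                  if c.evidence in VALID_EVIDENCE
                  and (c.valid_until is None or today <= c.valid_until)]
        if not usable:
            reasons.append("consent on record is not validly evidenced or has expired")
    return (not reasons, reasons)


def disclose(number: str, req: DisclosureRequest, consents: List[ConsentRecord],
             today: date, audit: List[dict]) -> str:
    """Release the number only when the gate allows it; always append an audit entry."""
    allowed, reasons = evaluate_disclosure(req, consents, today)
    audit.append({
        "date": today.isoformat(),
        "subject": req.subject,
        "requester": req.requester,
        "purpose": req.purpose,
        "allowed": allowed,
        "reasons": reasons,
        "number": mask_number(number),  # the audit trail itself must not leak the number
    })
    return number if allowed else mask_number(number)


# Constructed sample data for the demo.
TODAY = date(2013, 7, 10)
DIRECTORY = {"B": "0917-555-0123"}
CONSENTS = [
    ConsentRecord("B", "C", "project coordination", "electronic", date(2013, 6, 1)),
    ConsentRecord("B", "E", "delivery", "written", date(2012, 1, 5), valid_until=date(2012, 12, 31)),
]


def run_demo() -> List[dict]:
    """Four requests: allowed, unverified requester, no consent on file, expired consent."""
    audit: List[dict] = []
    disclose(DIRECTORY["B"], DisclosureRequest("B", "C", "project coordination", True), CONSENTS, TODAY, audit)
    disclose(DIRECTORY["B"], DisclosureRequest("B", "C", "project coordination", False), CONSENTS, TODAY, audit)
    disclose(DIRECTORY["B"], DisclosureRequest("B", "D", "project coordination", True), CONSENTS, TODAY, audit)
    disclose(DIRECTORY["B"], DisclosureRequest("B", "E", "delivery", True), CONSENTS, TODAY, audit)
    return audit


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The point of the design is that the decision does not depend on the judgement of whoever answers the phone: a caller who has the subject’s name and number but no recorded consent, or whose identity was never verified, gets only a masked value, and the audit entry records why. Consent is matched on recipient and purpose because the Act requires it to be specific, and the audit log stores the masked number so that the log itself does not become another copy of the personal information.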
“Man is least himself when he talks in his own person, give him a mask and he will tell you the truth” – Oscar Wilde
Disclaimer: This guide is for educational purposes only, and should not to be regarded as legal advice. If you have specific legal questions, you should seek the advice of counsel.
References:
- RA 10173
- In Re Lougheed Importers Ltd., BCLRB No. B190/2010