Filing a Data Privacy Act Complaint for Unauthorized Disclosure of a Courier’s Phone Number

A Comprehensive Philippine-Context Legal Guide (2025 update*)

*Statutes and NPC issuances cited are in force up to July 5 2025. No new amendments affecting this topic have been enacted after that date.

1. Why a Courier’s Phone Number Is Protected Personal Data

Classification	Statutory Reference	Explanation
“Personal Information” (PI)	R.A. 10173 §3(g)	Any data that can identify or distinguish an individual, directly or when combined with other information.
Courier’s mobile or landline number	NPC Advisory Opinion No. 2017-063; NPC Advisory No. 2021-01	A phone number, even one issued for work, is still attributable to a specific, living courier. Once linked to the courier’s name, tracking number, or route, it becomes PI.

Bottom line: Disclosing a courier’s phone number to someone who does not have a lawful basis (e.g., a random buyer seeing all drivers’ contact details) is unauthorized processing and may qualify as unauthorized disclosure or malicious disclosure under R.A. 10173.

2. Legal Foundations You Should Know

Instrument	Key Provisions Relevant to Disclosure
R.A. 10173 (Data Privacy Act of 2012)	• §§11-13: Lawful criteria for processing • §21: Confidentiality • §§25–31: Criminal offenses, incl. Unauthorized Processing (§25) and Unauthorized Disclosure (§31)
IRR of R.A. 10173 (2016)	Rules on complaint handling, breach notification, and penalties
NPC Circular 16-03 (Rules of Procedure)	Administrative complaint flow; mediation; fact-finding; appeals
NPC Circular 2021-01 (Guidelines on Administrative Fines)	Fine matrix up to ₱5 million per violation or 2% of annual gross income, whichever is higher
NPC Citizen’s Charter (2023 ed.)	Service standards, response deadlines
Supreme Court Administrative Matter No. 17-11-03-SC (2019)	Data privacy precautions for litigants (useful when your complaint involves court exhibits)

3. When Does a Disclosure Become “Unauthorized”?

No valid consent or other lawful basis under §12 (e.g., contract necessity, legal obligation).
Exceeds stated purpose (purpose-limitation principle).
Disclosed to a third party who is not a data subject or authorized recipient.
Lacks minimal security standards (e.g., waybill left publicly visible, group text blast revealing all drivers).
Fails proportionality—disclosing the number is not strictly necessary to accomplish delivery.

4. Parties Who May Be Liable

Role	Typical Example	Potential Liability
Personal Information Controller (PIC)	E-commerce platform that prints waybills with driver phone numbers	Administrative fines; criminal prosecution; civil damages
Personal Information Processor (PIP)	Third-party logistics company (3PL) hired to ship items	Same as PIC if it acted beyond instructions or breached security
Individual Employee	Dispatcher who tweeted riders’ numbers	Criminal liability (§30 Malicious Disclosure / §31 Unauthorized Disclosure)

5. Step-by-Step Guide to Filing an NPC Complaint

Stage	What Happens	Statutory / NPC Rule
A. Attempt Internal Resolution (Optional but Favored)	• Send a written demand to the PIC/PIP requesting takedown & explanation. • Keep proof (e-mail, registered mail, courier receipt).	Data subject right to “redress” (§16 f); NPC Advisory Opinion 2018-002
B. Prepare the Complaint	Must be verified (sworn) and contain: 1. Full name & address of complainant & respondent 2. Detailed narration of facts 3. Specific DPA provisions violated 4. Reliefs sought (e.g., cease-and-desist, damages, fines) 5. Certification of non-forum shopping 6. Evidentiary annexes (screenshots, affidavits, waybills)	NPC Rules §4-§5
C. File (at no cost)	• e-file via complaints@privacy.gov.ph, or • Walk-in: NPC office, Diliman, QC. Scanned PDF must be notarized or ID-verified.	Citizen’s Charter (zero filing fee)
D. Evaluation (≤ 30 working days)	NPC may: a) Dismiss outright (lack of prima facie case) b) Refer to Mediation c) Order Answer/Comment from respondent	NPC Rules §9-§10
E. Mediation (≤ 45 days)	Confidential, without prejudice, led by NPC; may result in Compromise Agreement.	NPC Rules §16
F. Investigation / Fact-Finding	Subpoenas, affidavits, technical audits; NPC can conduct onsite inspection.	§12(g) DPA; NPC Circular 2021-01
G. Decision	• Compliance Order, Cease-and-Desist, Monetary Fine, or Referral to DOJ for criminal charges.	NPC Rules §25-§27
H. Appeal	• Motion for Reconsideration within 15 days, or • Appeal to the Court of Appeals under Rule 43.	NPC Rules §29-§31; ROC Rule 43

6. Penalties & Remedies at a Glance

Statutory Offense	Imprisonment	Fine (₱)
Unauthorized Processing (§25)	1 – 3 years	500 k – 2 M
Unauthorized Disclosure (§31)	3 – 5 years	500 k – 1 M
Malicious Disclosure (§30)	3 – 6 years	500 k – 1 M
Failure to Comply with NPC Order	Contempt; ₱50 k-100 k per day	--

Civil Action: Independent of NPC, you may sue for actual, moral, and exemplary damages under §16(f) and Civil Code Art. 19, 20, 2219, 2229. Labor Implications: If the courier is an employee whose data was leaked, employer may face DOLE sanctions for OSH or labor standard breaches.

7. Evidence Checklist for Phone-Number Disclosure Cases

📸 Screenshots of the platform/page/text showing the number
✉️ Notice to or from the PIC/PIP (e-mails, chat logs)
📝 Sworn statement of courier or data subject
📦 Waybills / shipment labels bearing phone numbers
🗂️ Company policies (to show negligence or willful breach)
🛡️ Any proof that the disclosure caused harm (spam calls, harassment)

8. Compliance Tips for Businesses & Couriers

Data-Minimization: Use driver IDs or anonymized hotlines instead of personal numbers on waybills.
Role-Based Access Controls: Limit dashboard views so only the buyer assigned to a delivery can see the driver’s contact.
Screen Obfuscation: Mask digits until “call” button is pressed.
Vendor Due Diligence: Make sure 3PL contracts impose DPA-compliant security and escalation clauses.
Breach Response Plan: Notify NPC within 72 hours if the leak poses “real risk of serious harm” (NPC Circular 16-03, §38).

9. Frequently Asked Questions (FAQs)

Question	Short Answer
Is the courier’s number still protected if the courier is an independent contractor?	Yes. The DPA protects any natural person, regardless of employment status.
Can I go straight to court instead of NPC?	Yes, you may file a civil action directly, but exhaustion of administrative remedies (NPC) is generally advised for data-privacy matters.
What if the number is a company-issued SIM?	Still personal information if linked to one person. If recycled among drivers and no longer individually identifiable, protection may be weaker.
What if I’m only a concerned bystander?	Only the data subject (courier) or a duly authorized representative has standing to file.
Prescriptive period?	Three years from discovery of the violation (§34, R.A. 10173). Criminal actions must be filed within this period.

10. Sample Outline of a Verified Complaint (Template)

Republic of the Philippines National Privacy Commission Quezon City

[Name], Complainant —versus— [Company / Platform], Respondent

VERIFIED COMPLAINT

Parties

Statement of Facts

Jurisdictional Allegations

Causes of Action

Violation of §§11, 12, 21, 31 of R.A. 10173

Reliefs Prayed For

Cease-and-desist, administrative fine, damages, etc.

Certification of Non-Forum Shopping

Verification and Notarization

11. Key Takeaways

A courier’s phone number is protected personal information; disclosing it without legal basis is punishable under the Data Privacy Act.
The NPC provides a no-fee, quasi-judicial route for complaints, with options for mediation, investigation, and hefty administrative fines.
Criminal prosecution and civil damages are available in parallel, but start by documenting the leak and, where practical, seeking internal redress.
Businesses should adopt data-minimization and access-control measures to avoid inadvertent disclosure.

Disclaimer

This article is for educational purposes only and does not constitute legal advice. For specific cases, consult a Philippine lawyer specializing in data privacy or contact the National Privacy Commission.