Is Using a Real Person’s Name in Training Materials a Data Privacy Act Violation

Introduction

In the digital age, organizations frequently develop training materials to educate employees on various topics, ranging from compliance and customer service to data handling and security. These materials often incorporate real-world examples to enhance relatability and effectiveness. However, a critical question arises: Does including a real person’s name in such materials constitute a violation of the Data Privacy Act (DPA) in the Philippines? This article explores the intricacies of this issue under Republic Act No. 10173, also known as the Data Privacy Act of 2012, and its implementing rules and regulations (IRR) issued by the National Privacy Commission (NPC). We delve into the definitions of personal data, the principles of data processing, potential risks, exemptions, and best practices for compliance, providing a comprehensive analysis tailored to the Philippine legal framework.

The DPA aims to protect the fundamental human right to privacy while ensuring the free flow of information to promote innovation and growth. It applies to all natural and juridical persons involved in the processing of personal information, including government agencies, private companies, and non-profit organizations. At its core, the law regulates the collection, use, disclosure, and disposal of personal data to prevent misuse and unauthorized access. Using a real person’s name in training materials could implicate these provisions if it involves processing personal information without proper safeguards.

Key Definitions Under the Data Privacy Act

To determine whether using a real person’s name in training materials violates the DPA, it is essential to understand the key terms defined in the law:

  • Personal Information: This refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3(g), DPA). A person’s name is a classic example of personal information, as it directly identifies an individual.

  • Sensitive Personal Information: This category includes data about an individual’s race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, proceedings for any offense committed or alleged, social security numbers, tax returns, and other similar information (Section 3(l), DPA). If the name is linked to such sensitive details in training materials, the threshold for compliance becomes higher.

  • Processing: Encompasses any operation or set of operations performed upon personal information, including collection, recording, organization, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, or destruction (Section 3(j), DPA). Creating and distributing training materials that include a real person’s name qualifies as processing if it involves using or disclosing that name.

  • Personal Information Controller (PIC): The natural or juridical person who determines the purposes and means of processing personal information (Section 3(h), DPA). In a corporate setting, the employer or training developer would typically be the PIC.

  • Personal Information Processor (PIP): Any entity to whom a PIC may outsource the processing of personal data (Section 3(i), DPA). If external consultants create the materials, they act as PIPs and must adhere to the DPA.

Under these definitions, a real person’s name in training materials is undoubtedly personal information. The mere inclusion does not automatically violate the law; rather, the violation hinges on whether the processing complies with the DPA’s principles and requirements.

Principles of Lawful Processing

The DPA establishes five core principles for processing personal information: transparency, legitimate purpose, proportionality, data minimization, and accountability (NPC Circular No. 16-01). These principles guide whether using a name in training materials is permissible:

  1. Transparency: Data subjects must be informed about the processing of their personal information. If a real person’s name is used, the individual (data subject) should be notified in advance, typically through a privacy notice or consent form, detailing how their name will be used in training materials.

  2. Legitimate Purpose: Processing must be for a declared, specified, and legitimate purpose (Section 11, DPA). In training contexts, purposes might include employee education on data privacy, anti-fraud measures, or operational efficiency. Using a name to illustrate a scenario (e.g., "John Doe reported a data breach") could be legitimate if it directly serves the training objective. However, if the use is gratuitous or unrelated, it may lack legitimacy.

  3. Proportionality: The processing must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose (Section 11(c), DPA). Including a full real name might be disproportionate if a pseudonym or anonymized identifier (e.g., "Employee X") suffices. The NPC emphasizes that personal data should only be processed to the extent necessary.

  4. Data Minimization: Organizations should collect and use only the minimum data required. Substituting real names with fictitious ones aligns with this principle and reduces privacy risks.

  5. Accountability: PICs must demonstrate compliance through records, policies, and measures like data protection officers (DPOs) and privacy impact assessments (PIAs) (Section 21, DPA).

Non-compliance with these principles can lead to violations. For instance, if a name is used without consent or for an undeclared purpose, it could breach Section 20 of the DPA, which prohibits unauthorized processing.

Consent and Other Lawful Bases for Processing

Consent is not always required under the DPA; processing can be based on other grounds. However, it is often the safest route for using names in training materials:

  • Consent: Must be freely given, specific, informed, and evidenced by written, electronic, or recorded means (Section 3(a), DPA). The data subject must explicitly agree to their name being used in training materials. Consent can be withdrawn at any time, necessitating removal of the name from materials.

  • Other Lawful Bases: Processing is allowed without consent if it is necessary for compliance with a legal obligation, protection of vital interests, response to national emergencies, or fulfillment of functions of public authority (Section 12, DPA). In the private sector, it may also be based on contractual necessity or legitimate interests of the PIC, provided these do not override the data subject’s rights. For example, if internal compliance training material uses an employee’s name in connection with a real incident, the use might fall under legitimate interests, but a balancing test is required.

For sensitive personal information, stricter rules apply: Processing generally requires explicit consent, unless it falls under specific exemptions like medical treatment or legal claims (Section 13, DPA).

Potential Violations and Penalties

Using a real person’s name without proper authorization could constitute several violations:

  • Unauthorized Processing (Section 25, DPA): Punishable by imprisonment from one to three years and fines from PHP 500,000 to PHP 2,000,000.

  • Unauthorized Access or Intentional Breach (Section 26, DPA): If the name is disclosed externally without safeguards, penalties increase to imprisonment from one and a half to five years and fines up to PHP 4,000,000.

  • Concealment of Security Breaches (Section 29, DPA): If using the name leads to a data breach (e.g., materials are leaked), failure to notify the NPC and affected individuals can result in additional penalties.

The NPC has investigative and enforcement powers, including issuing cease-and-desist orders and recommending criminal prosecution. In aggravated cases involving sensitive data or large-scale processing, penalties can double.

Exemptions and Special Considerations

Certain scenarios may exempt the use from DPA requirements:

  • Publicly Available Information: If the name is from publicly available sources (e.g., news articles or public records) and not combined with non-public data, processing might be exempt (Section 4, DPA). However, this does not apply to sensitive information.

  • Journalistic, Artistic, Literary, or Research Purposes: Exempt if the processing is for these purposes and safeguards individual privacy (Section 4(c), DPA). Training materials rarely qualify unless they have an artistic or research element.

  • Government Processing: Public authorities may process data for official functions without consent, but must still adhere to principles (Section 4(a), DPA).

In the context of employee training, if the name belongs to an employee, the employer-employee relationship might invoke legitimate interests, but consent is advisable to mitigate risks.

Case Studies and NPC Opinions

While specific jurisprudence on this exact issue is limited, analogous cases provide insights:

  • NPC Advisory Opinion No. 2017-03: Discusses the use of employee data in internal systems, emphasizing consent and minimization. Extrapolating, using names in training should follow similar protocols.

  • In re: Data Breach Incidents: The NPC has penalized companies for mishandling personal data in internal documents, highlighting that even internal use requires compliance.

  • Philippine Supreme Court Rulings: Cases like Vivares v. St. Theresa's College (G.R. No. 202666, 2014) underscore privacy rights in digital contexts, potentially extending to training materials if they are shared online.

Organizations should conduct PIAs before creating materials to identify and mitigate risks.

Best Practices for Compliance

To avoid violations, organizations should:

  1. Use Anonymization or Pseudonymization: Replace real names with fictitious ones or codes to eliminate identification risks.

  2. Obtain Explicit Consent: Use clear forms specifying the purpose, scope, and duration of use.

  3. Implement Data Protection Measures: Limit access to materials, use secure storage, and include disclaimers.

  4. Appoint a DPO: Ensure oversight of data processing activities.

  5. Train on DPA Compliance: Include DPA training in the materials themselves, ironically, but without real names unless the individuals concerned have consented.

  6. Regular Audits: Review materials periodically for compliance.

Conclusion

Using a real person’s name in training materials is not inherently a violation of the Data Privacy Act in the Philippines, but it carries significant risks if not handled in accordance with the law’s principles, consent requirements, and safeguards. The key is to ensure that processing is transparent, proportionate, and based on a lawful ground. By prioritizing data minimization and obtaining consent where necessary, organizations can create effective training resources without infringing on privacy rights. As the NPC continues to evolve its guidelines, staying informed through official advisories is crucial. Ultimately, erring on the side of caution—such as opting for anonymized examples—promotes both legal compliance and ethical data handling in the Philippine context.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.