2024-06-11
The Bangko Sentral ng Pilipinas issued this memorandum to remind all supervised financial institutions of their obligations regarding the responsible handling of Personally Identifiable Information and other sensitive data. The regulator explicitly warns against using Robotic Process Automation and data scraping to collect login credentials or facilitate unauthorized financial transactions, citing significant risks to consumer trust and system integrity. Financial institutions are required to implement robust risk management systems, ensure compliance with the Data Privacy Act and National Privacy Commission guidelines, and maintain adequate safeguards for data processing and outsourcing arrangements.
BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE DEPUTY GOVERNOR
FINANCIAL SUPERVISION SECTOR

MEMORANDUM No. M-2024-019

To: ALL BSP-SUPERVISED FINANCIAL INSTITUTIONS (BSFIs)

Subject: Reminders on the Handling of Personally Identifiable Information (PII) and Other Sensitive Data

As harnessing customer data drives competitive advantages and market opportunities, many institutions leverage innovative solutions and technologies to enable them to access, utilize, and transform data to gain deeper insights into market needs, assess product suitability, and optimize customer service processes. However, improper and/or unauthorized access to and handling of customer data, particularly involving financial information, may expose BSFIs to customer complaints and data privacy concerns.

Related thereto, the use of robotic process automation (RPA)[1] and other similar tools as an alternative data-sharing method raises some issues within the financial services industry. While these technologies have merits as an internal data collection automation tool, the use of RPA and other data scraping[2] methods, specifically to collect Personally Identifiable Information (PII)[3] (i.e., log-in credentials) and use it in gaining access to financial accounts and/or facilitating financial transactions, is seen to pose significant risks that may undermine consumer trust in financial service providers and compromise the integrity of the financial system.

In this regard, the BSP underscores the importance of responsible data handling in fostering innovation in the financial ecosystem. The proper handling and protection of PII and other sensitive data serve as cornerstones of customer privacy and represent critical components in the prevention of fraud, identity theft, and other financial crimes.

Moreover, BSFIs, as personal information controllers (PICs) of their customers' data, are ultimately responsible for compliance with the Data Privacy Act of 2012 (DPA), including adherence to the data privacy principles of transparency, legitimate purpose, and proportionality. BSFIs must meet the requirements provided under the National Privacy Commission's (NPC) Guidelines on Consent (NPC Circular No. 2023-04 dated 7 November 2023) and other NPC issuances concerning consumer consent. These requirements may pertain to the right to data portability[4], the procedures for obtaining and managing consent, data access methods, and data sharing arrangements.

BSFIs are strongly enjoined to employ robust risk management systems and implement adequate safeguards in handling PII and other sensitive data, including those covered under outsourcing arrangements. These include ensuring compliance with relevant laws and pertinent BSP regulations on financial consumer protection, data privacy and data protection, anti-money laundering and combating the financing of terrorism (AML/CFT), cybersecurity, outsourcing, and open finance, among others. BSFIs should also regularly review and update their policies and practices to reflect the evolving data governance standards and requirements.

For strict compliance.

11 June 2024

CHUCHI G. FONACIER
Deputy Governor

[1] Robotic process automation (RPA), also known as software robotics, uses intelligent automation technologies to perform repetitive office tasks of human workers, such as extracting data, filling in forms, moving files and more. Source: https://www.ibm.com/topics/rpa

[2] Data scraping is a technique in which a computer program extracts data from human-readable output. Source: https://dictionary.cambridge.org/us/dictionary/english/data-scraping

[3] Personally Identifiable Information (PII) is defined by the Data Privacy Act of 2012 as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would

[4] The right to data portability is referred to under the DPA as the right of a data subject to obtain from a PIC a copy of his or her personal data that was processed or undergoing processing by the latter, in an electronic or structured format, which is commonly used and allows for further use by the data subject.