Privacy Concerns and Ways Toward a Human Rights Compliant Baguio Smart City System

Smart City System

Automating cities have advanced from traffic lights to complex surveillance and data sharing mechanisms. At the turn of the 21^st century, the integration of digital technology in governance has rapidly made the Smart City concept a reality worldwide, including in developing countries.

The coming of the COVID-19 pandemic, which required physical distancing and limited movement to contain its spread, fast-tracked the digitalization of different aspects of life including public service delivery worldwide.

The most significant of this digital technology is the State-led development of applications and database for people’s surveillance intended for more efficient monitoring and managing the spread of COVID-19. While this emerged as a practical solution for fast and large-scale COVID-19 contact tracing and management, it also raised concerns on its impact to human rights across the globe.

This surge of technological advancement, especially in tracking the population and gathering personal information, benefitted the governments running and those embarking on Smart City projects. It has, in a way, made their task of compiling digital information easier with a definitive purpose of supporting more responsive and evidence based public health and safety policies and programs.

The rise of Smart Cities and the intrusiveness of COVID-19 tracking applications make existing data privacy and cybersecurity legislation more urgent. Compliance of government smart systems with these safeguards ensures that the general population enjoys more efficient public services and welfare without violating their inherent right to privacy and freedom from unwarranted surveillance. The clear and present threat of these digital governance systems to human rights and security makes public involvement imperative.

The report of the Secretary-General during the 19th Session of the United Nations Economic and Social Council Commission on Science and Technology for Development underscored the importance of the International Telecommunication Union Smart City as follows:

“A smart, sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, the efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social, environmental as well as cultural aspects.”

The US-based Cisco Systems Inc., one of the pioneers in developing the Smart City concept and the ICT infrastructure that comes with it, characterized Smart City as “a city that uses digital technology to connect, protect, and enhance the lives of citizens. IoT (Internet of Things) sensors, video cameras, social media, and other inputs act as a nervous system, providing the city operator and citizens with constant feedback so they can make informed decisions.”

However, while technology and interconnected devices are making sweeping changes that are making life in Smart Cities better with more efficient governance, these also increase the risk of cyberattacks and digital data breaches.

The Philippines has had first-hand experience of large-scale data breaches of commercial and government-managed data systems. The most recent was the leak of around 345,000 sensitive court documents from the Office of the Solicitor General in April 2021. In 2019, the personal data of Sephora customers in the Philippines were among the 3.7 million online customers profiles accessed by hackers who breached the company’s system. The 2016 Voters Registration System Breach exposed the personal information of 55 million Filipinos and the US$81milion Bangladesh Bank Cyberheist passed partly through the Rizal Commercial Banking Corporation (RCBC). Data breaches have become prevalent in the country that a 2019 survey conducted by US-based Unisys Corp. found that it has become a key concern for Filipino consumers.

Meanwhile, the integration of Smart devices in everyday life is becoming pervasive and data collection intrusive. The most controversial are the dangers posed by artificial intelligence (AI) and big data analytics (BDA). These are integral components of smart city systems.

Recently, BBC reported the practice of Chinese surveillance using face-scanning technology that targets journalists in Henan province.

Digital rights groups have also exposed the use of AI-powered systems for surveillance, mainly noting the threat of facial recognition technologies on human rights.

Amnesty Internatonal considers these systems a means of mass surveiallance that violates the right to privacy and threatens the people’s rights to freedom of peaceful assembly and expression. Launching the international campaign “Ban the Scan,” the group cited case studies on the overreaching use and human rights impact of facial recognition systems in New York City, USA and Hyderabad City, India.

Additionally, in South Korea, civil society groups are opposing the planned AI identification and tracking system, calling it “a human rights disaster.” The European Data Protection Board and the European Data Protection Supervisor also recommended banning facial recognition.

 

International Data Privacy Standards

The Universal Declaration of Human Rights (UDHR) and the International Convention on Civil and Political Rights (ICCPR) explicitly state the Right to Privacy as a fundamental human right.

Article 12 of the UDHR states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Article 17 of the ICCPR states: “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

In its General Comment to Article 17 of the ICCPR, the UN Human Rights Committee said: “Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant.”

On December 18, 2013, the United Nations General Assembly adopted during its 68th Session two resolutions on the people’s right to privacy in the digital age — Resolution 68/167 and Resolution 69/166. The UN has also set the Principles on Personal Data Protection and Privacy to guide UN System Organizations in processing personal data necessary in fulfilling their functions.

The ASEAN Framework on Personal Data Protection was adopted in November 2016 “to strengthen the protection of personal data in ASEAN and facilitate cooperation … and growth of regional and global trade and the flow of information.” However, the Framework does not “constitute or create, obligations under domestic or international law … or create any legally binding or enforceable obligations, express or implied.”

The International Organization for Standardization (ISO) also has sets of controls and guidelines on ensuring data privacy and security; the International Data Protection Standard consists of the following: Privacy framework, Code of practice for personally identifiable information protection, Framework for identity management, and the Guidelines for privacy impact assessment. In 2021, the Philippine National Privacy Commission released separate advisories[1] [2] [3] [4] adopting guidelines in  processing and managing personal digital information.

The European Union’s General Data Protection Regulation (GDPR) is the most far-reaching data privacy regulation. The law came into effect in Europe in May 2018. Touted as “the toughest privacy and security law globally,” it imposes obligations on all organizations, including those outside its borders, that target or collect data related to EU citizens.

Aside from having “improved rights” for data subjects, Privacy International noted GDPR’s  cross-border impact like the provision that “allows the European Commission to decide if a country has an ‘adequate’ level of data privacy protection in order to transfer data to that country.”

 

Philippine Data Privacy Act

The Right to Privacy is a fundamental right protected under the 1987 Philippine Constitution. Section 2 states: “The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall be issued except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.”

The Constitution also made the privacy of communication and correspondence inviolable “except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law” under Section 3(1).

In August 2012, President Benigno Aquino III signed Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA 2012). The law intends “to protect the fundamental human right of privacy, of communication while ensuring free flow of information… (and) ensure that personal information in information and communications systems in the government and the private sector are secured and protected.”[5]

The law also created the National Privacy Commission (NPC, the office responsible for ensuring the implementation and compliance with the provisions of the law. Its task is to monitor the country’s adherence to international data protection standards. The office also receives and investigates grievances and adjudicates disputes arising from the law’s implementation.[6]

In short, the Data Privacy Act of 2012 sets the minimum standards one should fulfill when handling personal information while working towards achieving compliance with international standards.

Under this law, the collection and processing of personal information should adhere to the principles of transparency, legitimate purpose, and proportionality. Section 18 of its Implementing Rules and Regulations states the following:

a. Transparency. The data subjects must be aware of the nature, purpose, and extent of the processing of their personal data, including the risks and safeguards involved, the identity of the personal information controller, their rights as data subject and how to exercise these. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

b. Legitimate purpose. Information processing shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.

c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive with the declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Consent of the data subject is a prerequisite to any data processing. Under the law, this refers to “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information.” It should be recorded in any means – written or electronic. A lawful or authorized representative can also consent on behalf of the data subject.

The law also identifies the Personal Information Controller (PIC) as the primary entity responsible for ensuring that the processing of personal information is compliant with the law and safeguarding the collected data. This includes cases where third parties are involved in the processing and storing of the collected data.[7]

To ensure these, the DPA 2012 mandates all offices and institutions involved in the collection and processing of personal information to (1) appoint a Data Protection Officer (DPO), (2) conduct a Privacy Impact Assessment (PIA), (3) set a Privacy Management Program contained in a Privacy Manual, (4) implement Data Privacy and Protection Measures, and (5) have a clear Breach Reporting Procedures.

The Data Privacy Officer is in charge of ensuring compliance with the DPA 2012, while the conduct of the Privacy Impact Assessment aims to:

a. identify, assess, evaluate, and manage the risks represented by the processing of personal data;

b. assist the Personal Information Controller or Personal Information Processor in preparing the records of its processing activities, and in maintaining its privacy management program;

c. facilitate compliance by the Personal Information Controller or Personal Information Processor with the DPA, its Implementing Rules and Regulations, and other applicable issuances of the National Privacy Commission, by determining:

i. its adherence to the principles of transparency, legitimate purpose and proportionality;

ii. its existing organizational, physical and technical security measures relative to its data processing systems;

iii. the extent by which it upholds the rights of data subjects; and

iv. aid the Personal Information Controller or Personal Information Processor in addressing privacy risks by allowing it to establish a control framework.

The law likewise requires State authorities to ensure that surveillance operations comply with the law.

Philippines’ Smart City Initiatives

The country’s digitalization program dates back to 2006 when the Commission on Information and Communication Technology (the precursor of the Department of Information and Communication Technology) crafted the Philippine ICT Roadmap. Its principal thrust was to ensure universal access to ICT and a reliable online environment. This includes the National Broadband Project and the development of an IP-based nationwide communication network to connect all government agencies. The plan stated that most of these projects “would be outsourced to the private sector.”

Since then, different government agencies have undertaken programs with local governments to set up ICT infrastructure, including integrated monitoring and communications systems. Among the first of these initiatives is the Davao City Public Safety and Security Command Center (PSSCC) established in 2010 “to create a Safe City by using information, people, technology, solution and develop an intelligent operations unit.” The facility also allows the “exchange of important and confidential information and intelligence” among agencies for daily events, responding to crises, and security operations.

In 2015, Cauayan City in Isabela launched its Electronic Government Application System (eGAPS), a mobile application for government services and identification systems. The Department of Science and Technology, in 2015, acknowledged the project as the first ICT-based Smart system among the 144 cities in the country.

The government has embarked on several Smart systems in different urban centers in the country. During the 4th ASEAN Smart Cities Network (ASCN) Annual Meeting held virtually on August 30, 2021, the Department of Interior and Local Government (DILG) committed to complete six Smart City projects. These include the Command Center Upgrade and E-government Services in the City of Manila; Bus Rapid Transit System and Digital Traffic System in Cebu City; and Converged Command and Control Center and Intelligent Transportation and Traffic Systems with Security in Davao City.

The Baguio Smart City System

Baguio City has invested in several technologies towards digitalizing its governance, such as crowd density monitoring and real-time weather prediction. In 2017, the City installed 70 CCTV cameras in the central business district. In the same year, the installation of CCTV cameras, video recorders, and monitors in business establishments became mandatory.

Under Mayor Benjamin Magalong, the City began creating the country’s first all-in-one Smart City Integrated Command and Control Center (ICCC), the latest addition to the country’s Smart City System. It is part of the steps to achieve the 15-Point Core Agenda of the Duterte administration.

In August 2019, the mayor announced his thrust towards innovative technologies to manage the peace and order situation in the city and transform the Summer Capital from a “Safe City” to a “Smart City” by using cutting-edge technology.

In a report by Midland Courier, Magalong said he envisions “the use of technology in dealing with peace and order, traffic and disaster concerns in Baguio with the establishment of a command center.”

Baguio’s Smart City system is an integration and upgrade of Davao City’s PSSCC, which houses its Intelligent Transport Management System, the Intelligent Operation Center, and the Cauayan City’s eGAPS.

At present, the system is composed of two separate but interconnected components –Baguio In My Pocket (BIMP) smart mobile application and the Integrated Command and Control Center (ICCC). The BIMP app was rolled out for city-wide use in November 2020, while the City formally launched the command center in September 2021.

Integrated Command and Control Center (ICCC). The facility features an Integrated Communication Platform (ICP, a Video Management System (VMS) with Video Analytics, Computer-Aided Dispatch (CAD, and Geographical Information System (GIS, and big data analytics. The facility is located in the Baguio Convention Center.

City officials formally launched the P200 million state-of-the-art ICCC on September 10, fully demonstrating its capabilities. The Philippine subsidiary of technology giant Cisco Systems Inc. developed and installed the holistic and integrated platform for the facility.

The ICCC’s artificial intelligence-capable closed-circuit television system can aid authorities to manage and monitor the city’s security, traffic, disaster response, environment, lighting, and emergency response. Live feed to the system includes those captured by the body IP radio-cameras worn by police personnel when responding to crime reports and similar operations.

Authorities can also use the cameras to track the location of subjects (persons and vehicles) once their face and plate number are uploaded into the system. The City purchased 64 AI cameras for high traffic and high crime rate areas. During the command center launching, there were already 20 newly installed high-definition AI cameras, and the integration of existing 90 cameras across the City is also on the way. The City is awaiting the government’s guidelines on the use of facial recognition before it will activate the feature.

Phase 1 of the ICCC is its present set-up and capabilities, with four use cases: (1) the 911 emergency management system, (2) the AI-enabled CCTV system, which only captures video at the moment, (3) environmental data recording that includes a mini-weather system, and (4) the geographic information system.

Phase 2 would include the addition of more use cases that would include contactless traffic apprehension and addition of more data base. The City is eyeing data sharing agreements with other government agencies and the Benguet Electric Cooperative (Beneco) to integrate their data bases in the system. Information from the electric cooperative would include the names of the registered owners of the meters of houses connected to their systems.

Composite personnel from the city’s disaster risk reduction office, police, fire department, and emergency medical services will operate the center.

The system’s software platform is Cisco Kinetics for Cities; its partner Indian company, Quantela, provided the AI software for the CCTV surveillance system. The Philippine Long Distance Company developed and owns the 911 Customer Relationship Management (CRM) software, which the city subscribed to, based on the guidelines set by the National 911 Center.

Baguio in my Pocket (BIMP). Earlier, the City introduced its own smart city mobile application, Baguio in My Picket, to create a “digital ecosystem.” The app serves as a public registration platform and a transaction portal for social services and commerce. The mayor sees Baguio in My Pocket as empowering barangays, making it necessary to “require the registration of all constituents at the barangay level” to enable barangay officials to deliver essential services to everyone.

The project’s primary objective is to modernize and create an up-to-date record of the city’s inhabitants in compliance with the Department of Interior and Local Government  Memorandum Circular No. 2005-69 directing local governments of cities, municipalities and barangays to maintain and update records of all barangay inhabitants. The order specifically identified the department’s Registry of Barangay Inhabitants (RBI) forms as capture instruments for the said purpose.

Personal information collected through the app includes the user’s complete name and address, contact number, birthday, age, gender, civil status, residency, and tenurial status of their abode. It also requires sensitive information such as religion, ethnicity, and blood type. The Information Technology Business Solutions (ITBS), which developed the app, claims they based the information collected on DILG’s Data Inhabitant Record Registration Form. The app requires submitting a valid government and facial ID to complete the registration process.

The ITBS is in charge of securing the information that passes through its app and gateway using a layer of security: SSL certificate, one-time password (OTP), and 128–256-bit AES algorithm to encrypt the data.[8]

The City intends to use the collected data to facilitate efficient disaster response, delivery of social services, and ease business transactions and trade. Baguio in my Pocket also features a cashless payment system, a COVID-19 contact tracing module, and an emergency response hotline.

The project implementation for BIMP commenced in July 2020 through a memorandum agreement between the Baguio City government and the Information Technology Business Solutions. The National Privacy Commission issued a certification for ITBS to collect and process the information on behalf of local governments with partnership agreements. The contract between the City and ITBS runs for five years.

The City pilot tested BIMP in Barangay Irisan in October, with 23,000 residents registering in three weeks. Officials launched the app for City-wide use on November 9 as the integrated mobile smart application for city services and other public transactions. Use of the app became a requirement for City officials and employees in December. By January 6, 2021, the City reported that 30,000 residents had already signed in to the application.

On January 7, 2021 the mayor issued Memorandum No. 18 s. 2021 implementing the “No QR Code, No Entry” policy for all city hall officials, employees, and citizens who have transactions inside the city hall. This requires them to register with BIMP through the website or to download the app using a smartphone to get QR codes. The City’s public information office announced the policy on January 8 through its Facebook page.

The policy took many Baguio residents by surprise, not only for the sudden implementation but also for the volume of personal information required from the users. Many residents complained since the app requires smartphones, which not all have. The policy also prompted concerns over security and privacy. However, Magalong dismissed concerns on the security of personal data and privacy as a “leftist” issue.

On January 18, the City Council called for an inquiry arising from the complaints.  During the inquiry, the Information Technology Business Solutions as the app developer explained that they would only process information but Baguio City will own the data and manage it through the Management Information Technology Division (MITD). The executed contract between the City and Information Technology Business Solutions covers the use of the ITBS app and its data processing service. ITBS has only “gateway access” to the data and is covered by a non-disclosure agreement.

Engr. Philip Puzon, who is in charge of the Smart City program, elaborated that the agreement with ITBS also includes the necessary action and accountability in a data breach.

Having acknowledged the overly broad personal information being generated, the City Council adopted a resolution urging the executive office to trim down the information needed when registering to the app.

In May, Mayor Magalong created the Smart City Council composed of sectoral representatives. Its task is to develop action plans and resource guides about the system. The group will assist in ensuring compliance with the DPA 2012 and other related laws and in addressing issues that may arise during its implementation. The executive also engaged the LGU Advisory Council for the project.

Magalong also issued Executive Order 116 s. 2021 in September requiring all government offices, agencies, and business establishments to adopt BIMP QR System as the primary COVID-19 contact tracing application.

The BIMP is connected to the Integrated Command and Control Center platform. Using the 911 emergency button directly transmits information on incidents that requires the immediate attention of the concerned office. The caller’s identity, contact details, and geolocation are among the data automatically sent.

Other data collection platforms. After the initial lifting of travel restrictions during the Luzon-wide lockdown, the City mandated the use of its online health declaration form (hdf.baguio.gov.ph) for Authorized Persons Outside Residence (APOR) traveling to and from the city. Besides personal information like name, address, contact number of the data subject, the portal also asks for the travel details, including the type of vehicle and plate number. The registrant is also required to submit documents relevant to his travel and government issued ID.

Visitors, mainly tourists, have a separate registration portal — the Baguio VISITA, designed to “regulate entry and monitor mobility of visitors through a ticketing system using a QR-coded Tourist Pass (QTP), and at the same time implementing the City’s health and safety protocols, from the mandated triaging up to digital check-ins for contact tracing.”

The Baguio Bakuna serves as the registration portal for the city’s COVID-19 vaccination drive. Users can also download their vaccination certificates and QR passports from the site using their registered name and birthday or mobile number.

All the platforms are integrated with the City’s website.

 

Data Access and Storage

Cisco Systems’ Philippine subsidiary has yet to turn over the integrated ICCC system as of December 18, 2021, and the City has yet to formulate its Privacy Management Program and Privacy Manual.

This means that at the moment, the company still has the full control and access of the platform, including the information stored in the servers. Once the City accepts the platform and takes control, all access credentials of Cisco and other system installers will be revoked except their access to do the necessary maintenance and repair.

For the meantime, the Management Information Technology Division has set up access hierarchy and set up filters allowing persons and offices with access credentials to only view the data needed in their discharge of duties. All changes in the stored data need the approval of the head of the office in charge of the information. Each office has a designated administrator that can allow the change in the database. The system also logs every action, including those who access data stored in the servers.

The following local government branches will have access to limited information on the data subjects tailored to their needs: (1) barangay, (2) local civil registrar, (3) disaster risk reduction and management office command center, (4) health services office, and (5) social services office.[9] Authorized personnel in the Integrated Command and Control Center may access the information gathered through the BIMP app.

All information gathered by the input hardware connected to the ICCC are stored in the secured servers in a separate room adjacent to the control room and accessible to limited individuals.

The ITBS processes the information gathered using the BIMP and stores it in a cloud drive run by Oracle, providing security for stored data. ITBS holds the contract for this with Oracle and not the City.

Meanwhile, information collected from the VISITA app is also stored in an Oracle cloud drive, and those that pass through the hdf.baguio.gov.ph and Baguio Bakuna are deposited in an onsite data server in the City Hall.

In principle, the user, besides the authorized person by the concerned city departments, can access the information from the said online registration sites. However, getting hold of the person’s vaccination card and/or certificate is a different matter. Currently, any person who knows the full name of a registrant, his/her cellphone number and birthday can download the said identifying document, which contains personal and sensitive information.

The City plans to migrate all data from the online services to onsite servers to make it “cheaper and safer.”

For 2021, the Management Information and Technology Department received PhP25 million for its operation and maintenance of the City’s digital ecosystem. Originally, the MITD requested PhP250 million to “update the outdated IT system.” The amount approved managed to upgrade the servers, update the software needed, and the necessary subscription for the system security, but the office said that “there is much to be done” to ensure security of the system and the stored digital data.

 

Law Compliance and Social Concerns

The potential of the Baguio Smart City to improve governance and administration of public services is encouraging.  Public services can be accelerated.  Burdensome bureaucratic processes will be minimized and corruption can be avoided.

For example, barangay databases can immediately identify vulnerable sectors that need immediate or special assistance in times of calamities. Online transactions like assessment of taxes and fees and payment to the city’s treasury also eliminate chances of fixers profiting from the process.

Meanwhile, the ability of the CCTV network to identify individuals and vehicle plates in the city’s database can significantly increase the law enforcement capacity of the police and other City personnel. The integrated emergency service between the BIMP (911) and the ICCC can speed up response time for emergency services for the health and safety of residents.

While these benefits are hard to overlook, it is also vital to ensure that the Smart technology does not risk individual privacy and people’s rights. In addition, these potential benefits will only be optimized if corresponding public service infrastructures are set in place.  Real time data will be helpful if real time response is made available. Infrastructure for emergency services must be available to respond to emerging urgent situations. Additionally, the Baguio constituents must be empowered to make use of the Smart City system for their benefit.

While the City government has already registered its system to collect and process data, it has yet to completely comply with the Data Privacy Act 2012. This report noted the following compliance issues and social concerns that the City must address as it moves forward with its Smart City ambition.

1. Non-compliance with Privacy Impact Assessment. On February 8, 2021, the city council urged the executive to designate a data protection officer and formulate a data privacy management program. The body noted that agencies processing data should strictly comply with the five pillars of data privacy and accountability.

However, more than a year after the City mandated the use of BIMP and its pilot registration, the local government has yet to conduct a Privacy           Impact Assessment. With the admission of the person in charge of the Smart City Project that digital and data security is a “relatively new” policy in the   City, the conduct of the PIA should have been paramount in the implementation of the whole project.

While the person in charge of the project and ITBS assured the City officials and the public of the system’s security and adherence to the DPA 2012,  these cannot be ascertained, even by the Data Protection Officer, without the Privacy Impact Assessment report.

The City designated its Data Protection Officer on October 14, 2021, almost a year after it processed tens of thousands of personal information through the Baguio in My Pocket application and months after the public expressed concern on the security of personal data and the City Council’s recommendation to comply with the DPA 2012. As of December 2021, the City has not published the contact details of its Data Privacy Officer as mandated under NPC Advisory No. 2017-01.

2. Token compliance with transparency and informed consent. The principle of transparency in the DPA 2012 mandates that the data subjects must be aware of the nature, purpose, and extent of the processing of their personal data, including the risks and safeguards involved, the identity of the personal information controller, their rights as data subject. However, the City failed to ensure this principle when it launched the mandatory BIMP registration.

As pointed out during the January 18 inquiry on the use of BIMP, “there is no portion [in the form] where [the users] are supposed to sign a consent. They are not being told; there is no briefing before they fill up the form.”

Transparency also requires that “information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.” However, the ITBS Privacy Statement contains vague provisions, with some even falling short of complying with the principles laid out in the DPA 2012. The statement also uses jargon that is incomprehensible for many individuals and cites several laws but fails to explain how they are related to the data collected by the application. These issues are discussed in the next number.

The Mayor’s statement brushing aside the personal information security and privacy issue that the app and Smart City Project may create as a mere leftist concern undermines the City government’s responsibility to provide the public with timely and complete information on matters involving right to privacy and data access rights as enshrined in the DPA 2012.

3. The City has yet to adopt its own privacy notice and statement for its online digital ecosystem. At the moment, the City utilizes the ITBS privacy statement for BIMP, which is readily available in the mobile app’s interface. Scrutiny of the ITBS Privacy Statement noted the following issues:

a. In its policy statement, the application asks data subjects “to provide their personal information and accept the terms and conditions by saving the information with their consent.” The law requires “informed consent” for specific use of the information being collected from the data subject, which means the reader should know what they consent to and be recorded.[10]

DILG MC No. 2005-69, which the data processor cited in the policy statement, also directs the agencies to treat the information “strictly confidential,” requiring written authorization from the owner for any access, disclosure, correction and revision.

b. The law requires that the collection of personal data “must be for a declared, specified, and legitimate purpose.”[11] The policy statement failed to specify the “concerned government agencies” and “authorized personnel” who will have access to the information collected. It also did not elaborate on “any legitimate purposes” for which the City will utilize the collected data. It also says that personal data can be disclosed “to authorized personnel only for any legitimate and beneficial purpose it may serve” but does not enumerate or specify who are the authorized personnel, what data and for what legitimate and beneficial purpose it will serve.

c. While the app developer declared its “right to amend, update, and change the application’s privacy policy” according to needs, it failed to mention that changes should be made public and data subjects should be informed.

d. ITBS also failed to indicate its data disposal policy, the data subject’s access right mechanism, and cookie policy. At the very least, the operator should declare the presence of cookies in the app, explain its purpose (why it is there and what it does), and get the person’s consent to store the cookies in their device.

e. ITBS stated in its Privacy Statement that non-personal information can be used for “whatever purpose it may serve as long as it is legitimate and beneficial to the government.” This runs contrary to the DPA 2012 provision, which states that the processing of an individual’s data should have a specific purpose.

2. Absence of Privacy Statement/Notice in the Baguio VISITA and the online health declaration portal. The online health declaration portal (hdf.baguio.gov.ph) and Baguio Visita have no Data Privacy Statement/Notice. While different and independent from the ICCC and BIMP, these portals remain part of the City’s entire digital ecosystem and e-governance and are used to collect and process personal information. Under the DPA 2012, privacy notice is part of the data processor’s responsibility to maintain transparency. For example, Pasig City has a Privacy Policy when an individual registers to its local travel pass system Pasig Pass. The national tracking system SPass also has its Privacy Policy.

 

3. Excessive personal information generated. The principle of proportionality maintains that information processing shall be adequate, relevant, suitable, necessary, and not excessive with the declared and specified purpose. However, the Smart City System collects many unrelated information or data obtained and/or readily available from other means.

 

The City Council also deemed the data collected excessive, which made them pass a resolution to trim down the information to the basics and make other sensitive information as defined by DPA optional.

In fact, for the purpose of updating the Registry of Barangay Inhabitants, the DILG has specifically ordered the use of its RBI forms that only require “the name, address, place and date of birth, civil status, citizenship and occupation of the inhabitants.”

The one-app-all-services concept promoted for the BIMP also exposes users to other privacy risks like behavioral patterns (e.g., product preferences and spending). Even without using the processed, identifiable data, this information remains a privacy issue and can be exploited for commercial use.

One of the significant features of Baguio’s Smart City System is its facial recognition capability. In principle, the system reinforces law enforcement and safety management in the city, but it also risks individual’s privacy and security.

Meanwhile, the extent of information being gathered through the City’s network of CCTV cameras and AI system puts the residents in a perpetual state of surveillance. While the City has yet to activate the facial recognition feature, its daily collection of footages, which include the faces of individuals, threaten privacy once the system starts in full swing.

With the integration of BIMP, AI facial recognition further increases the ability of the system to track individual movements in real time which can be used illegally.

In conclusion, given the cited flaws and non-compliance on legitimate purpose, transparency and proportionality, Baguio City is not prepared to transform into Smart City that fully respects the right to privacy of individuals.

While the Baguio in My Pocket, Baguio Bakuna and Baguio Visita have defined purposes, integrating these with the Integrated Command and Control Center under the Smart City system made the purposes complex and overly ambitious.

A secure system and safeguard of sharing a wide range of data on a wide range of uses need to be put in place. The basic requirement of data subject consent has yet to be established.  And ultimately, for the Smart City system to offer an efficient and effective governance, public service infrastructures and services that are as effective and efficient must be in place.

 

Recommendations

With the substantial flaws and non-compliance with the Data Privacy Act 2012, this report recommends to suspend the implementation of the Baguio Smart City.  In particular, this report offers the following recommendations:

1. Immediate suspension of data collection by the BIMP and destruction of collected data pending the following:

a. Conduct of the Privacy Impact Assessment

b. Crafting of the Privacy Management Program (PMP) and Privacy Manual

 

2. The City must provide a venue for the participation of stakeholders in the conduct of the Privacy Impact Assessment and review of its report, and the crafting of the Privacy Management Program and its codification as prescribed under the NPC Advisory 2017-03 that stakeholders’ participation in the PIA is important.

 

3. Review data-sharing agreements with government agencies and private entities. Mandatory non-disclosure agreement for individuals with access credentials with the data contained in the different online platforms.

 

4. Institute a system on personal consent management where citizens can give or withhold consent on specific use of data.

 

5. The City should immediately adopt its own privacy policy and use it for all its online platforms and services or review and amend the BIMP policy statement to make its provisions more specific and understandable for all users.

a. Specify offices and individuals who can access the information and the allowable use of the stored data.

b. Users of the application should be notified and provide their consent before any change in the privacy policy is made.

c. Indicate the disposal procedure and mechanism for data subjects’ access rights.

 

6. Ensure hardening of the security of system and data storage facility against hacking and accidental breaches. Institute multiple security measures such as firewalls and encryption, and logs for all access made in the system.

 

7. Allow a third-party review of the security of the BIMP/Smart City Command Center data collection, processing, storage, and transmission.

The City should use open-source technology to allow people to review the source code to make the system more transparent. Such a system is now in use in Barcelona. While this does not provide full-proof human rights protection, it encourages civic participation and collective ownership of the data collected.

8. Minimize the collection of identifiable data. The DILG directive cited by the City for the use of BIMP limits the information to the name, address, place and date of birth, sex, civil status, citizenship and occupation of the resident.  This report further recommends not to provide full date of birth but only the year of birth and to exclude the place of birth, informations which will not contribute to the efficient delivery of government service.

 

9. The system automatically deletes raw data after it has been processed and used for its intended purpose to minimize privacy risk. Data with prolonged use should be modified after a certain period to make it less identifiable.

 

10. Uphold the City Council’s resolution to make BIMP and its integrated application (e.g., COVID contact tracing feature) voluntary. Improve existing data collection procedure that does not require the app to update the registry of the resident.

 

11. Strengthen the Smart City Council by involving human rights advocacy groups and data privacy experts. Authorize the body to ensure regular audit of the City’s compliance with the DPA 2012 and report their findings to the public.

 

12. The City must engage the community and make them understand the Smart City technology, the risk that comes with it, and their data rights under existing laws and other statutes. Information and education campaigns must emphasize the rights of data subjects and the mechanism by which they can access and have full control of their personal data and lodge complaints for any violation. eof/3March2022

 

Endnotes:

[1] Advisory No. 2021-001 – PNS ISO/IEC 29100 – Information technology – Security techniques – Privacy framework

[2] Advisory No. 2021-002 – PNS ISO/IEC 29151 – Information technology – Security techniques – Code of practice for personally identifiable information protection

[3] Advisory No. 2021-003 – PNS ISO/IEC 24760-series – Information technology – Security techniques – A framework for identity management

[4] Advisory No. 2021-004 – PNS ISO/IEC 29134 – Information technology – Security techniques – Guidelines for privacy impact assessment

[5] Section 2, Republic Act No. 10173 or the Data Privacy Act of 2012

[6] Section 7, Republic Act No. 10173 or the Data Privacy Act of 2012

[7] Section 14, Republic Act No. 10173 or the Data Privacy Act of 2012

[8] ibid

[9] ITBS Smart Ecosystem App Privacy Policy, https://baguioinmypocket.ph/privacy-policy.php

[10] Sections 3(c), 19(a1), 21(a)

[11] Section 19a, Data Privacy Act of 2012

*Study conducted and written by Sherwin De Vera, Audrey Beltran and Rhoda Dalang under the auspices of the Center for Development Programs in the Cordillera (CDPC) and funded by the International Center for Not-for-Profit Law (ICNL).  The content are that of the writers and do not reflect the views of  CDPC and ICNL.  The information provided here in are for general information.