Artria Grace Alimurung

Information Privacy

Privacy involves the policies, procedures, and other controls that determine which

personal information is collected, how it is used, with whom it is shared, and how individuals

who are the subject of that information are informed and involved in this process. 1 Even though

Information Privacy is not a technological concept, discussions about privacy are intertwined

with the use of technology.2

The Information Age, despite all of its benefits, must be looked upon as having been

disastrous from the perspective of protecting one’s personal privacy. Sharing private

information has become such a common activity that many people share highly sensitive

information freely about themselves, their lives, and their preferences without ever considering

the consequences. Moreover, access to private information is easily threatened with the use of

technology and the consumer’s negligence of informed consent.

To prevent data leaks and protect people’s identity and safety, countries around the

world have developed regulations, such as the Health Insurance Portability and Accountability

Act in the U.S, and the EU General Data Protection Regulation, to oblige businesses that work

with data to employ certain security measures. However, it is somewhat paradoxical in that

organizations and governments are also asking for and collecting more private or sensitive

personal information (e.g Foreign Account Tax Compliance Act in the U.S, and China’s

Surveillance and Social Credit system).

Artria Grace Alimurung

One caveat in implementing privacy laws is the requirement for personal data to be

protected but simultaneously be readily available for monitoring of illegal activities. The two

juxtaposed requirements differ in severity depending on the country and the context of how

data is used.

In the Socialist Republic of Vietnam, where I am currently residing, there is no particular

definition of "sensitive personal data" specified in the laws. Vietnamese law does not

differentiate between general personal information and sensitive personal information, except

for highly controlled industries such as banking and finance. Vietnam does not have a

consolidated piece of legislation on the protection of personal data. 3 Instead, rules and

regulations on personal data protection can be found in several laws, including general laws

such as the Civil Code and the Law on Cyberinformation Security and sectoral laws such as the

Law on Electronic Transactions and the Law on Telecommunications. In general, protection of

privacy and personal data are under the responsibility of the Ministry of Information and

Communications (MIC). 4

The legal framework for privacy remains underdeveloped and in practice, privacy,

confidentiality and anonymity are not seen as important. Without data privacy legislation and a

single national data protection authority in the country, my personal data is easily collected and

used. Companies can disclose personal information to third parties for the purpose of

marketing without obtaining consent. Mobile users in Vietnam are plagued with frequent

invasive spam text messages, random alerts, gambling services advertisements, and cold calls

as a consequence of no data protection jurisdiction.5

Artria Grace Alimurung

With the rise of foreign investors in Vietnam, The Ministry of Public Security has issued a

Draft Decree on Personal Data Protection last year to consolidate all data protection laws and

regulations into one comprehensive data protection law.6 The draft decree covers other issues

as well. It addresses the processing of children’s data.

As an educator, the kinds of information we collect from students in school can be very

detailed. It can range from behavioral and disciplinary information, health declaration (in

regards to CoVid-19) and traditional aspects like grades and classroom performance. Since the

laws regarding the collection, processing, and publication of children’s data are minimal, it is

the teacher’s responsibility to treat the data privacy of the students following one of the

principles in the Draft Decree - Principle of Simplification. Personal data shall only be collected if

it is necessary to serve for a predetermined purpose.

Teachers also need to have an active role in imparting students the importance of

information privacy. With students’ awareness of their digital behavior, and the knowledge of

internet service providers & cloud storage having access to their information and activity, they

can apply online security practices such as using VPN, and limiting social network information

sharing. Teaching and modeling responsible digital behavior support the school in safe digital

practice.

.
Artria Grace Alimurung

Health Insurance Portability and Accountability Act

The HIPPA is a United States federal law that protects the privacy and security of

patients’ health-related data and personal information. Regulations are conducted by the Office

for Civil Rights of the U.S Department of Health and Human Services. HIPAA has 3 main rules:

(1) The Privacy Rule safeguards people’s health information (PHI) and medical records of

individuals - with limits and conditions on the various uses and disclosures that can and cannot

be made without patient authorization. (2) The Security Rule, on the other hand, describes

steps an organization has to take to protect patient data. That includes administrative,

technical, and physical aspects of data security measures. Finally, the (3) Breach Notification

Rule establishes protocols on how to react and who to notify if a data leak happens. 7

Private or sensitive health information is commonly sold or shared for research and case

study. Patients typically have little knowledge or control over such exchanges. HIPPA

regulations dictate institutions how to use and disclose personal information, how to manage

security and assess risks, and how to respond to security incidents. HIPPA compliance lowers

the chances of customers’ data being compromised.

Artria Grace Alimurung

Foreign Account Tax Compliance Act

The FATCA is a United States federal law, with extraterritorial effects, that enforces the

requirement for American citizens, including those living outside the U.S., to file yearly reports

on their non-U.S. financial accounts to the Financial Crimes Enforcement Network. This citizen-

based taxation was implemented as a reaction to banking scandals where wealthy Americans

were hiding money in secretive offshore accounts. It is a requirement placed on foreign

financial institutions to report back to the Internal Revenue Service (IRS) details of any

American that has accounts outside the U.S. If these banks don’t comply, they face harsh severe

penalties such as 30% tax and exclusion from the U.S financial system. 8

With regard to information privacy, the banks need to be transparent and tell the

customers what they’re going to do with their data. Personal data should only be processed to

the extent that it’s necessary, to achieve the objective. Although it is a deterrent to banking

secrecy, there remains a critical threat: data collection. The FATCA allows massive amounts of

private financial data to be collected, shared, and analyzed across countries via the internet.

The information is also routinely collected without the explicit consent of individuals

themselves. And because that is how data is exchanged, it exposes a compliant citizen to huge

risks of hacking. The government cannot provide any reliable assurance that the private

financial information obtained on millions of U.S. and non-U.S. citizens can be in any meaningful

sense be considered secure.

Artria Grace Alimurung

Anti-Money Laundering Act

The AMLA (Republic Act 9160) was passed by Congress in order to protect and preserve

the integrity and confidentiality of bank accounts and to ensure that the Philippines shall not be

9
used as a money-laundering site for the process of any unlawful activity. Republic Act 11521

introduces amendments to the Anti-Money Laundering Act to strengthen its provisions. Section

3 of the same Act adds two new covered persons: (1) offshore gaming operators and their

service providers that are regulated by PAGCOR, and (2) real estate developers and brokers.

These covered persons are now required to report covered and suspicious single cash

transactions exceeding Php 5 million and Php 7.5 million respectively to the Anti-Money

Laundering Council. 10

When it comes to real estate, there are many ways to finance the purchase of a

property - the most common is bank financing and cash. Real estate has been used in the past

to clean up “dirty money”. Funds are acquired illegally, and then real estate is bought and

resold to legitimate funds. In disclosing the transactions to the council, the two new covered

persons should follow the principles of limited use, purpose specification, and safeguarding

security. Personal data should only be collected for specified, explicit, and legitimate purposes

and not further processed in a manner that is incompatible with those purposes. Procedures

11
must be established to protect sensitive information from being lost, damaged, or misused.
Artria Grace Alimurung

References:

1 Lauren Steinfeld and Kathleen Sutherland Archuleta, "Privacy Protection and Compliance in

Higher Education: The Role of the CPO," EDUCAUSE Review, vol. 41, no. 5 (September/October

2006), pp. 62–71.

2 Stanford Education

https://plato.stanford.edu/entries/it-privacy/

3 Ministry of Public Security of Socialist Republic of Vietnam

http://en.bocongan.gov.vn/news-events/pm-requests-stepping-up-national-digital-

transformation-project-t8739.html

4 Ministry of Information and Communications

https://www.mic.gov.vn/mic_2020/Pages/VanBan/danhsachvanban.aspx?LVB=100

5 Ministry of Information and Communications

http://english.mic.gov.vn/Pages/TinTuc/144407/OTT-messages-advertising-illegal-gambling-

are-harassing-mobile-phone-users.html

6 Ministry of Public Security of Socialist Republic of Vietnam

Artria Grace Alimurung

http://en.bocongan.gov.vn/news-events/workshop-on-personal-data-protection-on-

cyberspace-t7542.html

7 Centers for Disease Control and Prevention

https://www.cdc.gov/phlp/publications/topic/hipaa.html

8 Internal Revenue Service

https://www.irs.gov/businesses/corporations/foreign-account-tax-compliance-act-fatca

9 Republic of the Philippines Anti-Money Laundering Council

http://www.amlc.gov.ph

10 http://www.amlc.gov.ph/images/PDFs/RA%2011521.pdf

11 UK Legislation

https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted