January 29, 2023

Lenders operating online apps that can be installed in smartphones are prohibited from harvesting personal information, such as phone and social media contact lists, to harass delinquent borrowers, the National Privacy Commission (NPC) said.

The NPC issued Circular 20-01 on Oct. 19 in response to numerous complaints that online lenders were illegally using the personal data of clients and those in their contact lists, causing damage to reputation and violating the rights of the latter as data subjects.

The harassment and shaming of delinquent borrowers before relatives, friends, and colleagues have persisted despite separate orders last year from the NPC and the Securities and Exchange Commission to shut down errant online creditors.

Upon the effectivity of the circular 15 days after publication, all lending and financing companies in possession of their borrowers’ contact lists in whatever form in violation of the guidelines shall dispose of the information in a manner that would prevent further unauthorized processing, access, or disclosure to any other party or the public, the NPC said.

“The NPC is issuing this circular for the appropriate and respectable treatment of borrower’s personal information,’’ Privacy Commissioner Raymund Liboro said.

He said online lending applications should design their business processes with privacy by design and default, and with complete adherence with the principles of the Data Privacy Act.

“Once again, we remind online lending operators and businesses to take their customers’ data privacy seriously and deploy adequate security measures. For the public, we hope this circular will help them keep an eye out for red flags while they are in the process of borrowing money from online lenders,’’ Liboro added.

He added the circular lays out what online lending operators can and cannot do with borrowers’ personal information to avoid instances of abuse.

Unnecessary permissions include accessing phone contact or e-mail list, harvesting social media contacts, copying or otherwise saving these for use in debt collection, or harassing the borrower or his/her contacts.

Access to the phone camera of the borrower is allowed only for the purpose of know-your-customer policies. In no way shall the borrower’s photo be used to harass or embarrass him or her to collect a delinquent loan.

App permissions are allowed only under suitable, necessary and not excessive purpose of know-your-customer for determining credit worthiness, preventing fraud and collecting debt.

“When such purpose has already been achieved, such online apps shall prompt the data subject to turn off or disallow these permissions,’’ the circular said.

In terms of personal information controllers, lending and financing companies must implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data.

Details concerning the loan must be written in a clear language and in the most appropriate format.

Borrowers must be informed if the loan processing activity involves the use of profiling, automated processing, automated decision-making, or credit rating or scoring.

A separate lawful criterion must be in place pursuant to Sections 12 and/or 13 of the Data Privacy Act, should information be used for marketing, cross-selling, or sharing with third parties for purposes of offering other products or services not related to loans.

Reasonable policies on retention of data must be adopted and implemented for those with denied loan applications and borrowers who have fully settled their loans.

The circular stated lending or financing companies and persons acting like these entities are at all times accountable for personal data under their control or custody.

“They shall not use any personal data to engage in unfair collection practices as defined under SEC Memorandum Circular 18, s.  2019,” the circular stated.

Any lender found in violation of the circular shall be liable under the applicable provisions of the Data Privacy Act, which imposes fines and imprisonment.

The NPC observed that a month after it ordered the shutdown of 26 online lending companies in October last year, the complaints it received from the public declined 90 percent. – Press release