Transcription of the whole Meeting
Transcription - Meeting with PSA and NPC on Use Cases
Via Zoom Teleconference
21 September 2020
4:00 p.m. – 5:00 p.m.
Marc:
Thank you for joining the call. Basically, the reason why we asked for this meeting: this is an offshoot of our consultative meeting with our development partners last Tuesday, and in that meeting we had some discussion on the privacy standpoint on the items being raised by our development partners. Probably from here I'll be giving the floor to our partners from the World Bank to facilitate the meeting for this afternoon.
Jonathan:
*greetings*
Providing the background: we are supporting PSA to start developing the elements of the authentication and eKYC ______ and we have a bunch of questions for PSA, and there are two specific issues that we would like to receive guidance on from ???. Before I get into that, I just want to emphasize that the two principles that we want to emphasize here are simplicity and privacy. Simplicity particularly refers to how the relying parties are onboarded to access the PhilSys, to consume the PhilSys to verify the onboarded customers.
So the first issue is with respect to the legal agreement between the PSA and the relying parties……. *sharing screen*
So we're proposing to PSA to have a tiers approach to the level of access that the relying parties have to the PhilSys, and on the left you see the tiers explained, these 4 tiers, and on the right you'll see what we are suggesting as the onboarding requirements or the process. So T0 obviously is offline, where there are no onboarding requirements except ???? PSA wanted to limit who can download the app to validate the digital signature in the PhilID card. We don't feel that that is necessary because it's just data that is already on the ????. The first tier involves only a yes/no verification, so a PhilSys number or an alias PhilSys number plus an authenticator such as a one-time password, or demographic or biometric, plus getting back a PSN token; we don't feel that any personal information is being shared. The PhilSys number is just a calculation, or it's generated by an algorithm based on the PhilSys number, and the relying parties are ????????, and there would be an agreement signed to essentially ??? an agreement, we stand the terms and conditions, but the only difference might be the number of hits that these relying parties ???????. Then of course T2 and T3 involve sharing the age and their response, and that requires much more security. I mean sharing data from the PhilSys system to the relying parties.
The first question that we had was: the memorandum of agreement and the data sharing agreement, can this just be one agreement, or is it two (2) separate agreements? And if it's two separate agreements, is there a sequencing? Or what is the difference, how does PSA treat this, and bear in mind we're trying to make this as simple as possible for the relying parties. So that's the first question.
ATTY:
Thanks Jonathan. Just to be clear, the DPA itself does not provide that the data sharing agreement will be separate from the main agreement, so this can actually be integrated into the main agreement, so the MOA. What is required are the required provisions under the IRR and the DPA, so it's the option of PSA whether to execute separate agreements, but on the part of the DPA it's not a requirement. So that will also go into the question of the sequence: if PSA would opt to execute the two agreements, so the MOA and the DSA, then we should assume that the MOA, being the main agreement, be the first one to be executed, since the DSA will mainly be dependent on the main agreement or the MOA.
Jonathan:
That's very clear to me; as I understand it, the data sharing agreement can be integrated into the MOA.
PSA, do you have any follow-up questions on this issue?
Marc:
Yes Jonathan, on the ????? on our privacy impact assessment, SGV, who conducted the PIA, already gave us the template of the DSA, and on that DSA they stipulated that there should be a master agreement, which I suppose refers to the MOA which we have with the relying party. So are we going for just a MOA, or will we have a separate DSA for this one?
ATTY:
Marc, this is entirely an operational issue, so it's really up to PSA to decide whether you will go with two separate agreements.
Marc:
Noted on that.
Jonathan:
You can integrate the DSA, the template, into the MOA, right? So it can be a section or a chapter of the MOA, and I think from a ???? standpoint it will make sense to have just one agreement, but if you have reasons by which you want to have a master agreement and a separate DSA, that's fine, we can discuss that. Before we move on to the next issue, are there any more questions on this one?
So I just wanted this tiers framework... so this is a work in progress, I want to be clear, and I just want to give you an opportunity to share your feedback, if you have any, as we develop this further for the review of the broader interagency committee on use cases. Otherwise we can move on to the next issue.
USEC Dennis:
Maybe for NPC to comment on: for instance, here in Tier 1, biometric and demographic data would be submitted to PhilSys, but that's part of the transaction. It won't be stored by PhilSys; it's simply used to be able to do the match, a one-to-one match, and the response of PhilSys will either be a yes or a no. So is that considered data sharing of personal information?
ATTY:
In this case, yes, because you will still be transmitting information of the individual.
USEC Dennis:
Alright, and to what extent, for instance, what kind of provisions on data sharing would be required? Or would be in the agreement?
ATTY:
Sorry, it's not clear that there should be a separate agreement on Tier 1 as against the other Tiers.
USEC Dennis:
So I guess the difference between Tier 1 vs Tier 2: in Tier 1 it's a transactional requirement to submit personal info so that the matching will occur, but PhilSys will not be sharing any personal info; it's simply a yes or no response. In Tier 2, PhilSys will be providing the relying party with the personal information on their client, so there's more information, and information is actually coming out; personal information will be provided by PhilSys.
ATTY:
Okay USEC, so that's noted. So just to be clear, relying parties will be categorized, I guess you can see that, as either belonging to Tier 1, Tier 2 or Tier 3, and the provisions of the DSA will be dependent on that nature of relationship.
USEC Dennis:
That's correct, and I would say the relying party could actually upgrade in terms of the tiering, because there would be transactions, for instance, where they would need to be Tier 0 and later on they will need to go up to a Tier 1, and in certain cases, for instance a bank, where they would leverage identity information of PhilSys, they would have to go up to a Tier 2 to be able, for instance, to create, to issue a bank account to a citizen. So that's what we foresee in this scenario.
ATTY:
Okay, we understand. The required provisions, USEC, are still the standard ones in the IRR on data sharing as well as on the issuance of data sharing, so the contents will be the ones that will differ given the specific nature of Tier 1, T2 and T3. So that will be the only difference really, the content of, let's say, the info that will be shared, the storage or retention of those personal data; so really the standard clauses are there, it's really just up to the parties and PSA to fill up those clauses.
USEC Dennis:
Noted on that. So there's no further guidance from NPC; for instance, we noted the agreements could be lighter on Tier 1 vs T2, so what you're saying is that it could be the same provisions?
ATTY:
Yes USEC, it's really up to the parties to determine the provisions, or at least the interfaces of the contract between the two of you, so if it's as simple as collecting data and not storing, and if that's enough to comply with the provisions that are required by the DPA and the IRR, then that's okay. It's really more of just having those basic requirements; then if it's a more complex transaction, it will be up to the parties to determine what provisions should be added into the DSA or into the MOA.
USEC Dennis:
So I think that's important for the PSA to take note of, that it's actually ??? so that we can have a simpler agreement for T1 vs T2, because some of the required provisions would not apply to, for instance, T1, because the risk in the transactions under T1 or T0 would not be there. That's all.
Jonathan:
Thank you so much USEC Dennis, we are on the same page there. And so I think maybe one way to classify this T1, it may not be a DSA, it will be a MOA with elements of data protection requirements and data handling requirements, but we'll resolve this issue as we go along, and I think the principles remain the same. So are there any more issues before I move on to the next issue, which is a bit more complicated?
ATTY:
You mentioned that in T1 there is no data sharing, but I think it would be proper to say that there still is, even if, let's say, PSA will not be storing data given by the relying party, because the relying party still has transferred personal information to PSA to be verified, and that is still considered as sharing data. So like I said earlier, the name of the contract, whether it is a DSA or if the DSA is integrated into the MOA, that's really up to PSA as an operational issue; like I said, the requirements regarding data sharing should be integrated into the contract that would be executed.
JOYCE:
I was just wondering on your last point, Atty. Considering that the function, the authentication function, where the relying party would provide the PSA the other demographic information needed for the authentication, would that not be covered already by the actual PhilSys law? I'm just thinking whether that's necessarily a data sharing, whether it should be seen from a data sharing framework, because that's exactly what the PhilSys law requires PSA to do.
ATTY:
Yes, Senator Joyce, I see your point, but I think yes, it is part of the PhilSys law, but it's still a data sharing in itself, so we require other implementation on the part of the PSA, so that they also have to comply with data sharing requirements under the DPA as well; so there are two laws to be considered, and I think also that PSA wanted to implement the data sharing agreement as a means of security measure, so on the part of the PSA and also on the part of the relying party.
JOYCE:
OK, because if using that principle, for consistency, we might also need to check its applicability to Tier 0, so that's my concern.
Jonathan:
And that issue can be analyzed further, I believe, including by the updated ??? of the PSA, so please take note of that.
So moving on to the 2nd issue, we're proposing this as a question, which is: the really risky data in an ID system is of course biometrics, but it is also the transactional data, where people have authenticated themselves and when and perhaps why; then it becomes a ??22:15?? of information in order to see what banks people use, transactions they're doing, which stores they frequent ??22:25??, etc. One option to reduce this risk is obviously for the PhilSys not to collect identifying data about the relying parties for each transaction, in other words metadata. So that would completely anonymize the transactions; what would be seen is that 'Jonathan M. authenticated himself at this time' but not who the relying party was, and there are a number of different ways this could be done, and we'll discuss this in our meeting on Tuesday. But there is a need for further analysis, just because the law may require this depending on the interpretation, or can this be done in such a way that the information to identify a relying party can be generated when needed, and/or could that... so there are these trusted service providers who are acting as the inter??23:38?? between the relying parties and the PhilSys system itself; could the information on relying parties just be retained by the trusted service provider and not make it back to the PhilSys registry? Or maybe this thinking is going a bit too far, but we wanted to get the views of NPC, if there are any at this point in time, because it would feed into the 3rd point of discussion.
JEROME:
We're seeing an increasing number of countries in ??24:28?? double blind mechanism to make sure the identity provider is not in a position to identify relying parties. It's becoming the best practice in the field of national ID management. So the question here, instead of saying that you should do this, you should do that, is more like to explore ways of setting the ground to adopt this ??25:00??
ADAM:
??25:15??
JEROME:
For those who might still wonder why we do this, why should we add complexity here, the answer is straightforward: because the public is increasingly concerned about all that is related to privacy protection, and that does not only apply to the private sector but also to the national ID agencies themselves. So the less data the latter have, the better and more efficient the communications and the messages that could be sent to the ????.
KELVIN FROM NPC:
So I think as early as when the BIR was being developed this was also discussed, as long as the implementation talk regarding the transaction details, and I do agree that transaction history can be used; majorly, if it is disclosed to an authorized entity it could create a profile that could violate some of the rights of the data subject, so I think there's no hindrance regarding data privacy about this.
Lein:
I just have a question regarding this double blinding. So in this transaction or scheme, will PSA be able to retain the record history provided for in the PhilSys law or the IRR?
Jerome:
We need this again to answer this question.
ADAM:
Just talking from some experience, you can retain transaction histories as long as you've removed from any of those histories anything that's not identified as personal information. Transaction numbers, for example, not ID numbers, so you know that a certain relying party has transacted with you at a particular point in time, and so you can keep that transaction history at a very high level, but you have to strip out any of their personal data, and that's perfectly fine. It's not a reason why you shouldn't keep that, because there will be disputes where a particular relying party will say an individual here transacted with us, authenticated at this point ?????????28:59?????????????.
JEROME:
So this double blind feature doesn't prevent you from storing and building this history; it's all a matter of which agency starts ????29:28??????. It's all about how you manage your data.
Jonathan:
Exactly Jerome. You don't have to keep that transaction all in one place, so it's quite possible to split it so that each ??29:54?? and the transaction, so the requester or the application services to request. So this kind of thing keeps that part of the law. So if there's an investigation required, it then requires special permission as part of the investigation to bring together those laws to build a full picture of the transaction.
JEROME:
So Jonathan is kind enough to flash the relevant part of the IRR to us right now, so of course we will need to ……….. but what I'm seeing here, the requesting entity should be part of the details that should be stored. It all comes down to a pseudonymous identifier and who will manage the correspondence table between the pseudonymous identifier of the requesting entity and the relying party and the identifier information related to the same relying party. And can NPC play a role here, or could it be done by other state agencies, or are there ways to split the governance? That will give the best level of guarantees: if you manage to split the governance on this precise aspect and tell the public that PSA is not in a position to identify the requesting entities at any point in time, then it would give the best guarantee for the public.
ATTY.:
Just to clarify and follow up, let's say there's an individual data subject who wants to see or request from the PSA the transactions made so far using their PhilID; would that still be possible using the double blind scheme?
Jerome:
I do believe so, yes. It makes the process of fetching, collecting, aggregating and displaying data a bit more complex, because you will need to fetch from the databases managed by a number of actors, but technically speaking, yes, it is.
ATTY:
Because one issue that we saw would be the right of the data subject to request their information, since this is a right guaranteed by the DPA, so if it is tampered with by this double blinding scheme then I don't think there will be any privacy issue on it.
Jerome:
It will depend on the definition of personal information: does that cover all transactions, or is it only the personal data of the individual being stored by the national agency? I would need to read the IRR again.
ATTY:
Um, Jerome, this will be what is flashed on the screen, basically, specifically what is mentioned in the law that will be required to be presented to the data subject or the individual if they request it.
ADAM?:
I thought you were hinting at the ??34:05?? part of the IRR.
I don't see why this should be an issue technically, providing that kind of information to the data subject should they request it. The PSA would absolutely know its transactions or history for a particular PhilSys number; there will have been a specific request at a specific time; the only question mark, from a technical issue, is how much do we obscure ?? from the requesting entity. Now that could be completely anonymized as far as PSA is concerned, if you wanted to, and we could then resolve that with the relying parties. So it makes it slightly more difficult to compile data on the individual. Personally I've seen other systems that actually just have a unique number for their relying party. Because they will have a MOA, they will have some agreement with PSA anyway, and you can't anonymize that because it has to be ???? agreement, so the PSA does know who it's transacting with anyway. The question really here is how it is not stored in the system and how we are preventing correlation. So technically I don't see any problem with it.
Jonathan:
I'm sure this is gonna be a discussion over the coming weeks and months, to be honest with you, because I can see huge benefits here and this would be a fantastic privacy preserving measure. The question is whether the additional complexity justifies that, and I want to ask BSP, Joyce and Ceasar, do you have any views at this point in time?
Joyce:
On the double blinding, my issue there is really, again, whether it will hamper the auditability of the KYC undertaken by the bank, should supervision, the supervisor, require that such a transaction has been undertaken. I guess this was answered by Adam earlier, if I'm not mistaken.
Jonathan:
That's a very good question. In addition to what Adam has mentioned, and correct me if I'm wrong, gentlemen, but each eKYC packet is signed. Do you want to explain to Joyce how this would work if BSP needed to do an investigation of one account, or an audit: how could they validate that there was indeed an eKYC transaction?
ADAM:
Exactly. So there are two parts: the digital signature on the data that was sent to the bank, for example, because you can check from that the integrity and the source of the data, so you can be sure that it has come from the PSA and that it has not been tampered with between leaving PSA and being saved, so that's a very high level of trust. Secondly, if you are concerned about the transactional timeliness of the ?? then you can also check when things happened, so you know when and the problems. So I don't see what more you need on the bank side if this transaction is valid.
Jonathan:
So Joyce, this might be something that you may want to consult with your bank supervision team on, how this would work, because I think the compliance element here for the financial sector is crucial. If what we're doing does not align with the practices that are required by the regulator of the financial sector, then obviously there is probably a need for adjustment, so perhaps this is an issue that you might want to raise and see how this would work.
Joyce:
Thanks Jonathan, but as explained by Adam, I think more or less that's the idea; we just have to really validate that the data really came from the PSA or PhilSys and that the data submitted has not been tampered with, so as long as there's that element of assurance, I think that will give the supervisors the level of comfort. And you're right, we still have to check just the same with the supervisors.
Jonathan:
PSA team, do you have some views on this? I want to make clear that there's no need to make a decision right now; what we wanted to get from this discussion is something that should be considered by the IAC, if there were provisions that would prevent this, or if it's something that is strongly recommended, or what not. Are there any other views at this point? USEC Dennis or PSA team?
Marc, we got all the information that we needed to help with moving forward for creating the slides, and this is really helpful. Thank you so much to the NPC and BSP teams.
Marc:
Thanks Jonathan. Basically that's it for this afternoon's call. Anyone who wants to raise anything with regards to the privacy standpoint at this moment?................. Just to give a heads up for NPC and others on the call, we are tentatively scheduling the IAC on use cases and authentication meeting on Tuesday afternoon. We will be sending a link for the meeting of the IAC on use cases and authentication. Thank you.
Dennis:
Just a request: if there are meetings in the next two weeks where you will need us or anybody from the technical team from the PhilSys, schedule it in the morning so there's a possibility we could attend, because we have training sessions, I think, the whole of the next two weeks starting 2:30 pm.