Philippines Philippines SIM registration cyberlibel NPC

Philippines' Draft Privacy Circular Right-Sizes ID Collection for Discount Programs

NPC's draft data-minimization rules for senior, PWD, and solo-parent discounts curb overcollection without weakening fraud checks.

Sizing the Discount-ID Data Trail People of Internet Research · Philippines 2.5M+ Registered PWDs (Jun 2025) Up 35% in one year, per NCDA/DOH d… 20% Senior citizen discount rate Plus VAT exemption on covered good… 10% Solo parent discount rate Plus VAT exemption on child necess… +13.9% PH ID theft cases, YoY rise 2023 increase amid wider concern o… peopleofinternet.com
Sizing the Discount-ID Data Trail People of Internet Research · Philippines 2.5M+ Registered PWDs (Jun 2025) 20% Senior citizen discount rate 10% Solo parent discount rate +13.9% PH ID theft cases, YoY rise peopleofinternet.com

Key Takeaways

A narrow fix for a widespread habit

The National Privacy Commission's public consultation on its draft Guidelines on the Processing of Personal Data for the Availment of Statutory, Government-Mandated, and Other Special Privileges closed on 16 June 2026, following an online consultation session held 25 June. The draft, posted on privacy.gov.ph, targets a practice most Filipinos have experienced without thinking about it: the cashier who photocopies a full senior citizen ID, or the online form that demands a scanned image of a PWD card before a discount is applied.

The circular covers three statutory discount regimes — the 20% VAT-exempt discount for senior citizens under Republic Act 9994 (2010), the parallel discount for persons with disability under RA 10754, and the 10% VAT-exempt discount on child necessities for qualifying solo parents under RA 11861 (2022). Each requires presenting an ID at point of sale; none requires businesses to build a permanent photo archive of that ID. The draft circular's core move is to say so explicitly: any copy or image of an ID that a business retains must be the minimum necessary for the purpose — chiefly, enabling referral or audit — not a default scan-and-store step bolted onto every transaction.

Why businesses started doing this

The steelman case for current practice is real. Establishments granting these discounts are required under joint administrative orders like JAO 24-02 (2024) to log the discount recipient's name and ID number in their official sales records, both to prove eligibility if challenged and to support tax documentation — retailers claiming VAT-exempt sales need a paper trail for BIR audits. Online and phone-order retailers, expanded during the pandemic-era shift to remote purchasing for basic necessities, went further, asking customers to upload a scanned copy or screenshot of their ID at checkout, reasoning that without in-person verification, a photo is the only fraud check available. Given how often discount fraud shows up in retail-compliance discussions — shared IDs, expired cards, borrowed credentials — the instinct to over-verify is understandable, not malicious.

But the scale involved makes the accumulation risk hard to ignore. The National Council on Disability Affairs reported more than 2.5 million registered PWDs as of June 2025, up 35% from 1.8 million a year earlier, with all 17 regions showing growth. Add several million OSCA-registered senior citizens and a fast-growing pool of solo parents newly covered since RA 11861 took effect in 2022, and the discount system generates a very large number of ID-presentation events every day — supermarkets, pharmacies, transit counters, e-commerce checkouts. If even a fraction of those transactions end in a retained photocopy or image file sitting on a merchant's POS system or cloud drive, that is a meaningful, decentralized store of government ID data, held by parties with far less security investment than a bank or telco. This sits against a backdrop of rising identity-theft exposure nationally — Philippine authorities have flagged a 13.9% year-on-year increase in reported ID-theft cases in 2023, part of the same debate that has pushed senators to propose encoding, rather than printing, sensitive data on the national ID.

The right shape of regulation

What makes the NPC's draft worth defending is what it does not do. It doesn't ban ID verification, override JAO 24-02's audit-record requirements, or tell businesses they can't ask a senior citizen for proof of age. It regulates the back end — what gets kept after the transaction, not whether the check happens at all. That is the correct target: the privacy harm isn't the momentary glance at an ID, it's the unmanaged accumulation of copies nobody needs six months later. A blunter rule — say, banning any ID copy or photograph outright — would have forced merchants back onto manual, error-prone verification and likely increased disputes over eligibility, without meaningfully reducing the data actually at risk, since sales records with names and ID numbers would still exist under BIR rules regardless.

The copy or image of an ID retained shall be the minimum necessary to enable referral — not a default archive of every discount transaction.

The open question is whether the final circular gives businesses a bright line or leaves them guessing. "Minimum necessary" is the right principle, but principle without a retention limit — a specified number of days, or "until the transaction is closed out and reconciled," for instance — invites the opposite failure mode: compliance officers at national retail chains erring toward keeping everything longer, precisely because "minimum necessary" is unfalsifiable without a deadline. NPC should pair the minimization principle with (a) an explicit maximum retention window tied to the BIR audit cycle, and (b) a clear statement that logging name-plus-ID-number in the sales record, as JAO 24-02 already requires, fully satisfies the audit function — so retailers stop treating a scanned image as a belt-and-suspenders backup. Get that specificity into the final text, and this becomes a genuinely exportable model: narrow, proportionate, and aimed at the actual point of failure rather than the underlying verification requirement itself.

Sources & Citations

  1. NPC draft circular — Availment of Privileges
  2. DOE — JAO 24-02 discount rules
  3. RA 11861 — Expanded Solo Parents Welfare Act
  4. RA 9994 — Expanded Senior Citizens Act
  5. Inquirer — Registered PWDs in PH now at 2.5M
  6. Biometric Update — PH ID theft and PhilSys reform