
The Beginner's Guide to RA 10173 (Data Privacy Act of 2012)

In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known as the Data
Privacy Act (DPA) of 2012. Five years later, the DPA's Implementing Rules and Regulations were
put into effect on September 9, 2016, mandating all covered companies to comply.

The act is a necessary and important precaution in a world economy that is swiftly going digital. In
2014, it was estimated that 2.5 quintillion — or 2.5 billion billion — bytes of data were created
every day. This includes unprecedented knowledge about what real individuals are doing, watching,
thinking, and feeling.

Companies must be held accountable not only for what they do with customer data — but also for how they
protect that data from third parties. The past few years of security breaches, system errors, and ethical
scandals within some of the country's major banks have reminded us that there is much work to be
done.

So, where should institutions begin if they want to comply with RA 10173 and be proactive about their
consumers' digital privacy?

What is RA 10173?
RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of personal
information that is (1) private, not publicly available; and (2) identifiable, where the identity of the
individual is apparent either through direct attribution or when put together with other available
information.

What does this entail?

First, all personal information must be collected for reasons that are specified, legitimate, and
reasonable. In other words, customers must opt in for their data to be used for specific reasons that
are transparent and legal.

Second, personal information must be handled properly. Information must be kept accurate and
relevant, used only for the stated purposes, and retained only for as long as reasonably needed.
Companies must be active in ensuring that other, unauthorized parties do not have access to their
customers' information.

Third, personal information must be discarded in a way that does not make it visible and accessible
to unauthorized third parties.

Unauthorized processing, negligent handling, or improper disposal of personal information is
punishable with up to six (6) years in prison or up to five million pesos (PHP 5,000,000), depending
on the nature and degree of the violation.

Who needs to register?

Companies with at least 250 employees or access to the personal and identifiable information of at
least 1,000 people are required to register with the National Privacy Commission and comply with
the Data Privacy Act of 2012. Some of these companies are already on their way to compliance —
but many more are unaware that they are even affected by the law.

How do I remain in compliance with the Data Privacy Act?

The National Privacy Commission, which was created to enforce RA 10173, will check whether
companies are compliant based on five elements:
1. Appointing a Data Protection Officer
2. Conducting a privacy impact assessment
3. Creating a privacy knowledge management program
4. Implementing a privacy and data protection policy
5. Exercising a breach reporting procedure
