
DPA, DPO and Government
Ivy D. Patdu, MD, JD
Deputy Privacy Commissioner
NATIONAL PRIVACY COMMISSION
Right to Privacy
Which of the following will you be willing to share with someone you just met?
• Home Address
• Diary
• Credit Card Billing Statement
• Browsing History
• Phone Messages
• Facebook Password
WHO IS WATCHING YOU?
What can you “buy” with your personal data?

90% of the world’s data have been generated only in the last few years.
SINTEF, Big Data, for better or worse: 90% of world's data generated over last two years (May 22, 2013) available at https://www.sciencedaily.com/releases/2013/05/130522085217.htm (last accessed Dec. 27, 2016).
“In this digital era, information is the currency of power – valuable, coveted, but at a very high risk.”
-Senator Edgardo Angara, sponsorship speech for the Data Privacy Act
RIGHT TO INFORMATION PRIVACY
The individual’s ability to control the flow of information concerning or describing him, which however must be overbalanced by legitimate public concerns. To deprive an individual of his power to control or determine whom to share information of his personal details would deny him of his right to his own personhood.
Dissenting Opinion of Justice Consuelo Ynares-Santiago in G.R. No. 167798 Kilusang Mayo Uno, et al., v. The Director General, National Economic Development Authority, et al., and G.R. No. 167930 Bayan Muna Representatives Satur C. Ocampo, et al., v. Eduardo Ermita, et al. (19 April 2006)
Data Privacy Act
[Diagram: Data Privacy; Free Flow]
It is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth.
Scope of the Data Privacy Act
[Diagram: Data Subjects; PEOPLE; Those who process Personal Data; National Privacy Commission; GOVERNMENT; Processing of Personal Data]
Data Privacy Act applies to the processing of personal data by any natural and juridical person in the government or private sector.
Which are personal data?
A. “Man born on June 19, 1861”
B. “Philippine national hero born on June 19, 1861”
C. “Jose Protacio Rizal”
D. [picture]
Jose Rizal, available at https://en.wikipedia.org/wiki/Jos%C3%A9_Rizal
DATA PRIVACY ACT
• Data Privacy Principles
• Security Measures
• Uphold Rights of Data Subject

DATA PRIVACY PRINCIPLES


TRANSPARENCY

LEGITIMATE PURPOSE

PROPORTIONALITY
Rights of Data Subjects
1. Right to Information
2. Right to Object
3. Right to Access
4. Right to Correct
5. Right to Erase
6. Right to Damages
7. Right to Data Portability
8. Right to File a Complaint
CLEAR
• CONSENT refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her
• The consent shall be evidenced by written, electronic or recorded means.
TAXES
Sometimes, Consent is NOT necessary.
So, you want to buy a dog? Fill in the form please.

Application to Buy a Dog
• Name:_____________
• Birthday:___________
• Address:___________
• TIN No.:____________
• SSS No.:____________
• PRC ID No.:__________
• No. of Cars owned:___
• Father’s name:_______
• Mother’s maiden name:_____________

SECURITY MEASURES
ORGANIZATIONAL SECURITY MEASURES
Data Protection Officer
THE DPO SHOULD POSSESS SPECIALIZED KNOWLEDGE AND DEMONSTRATE RELIABILITY NECESSARY FOR THE PERFORMANCE OF HIS OR HER DUTIES AND RESPONSIBILITIES.
• Expertise in relevant privacy or data protection policies and practices
• Understanding of the processing operations being carried out by the PIC or PIP
• Knowledge of Sector
Picture from http://www.computerweekly.com/news/450402719/GDPR-will-require-75000-DPOs-worldwide-study-shows
Privacy Impact Assessment
• Personal Data Flow
• Source and Collection
• Accountable and responsible persons
• Purpose of processing
• Personal Data Processing
• Security measures
• Transfer outside country
• Identify and Assess Privacy Risks
• Privacy Risk Identification
• Privacy Risk Analysis
• Privacy Risk Evaluation (Level of Impact and Likelihood of Risks)
• Address risks
CREATE YOUR DATA PRIVACY MANUAL
• Records of Processing Activities
(1) Purpose of processing
(2) Data subjects and Type of Data
(3) Data flow
(4) Security measures
(5) Contact persons
• Data Protection Policies and Security Measures
• Rights of Data Subject
• Regular review and Monitoring
TRAINING AND CAPACITY BUILDING

Villupuram nurses jump on to technological bandwagon at http://www.thehindu.com/news/national/tamil-nadu/villupuram-nurses-jump-on-to-technological-bandwagon/article5699852.ece

PHYSICAL SECURITY MEASURES


Records room and work stations should have limited access.
Innovative Electronic Medical Record System Expands in Malawi (2014) available at http://www.cdc.gov/globalaids/success-stories/innovativemalawi.html (last accessed June 20, 2016).
http://www.scmp.com/news/hong-kong/politics/article/2082566/laptops-containing-37-million-hong-kong-voters-data-stolen
Secure against natural disasters, power disturbances, external access, and other similar threats.

Picture available at http://www.symbianize.com/showthread.php?t=706016&page=3



TECHNICAL SECURITY MEASURES


Technical Security Measures
• There is a need for security measures that can easily be implemented to strengthen data processing systems.
Available at http://thehackernews.com/2017/01/ransomware-hotel-smart-lock.html
Technical Security Measures

• SECURITY POLICY, SYSTEM MONITORING
• SAFEGUARDS: ENCRYPTION, AUTHENTICATION PROCESS
• INCIDENT RESPONSE, CORRECT AND MITIGATE BREACH, RESTORE SYSTEM
What should the notification contain?
1. Nature of breach
2. Personal data involved
3. Measures taken by the entity to address breach
4. Measures taken to reduce harm or consequences of breach
5. Representatives of PIC from whom the data subjects can inquire about the situation
6. Assistance to be provided
WHY SHOULD PERSONAL DATA BE PROTECTED?
| CRIME | | IMPRISONMENT | FINE |
|---|---|---|---|
| Processing of Personal/Sensitive Information for Unauthorized Purpose | Processing information when purpose not authorized | 1yr 6mos – 7 years | Php500,000 to Php2,000,000 |
| Access to Personal/Sensitive Information due to Negligence | Persons who provide access due to negligence shall be liable | 1-6 years | Php500,000 to Php4,000,000 |
| Concealment of Security Breach | Duty to notify Privacy Commission in case of breach | 1yr 6mos – 5 years | Php500,000 to Php1,000,000 |
| Improper Disposal | Negligently dispose, discard or abandon personal data of an in an area accessible to the public or placed in its container for trash collection. | 6 months – 3 years | Php 100,000 to Php 1,000,000 |
Available at https://www.avvo.com/legal-answers/can-i-sue-my-bank-for-privacy-violation---748378.html
Four people nabbed in Recto for producing counterfeit documents
Gerg Cahiles, CNN Philippines, Four people nabbed in Recto for producing counterfeit documents, available at http://cnnphilippines.com/incoming/2017/02/16/Four-people-nabbed-in-Recto-for-producing-counterfeit-documents.html (accessed Mar. 25, 2017)
Blacklisted workers win £10m payout from construction firms
“During 2008/09 the ICO carried out an investigation into employment blacklisting in the construction industry. As part of that investigation, the ICO seized information from a company called The Consulting Association. Some of the information we seized amounted to a 'blacklist' of individuals who were considered to pose a risk to their employers if employed within the construction industry.”
1. Terry Macalister, Blacklisted workers win £10m payout from construction firms (May 9, 2016) available at https://www.theguardian.com/business/2016/may/09/blacklisted-workers-win-10m-payout-from-construction-firms (last accessed 2/21/17).
2. Information Commissioner’s Office, Blacklist, available at https://ico.org.uk/for-the-public/construction-blacklist/ (last accessed 2/21/17).
Cybercrime-based attacks remain the number one cause of data breaches, and they were up 5% to 50% this year, the report says. The rest were rooted in insider woes: 41% via a lost or stolen device and 36% via an “unintentional” employee act. Around 13% cite a malicious insider attack.
Kelly Jackson. Healthcare suffers estimated 6.2 Billion in Data Breaches. Available at http://www.darkreading.com/threat-intelligence/healthcare-suffers-estimated-$62-billion-in-data-breaches/d/d-id/1325482
Available at http://www.independent.co.uk/life-style/health-and-families/health-news/hiv-status-of-nearly-800-patients-accidentally-disclosed-by-nhs-clinic-10482655.html (last accessed Jan.11, 2017).
A Violation of Privacy is an affront to Human Dignity
Unauthorized use or disclosure may put data subjects at risk for unwanted publicity, discrimination, identity theft and other acts prejudicial to the data subjects.
We are only a little over halfway through 2016, and yet according to the latest IBM X-Force data, 200 million government records worldwide were already compromised by July 31 of this year. That’s nearly 60 million more than all the records compromised from 2013 through 2015 — combined
https://securityintelligence.com/government-data-woes-2016-compromised-records-surpass-total-for-last-three-years-combined/ last accessed 4/1/2017
GOVERNMENT GOAL
Benefits
Harms
National Privacy Commission Issuances
• 16-01 SECURITY OF PERSONAL DATA IN GOVERNMENT AGENCIES
• 16-02 DATA SHARING AGREEMENTS INVOLVING GOVERNMENT AGENCIES
• 16-03 PERSONAL DATA BREACH MANAGEMENT
• 16-04 RULES OF PROCEDURE OF THE NATIONAL PRIVACY COMMISSION
• Advisory 17-01 DESIGNATION OF DATA PROTECTION OFFICERS
In August, 2016, in a report titled “Data Danger Zones”, the Philippines is ranked as No. 143 out of over 170 nations evaluated on the ability “to keep digital information safe, private and secure.”
Available at http://www.telecomasia.net/content/only-four-asian-nations-safe-data-storage
THE PHILIPPINES IS COMMITTED TO PRIVACY AND DATA PROTECTION IN THE GLOBAL DIGITAL ECONOMY
Embracing a Privacy Culture
Source of picture: available at http://www.pmcgregor.com/building-habits-keeping-them/
Thank you!
