Implementing Rules and Regulations (IRR) were only issued in 2016 and became
enforceable on September 9, 2016. The majority of the provisions are based on the
European Union (EU) data protection directive, including the reform initiatives which
led to the EU General Data Protection Regulation (GDPR). All references to the
Philippines Data Privacy Act (RA 10173) in this article include the IRR and other
relevant issuances. The National Privacy Commission (NPC) is the body mandated to
administer and implement this law. The functions of the NPC include rule-making,
advisory, public education, compliance and monitoring, investigations and
complaints, and enforcement.
In general, the Philippines Data Privacy Act (RA 10173) applies to the processing of
personal data by any natural or juridical person in the government or private
sector. The Act also applies to an act done or practice engaged in, both inside and
outside the Philippines, in the instances described below.
First, when the natural or juridical person involved in the processing of personal
data is found or established in the Philippines.
Secondly, when the processing of personal data is done or engaged in by an entity
with links to the Philippines. This can include, among others, organisations that
have equipment located in the Philippines that is used to process personal data, or
entities that have branches, subsidiaries or affiliates in the country which have
access to that personal data.
The third instance is when the processing of personal data is done in the Philippines.
Lastly, when the processing relates to personal data about a Philippine citizen or
Philippine resident.
The Philippines Data Privacy Act (RA 10173) contains some important definitions,
among them the data subject, the data processing system, data sharing, and the
personal information controller and personal information processor. Personal data
covers both personal information, from which the identity of the individual is
apparent, and sensitive personal information, which includes, among other things,
information issued by government agencies such as tax identification numbers,
social security numbers and similar identifiers. The Act likewise sets out the
general data privacy principles of transparency, legitimate purpose, and
proportionality.
There are also some general principles regarding collection, processing and
retention. One of the most important revolves around consent. Consent must be
time-bound in relation to the declared, specified and legitimate purpose. What
does this mean? Consent cannot be obtained in perpetuity, nor for a use that has
not yet been determined at the time the consent is obtained. Another requirement
is that consent, once given, can be withdrawn by the data subject.
The general principles also state that data sharing shall be allowed in the private
sector if the subject consents to the data sharing. Importantly, consent for data
sharing shall be required even if the data to be shared will be shared with an
affiliate or mother company.
As far as security measures are concerned, there are basically three types:
organisational security measures, physical security measures and technical
security measures. The appropriate level of security is determined against criteria
set out in the Act and the IRR, such as the nature of the personal data, the risks
represented by the processing, and the size of the organisation and the complexity
of its operations, subject to guidelines the NPC may issue.
The Philippines Data Privacy Act (RA 10173) also outlines the rights of the data
subject: the rights to be informed, to object, to access, to rectification, to erasure
or blocking, to lodge a complaint, to damages, and to data portability.
Organisations are required to register their personal data processing system with
the NPC. The data processing system is, in essence, the structure and procedure by
which personal data is collected and further processed.
One of the requirements under the IRR is that the organisation keeps records of all
security incidents and data breaches. At the end of the year, a report with a
summary of these security incidents and data breaches should be submitted to the
NPC.
Another requirement under the Philippines Data Privacy Act (RA 10173) is for the
company to appoint a data protection officer (DPO), who must be an organic
employee of the personal information controller or processor. In addition, a
compliance officer for privacy (COP), which is an individual who performs some of
the functions of a DPO in a related entity or agency, can likewise be designated.
Although the DPO is required to be an organic employee of the company, the DPO's
functions may be outsourced to a third-party service provider, provided the DPO
oversees the outsourced functions and remains the contact person for the personal
information controller or processor.
The organisation should also have data protection policies, which include its
security measures. The Philippines Data Privacy Act (RA 10173) also stipulates that
outsourcing agreements, data transfer agreements or data sharing agreements
must be in place for any disclosure or transfer of personal data to third parties.
Lastly, personnel must be trained regarding the Philippines Data Privacy Act
(RA 10173).
Procedures
The NPC has likewise issued rules of procedure in relation to complaints that may
be filed by affected parties and the process of the proceedings that may be
conducted. Either on its own or because of a complaint, the NPC may conduct an
investigation, and then it can impose administrative fines and penalties. Advisory
opinions may likewise be issued by the NPC in relation to data privacy or personal
data protection.
In addition, the NPC can recommend criminal prosecution to the Department of
Justice. The penalties may include fines plus imprisonment. Thus, an organisation
can be held liable twice over: administratively, through the NPC's fines, and
criminally, through prosecution.
Culture of privacy
Admittedly, the IRR is new. Therefore, the implementation and the enforcement of
the rules have not yet been tested in the courts. There’s no reported case yet but
we understand that the NPC is currently investigating several complaints and has,
in fact, released their findings on some of them. One of the main goals of the NPC,
which they have emphasized from the beginning, is that they want to develop a
culture of privacy in the Philippines.
Republic Act 10173 or The Data Privacy Act of 2012 was approved into law last
August 15, 2012. Here are its salient features:
3. Sets the parameters for when, and on what basis, processing of personal
information is allowed. The basic premise is that the data subject has given
consent. (Sections 12 and 13)
5. The data subject has the right to know whether their personal information is
being processed. The person can demand information such as the source of the
information, how their personal information is being used, and a copy of their
information. One also has the right to request the removal and destruction of one's
personal data, unless there is a legal obligation requiring it to be kept or
processed. (Sections 16 and 18)
6. If the data subject has passed away or become incapacitated, their legal
assignee or lawful heirs may invoke the data subject's data privacy rights.
(Section 17)
9. Heads of government agencies must ensure that their systems comply with this
law, including its security requirements. Off-site access by personnel to sensitive
personal information held in government systems is limited to 1,000 records, and
must be done with proper authority and in a secure manner. (Section 22)
10. Government contractors whose existing or future contracts with the
government involve accessing sensitive personal information from 1,000 or more
individuals must register their personal information processing system with the
National Privacy Commission. (Section 24)
11. Provides penalties (fines of up to PHP 5 million for a combination or series of
acts, per sec. 33) for the following acts involving personal information and
sensitive personal information:
– Unauthorized processing (sec. 25)
– Negligence (sec. 26)
– Improper disposal (sec. 27)
– Unauthorized purposes (sec. 28)
– Unauthorized access or intentional breach (sec. 29)
– Concealment of security breaches (sec. 30)
– Malicious disclosure (sec. 31) and unauthorized disclosure (sec. 32)
If at least 100 persons are harmed, the maximum penalty shall apply (section 35).
The Data Privacy Act (DPA), or Republic Act No. 10173, was passed by the Philippine
Congress in 2012, and its implementing rules took effect four years later, in 2016.
RA 10173 assures the "free flow of information to promote innovation and growth"
(Republic Act No. 10173, Ch. 1, Sec. 2) while protecting individuals' fundamental
right to privacy.
How is it implemented?
The Act applies to any processing of personal data by any person or organisation
in the government or private sector.
All personal data must be collected for a legitimate purpose, and that purpose
must be clear to both the party giving and the party receiving the information.
Accordingly, all collection must be done with the data subject's proper consent.
All personal information used must also be relevant, and used solely for its
intended and stated purposes. Companies must protect customer information from
collection through to proper disposal, preventing access by unauthorized parties.
The Act defines sensitive personal information as personal information:
"(1) About an individual's race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept
classified."
(Republic Act No. 10173, Ch. 1, Sec. ).
What is "consent?"
Consent of the data subject refers to any freely given, specific, informed indication
of will, whereby the data subject agrees to the collection and processing of
personal information about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It may also be given on behalf
of the data subject by an agent specifically authorized by the data subject to do
so (Republic Act No. 10173, Ch. 1, Sec. 3).
The data subject, the individual sharing his or her personal information, has to be
fully informed of several aspects of the data collection process. This list includes,
but is not limited to:
(1) the purpose for which the data will be used
(2) the methods by which it will be accessed
(3) the identity and contact details of the personal information controller
(4) how long the information will be stored
(5) the rights available to the data subject.
What steps do I need to take in compliance with the Act?
Companies essentially have to ensure that their data collection methods comply
with the Act, and that they keep data subjects informed throughout the process,
including notifying them of any breach of security.
To do this, companies should appoint a Data Protection Officer, run privacy
awareness programs, adopt privacy and data protection policies to regulate the
handling of information, and carry out routine assessments to ensure adequate
data protection.
In addition, companies must have a proper procedure for notifying the NPC and
affected customers of a personal data breach.