
The Philippines Data Privacy Act (RA 10173) was enacted in 2012, but the
Implementing Rules and Regulations (IRR) were only issued in 2016 and became
enforceable on September 9, 2016. The majority of the provisions are based on the
European Union (EU) directive, including the reform initiatives that led to the EU
General Data Protection Regulation (GDPR). All references to the Philippines Data
Privacy Act (RA 10173) in this article include the IRR and other relevant issuances.

The National Privacy Commission (NPC) is the body mandated to administer and
implement this law. The functions of the NPC include rule-making, advisory, public
education, compliance and monitoring, investigations and complaints, and
enforcement.

In general, the Philippines Data Privacy Act (RA 10173) applies to the processing of
personal data by any natural or juridical person in the government or private
sector. The Philippines Data Privacy Act (RA 10173) would apply to an act done or
practice engaged in and outside of the Philippines in the instances described below.

First, the natural or juridical person involved in the processing of personal data is
found or established in the Philippines.

Secondly, the Philippines Data Privacy Act (RA 10173) would affect an entity if the
processing of personal data is done or engaged in by an entity with links to the
Philippines. This can include, among others, organisations that have equipment
located in the Philippines that is used to process personal data, or entities that
have branches, subsidiaries or affiliates in the country that have access to that
personal data.

The third instance is if the processing of personal data is done in the Philippines.
Lastly, if the processing relates to personal data about a Philippine citizen or
Philippine resident.

Definitions – Philippines Data Privacy Act (RA 10173)

The Philippines Data Privacy Act (RA 10173) contains some important definitions:
the data subject, the data processing system, data sharing, and the personal
information controller and processor, among others. Personal data includes
personal information, where the identity of the individual is apparent, as well as
sensitive personal information, which covers, among others, information issued by
government agencies such as tax identification numbers, social security numbers
and other related information. The Philippines Data Privacy Act (RA 10173) likewise
describes the general data privacy principles of transparency, legitimate purpose,
and proportionality.

There are also some general principles regarding collection, processing and
retention. One of the most important revolves around consent. Consent must be
time-bound in relation to the declared, specified and legitimate purpose. What
does this mean? You can’t get consent in perpetuity or if it’s for a use that has not
yet been determined at the time consent is obtained. Another requirement is that
consent given can be withdrawn by the data subject.

The general principles also state that data sharing shall be allowed in the private
sector if the subject consents to the data sharing. Importantly, consent for data
sharing shall be required even if the data to be shared will be shared with an
affiliate or mother company.

Security measures for personal data

As far as security measures are concerned, there are basically three types:
organisational security measures, physical security measures and technical
security measures. The NPC can determine the appropriate level of security
based on the following criteria:

1. Nature of the personal data that requires protection;
2. Risks posed by the processing;
3. Size of your organisation and complexity of its operations;
4. Current data privacy best practices; and
5. Cost of implementation of the security measures.

The Philippines Data Privacy Act (RA 10173) also outlines the rights of the data
subject. They have the rights to be informed, object, access, rectification, erasure
or blocking, lodging a complaint, damages and data portability.

Organisations are supposed to register their personal data processing system with
the NPC, which basically is the structure and procedure by which personal data is
collected and further processed.

The IRR mentions four instances where registration is required:

1. If the personal information controller or processor employs at least 250 persons;
2. If less than 250 persons are employed but the processing is not occasional;
3. If less than 250 persons are employed but the processing of the information
might pose a risk to the rights and freedoms of the data subject; and
4. If sensitive personal information of at least 1,000 individuals is processed.

Data breach reporting

One of the requirements under the IRR is that the organisation keeps records of all
security incidents and data breaches. At the end of the year, a report with a
summary of these security incidents and data breaches should be submitted to the
NPC.

A security incident management policy is also required, which basically refers to
policies and procedures implemented to govern the actions to be taken in case of
a security incident or personal data breach. This includes, among others, the
creation of a data breach response team and the implementation of an incident
response procedure.

With regard to reporting of a data breach, the personal information controller is
responsible even if the processing is outsourced or subcontracted to a third party.
As to who is to be notified – it would be the NPC and the affected data subjects.
Notification must take place within 72 hours from knowledge of the personal data
breach. Notification of the breach shall be required when sensitive personal
information, or any other information that may be used for identity fraud, is
reasonably believed to have been acquired by an unauthorised person, and the
personal information controller or the NPC believes that it will give rise to a real
risk of serious harm to the affected data subject.

Appointment of Data Protection Officer

Another requirement under the Philippines Data Privacy Act (RA 10173) is for the
company to appoint a data protection officer (DPO), who must be an organic
employee of the personal information controller or processor. In addition, a
compliance officer for privacy (COP), which is an individual who performs some of
the functions of a DPO in a related entity or agency, can likewise be designated.
Although the DPO is required to be an organic employee of the company, its
functions may be outsourced to a third party service provider, subject to the DPO
overseeing the outsourced functions and remaining to be the contact person for
the personal information controller or processor.

Other things to note

The organisation should also have data protection policies, which include security
measures. The Philippines Data Privacy Act (RA 10173) also stipulates that
outsourcing agreements, data transfer agreements or data sharing agreements
should be in place in relation to disclosure or transfer of personal data to third
parties. Lastly, personnel must be trained regarding the Philippines Data Privacy
Act (RA 10173).

Procedures

The NPC has likewise issued rules of procedure in relation to complaints that may
be filed by affected parties and the process of the proceedings that may be
conducted. Either on its own or because of a complaint, the NPC may conduct an
investigation, and then it can impose administrative fines and penalties. Advisory
opinions may likewise be issued by the NPC in relation to data privacy or personal
data protection.

In addition, the NPC can also recommend criminal prosecution to the
Department of Justice. The penalties may include fines plus imprisonment. Thus,
the organisation can be liable twice, both for the administrative fines and the
criminal prosecution.

Culture of privacy

Admittedly, the IRR is new. Therefore, the implementation and the enforcement of
the rules have not yet been tested in the courts. There’s no reported case yet but
we understand that the NPC is currently investigating several complaints and has,
in fact, released their findings on some of them. One of the main goals of the NPC,
which they have emphasized from the beginning, is that they want to develop a
culture of privacy in the Philippines.

The law covers 3 personas. They are:

- Data subject – an individual whose personal information is being processed.

- Personal information controller – a person or organization who controls the
collection, holding, processing or use of personal information, including a person
or organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf.

- Personal information processor – any natural or juridical person qualified to act as
such under this Act to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
In its declaration of policy, the law states that, although the free flow of
information promotes innovation and growth, it is essential that personal
information in the government’s and private sector’s information and
communications systems are secured and protected.

Personal information is defined as “any information whether recorded in material
form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information.”

It includes facts and figures about a person’s race, ethnic origin, marital status, age,
color and religious, philosophical and political affiliations. Or practically his life
story.

Requirements

The most significant aspects of the law are: the procedures to be followed in the
collection, processing and handling of personal information; the rights of data
subjects; and the creation of a National Privacy Commission.

The law requires information collectors, holders and processors to follow strict
rules on transparency, legitimacy and proportionality in the conduct of their
activities.

Among others, the collection should be conducted for “specific and legitimate
purposes determined and declared before, or as soon as reasonably practicable
after collection, and later processed in a way compatible with such declared,
specified and legitimate purposes only.”

Accuracy, relevance and essentiality of purpose must likewise be observed during
the collection stage.

Inaccurate or incomplete data should be corrected, supplemented, destroyed or
their further processing restricted.

The information can be stored only as long as needed for the purpose
for which it was obtained, or “for the establishment, exercise or defense of legal
claims, or for legitimate business purposes, or as provided by law.”

Once collected, the information can be processed or used only if it is not prohibited
by law and the person who provided the information (or data subject) has given his
consent; if no such consent is given, the processing can still go on provided it meets
the “necessity” test.

Necessary

The data subject’s lack of consent will not bar the processing if it is related to the
fulfillment of a contract with him or in order to take the steps he requested prior
to entering into the contract.

It may also be conducted in the following instances: to comply with a legal
obligation that the information collector has to obey; to protect the data subject’s
vital interests, such as life and health; to respond to the exigencies of a national
emergency or public order and security; and to serve the legitimate interests of the
entity to which the information has been disclosed as long as no constitutional
rights are violated.

In the latter cases, the processing is allowed to continue even in the face of the
data subject’s opposition due to legal considerations (either on the part of the data
subject or the party that collects the information) or in order to serve the greater
interests of the public.

Such liberality, however, is tempered by the rights that the law gives to data
subjects to protect their privacy.

They have the right to know whether their personal information “shall be, are being
or have been processed.”

Before any such data are included in the collector’s information system, or at the
next practical opportunity, they can demand information about, among others, the
purpose for which it is processed, the scope and methodology of the process, the
length of information storage, and the identity of the people to whom their
personal information shall be disclosed.

In case the data subject finds that the information stored in the information system
is incomplete, outdated, false, unlawfully obtained, used for unauthorized
purposes, or no longer necessary, he can demand its withdrawal, blocking or
removal of the subject information.

And if the harm caused to him is grave, he can sue the erring parties for whatever
damages he may have sustained as a consequence of the mishandling or misuse of
his information.

The law lists nine violations that can give rise to fines and prison terms. In what
appears to be a concession to inflationary times, except for two offenses, the
average fine imposable is a minimum of P500,000 and a maximum of P2,000,000.

The task of administering and implementing this law has been assigned to a still to
be created National Privacy Commission, which shall consist of three members: a
Privacy Commissioner who shall act as its chair and two Deputy Privacy
Commissioners. They shall be appointed by the president for a term of three years
and may be reappointed for another term of three years. The members of the
commission have to be experts in information and communications technology and
data privacy.

Although the law is complete in all respects, its implementation will have to await
the promulgation by the commission of its implementing rules and regulations.

Read more: https://business.inquirer.net/79534/data-privacy-act-of-2012#ixzz65ReEtcYB

Salient features of Data Privacy Act of 2012 – Republic Act 10173

By Janette Toral

Republic Act 10173 or The Data Privacy Act of 2012 was approved into law last
August 15, 2012. Here are its salient features:

1. It applies to processing of personal information (section 3g) and sensitive
personal information (Section 3L).

2. Created the National Privacy Commission to monitor the implementation of this
law. (section 7)

3. Gave parameters on when and on what premise can data processing of personal
information be allowed. Its basic premise is when a data subject has given direct
consent. (section 12 and 13)

4. Companies who subcontract processing of personal information to 3rd party
shall have full liability and can’t pass the accountability of such responsibility.
(section 14)

5. Data subject has the right to know if their personal information is being
processed. The person can demand information such as the source of info, how
their personal information is being used, and copy of their information. One has
the right to request removal and destruction of one’s personal data unless there is
a legal obligation that requires it to be kept or processed. (Section 16 and 18)

6. If the data subject has already passed away or became incapacitated (for one
reason or another), their legal assignee or lawful heirs may invoke their data privacy
rights. (Section 17)

7. Personal information controllers must ensure security measures are in place to
protect the personal information they process and be compliant with the
requirements of this law. (Section 20 and 21)

8. In case a personal information controller’s systems or data get compromised, they
must notify the affected data subjects and the National Privacy Commission.
(Section 20)

9. Heads of government agencies must ensure their system compliance to this law
(including security requirements). Personnel can only access sensitive personal
information off-site, limited to 1000 records, in government systems with proper
authority and in a secured manner. (Section 22)

10. Government contractors who have existing or future deals with the
government that involve accessing 1000 or more records of individuals should
register their personal information processing system with the National Privacy
Commission. (Section 25)

11. Provided penalties (up to 5 million as per sec. 33) on the processing of personal
information and sensitive personal information based on the following acts:
– Unauthorized processing (sec. 25)
– Negligence (sec. 26)
– Improper disposal (sec. 27)
– Unauthorized purposes (sec. 28)
– Unauthorized access or intentional breach (sec. 29)
– Concealment of security breaches (sec. 30)
– Malicious (sec. 31) and unauthorized disclosure (sec. 32)

If at least 100 persons are harmed, the maximum penalty shall apply (section 35).

12. For public officers (working in government), an accessory penalty consisting in
the disqualification to occupy public office for a term double the term of criminal
penalty imposed shall be applied. (sec. 36)
The Data Privacy Act (RA 10173): Here’s What You Need To Know

April 11, 2018

Sabina Yulo

Around 2.5 quintillion bytes of data are created daily. We now live in an age where
digital data is part of our daily lives — part of our personalities and identities. Given
this fact, there is a real need to change the way organizations handle data and
workflows to ensure the protection of private information.
All companies handle some form of personal information — from employee to
client to end-user data — therefore all companies are now responsible to protect
the confidentiality, preserve the integrity, and promote the availability of data for
authorized use.
What is The Data Privacy Act of the Philippines?

The Data Privacy Act (DPA), or Republic Act No. 10173 was passed by the Philippines
Congress in 2012 and finally implemented five years later in 2016. RA 10173 assures
the “free flow of information to promote innovation and growth”(Republic Act. No.
10173, Ch. 1, Sec. 2) while protecting the users’ fundamental rights to privacy.
How is it implemented?

RA 10173 protects and maintains the right of customers to confidentiality by setting
a legal list of rules for companies to regulate the collection, handling, and disposal
of all personal information.

Companies are legally responsible for keeping their customers’ data protected from
third parties or any form of misuse, internally or externally.

What does that mean for data collectors/companies?

The Act applies to any processing of personal data by anyone in the government or
private sectors.

All personal data must have legitimate reasons for collection, and those reasons
should be clear to both the party giving and the party receiving the information.
With that being said, all collection must be done with the customers’ proper
consent.

All personal information used must also be relevant and used solely for its intended
and stated purposes. Companies must protect customer information from collection
to proper disposal, preventing access by unauthorized parties.

What is “personal information?”

“‘Personal information’ refers to any information, whether recorded in a material
form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual” (Republic Act. No. 10173, Ch. 1, Sec. 3).
What is “sensitive personal information?”

“(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or current health records, licenses or
its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept
classified.”
(Republic Act. No. 10173, Ch. 1, Sec. ).

What is “consent?”

Consent of the data subject refers to any freely given, specific, informed indication
of will, whereby the data subject agrees to the collection and processing of
personal information about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It may also be given on behalf
of the data subject by an agent specifically authorized by the data subject to do
so (Republic Act. No. 10173, Ch. 1, Sec. 1).

What are the rights of the data subject?

The data subject or the individual sharing his/her personal information has to be
fully informed of several factors of the data collecting process. This list includes,
but isn’t limited to:
(1) the reason for use
(2) methods for access
(3) the identity and contact details of the personal information controller
(4) how long the information will be stored for
(5) access to their rights.
What steps do I need to take in compliance with the Act?

Companies essentially have to ensure that their data collection methods are
flawless as well as consistently share the entire process with data subjects,
including a breach of security, should there be any.
To do this, companies should appoint a Data Protection Officer and create privacy
knowledge programs and privacy and data policies to regulate the handling of
information, as well as routine assessments to ensure quality data protection.
In addition, companies must also have a proper procedure for breach notification
to its customers.

What happens if I do not comply?

Improper/unauthorized processing, handling or disposal of personal information
can be penalized by imprisonment up to six years and a fine of not less than Five
hundred thousand pesos (PHP 500,000).
Sprout Solutions puts data privacy with the utmost priority and takes advanced
measures to maintain confidentiality in information handling.
We encourage all companies to look through the Data Privacy Act and secure the
safety of their own data privacy processes.
Sources:

Republic Act 10173 – Data Privacy Act of 2012. (n.d.). Retrieved April 11, 2018,
from https://privacy.gov.ph/data-privacy-act/#3

The Beginner’s Guide to RA 10173 (Data Privacy Act of 2012). (n.d.). Retrieved April
11, 2018, from https://amihan.net/2017/07/10/beginners_guide_to_ra_10173/

Privacy Tracker | Summary: Philippines Data Privacy Act and implementing
regulations. (n.d.). Retrieved April 11, 2018,
from https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
