
INFORMATION RESOURCE MANAGEMENT
AY 2017 - 2018
CHAPTER 3 - PRIVACY AND INFORMATION SECURITY

National Privacy Commission
* is the country's privacy watchdog;
* an independent body mandated to administer and implement the Data Privacy Act of 2012,
* monitors and ensures compliance of the country with international standards set.

Under RA 10173, people whose personal information is collected, stored, and processed are called data subjects.
Organizations that deal with your personal details, whereabouts, and preferences are duty-bound to observe and respect your data privacy rights.

Data Privacy Rights:
The right to be informed
The right to access
The right to object
The right to erasure or blocking
The right to damages
The right to file a complaint
The right to rectify
The right to data portability

The right to be informed
* Your personal data is treated almost literally in the same way as your own personal property.
* It should never be collected, processed and stored by any organization without your explicit consent.
* As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.
* This right also requires personal information controllers (PICs) to notify you, in a timely manner, if your data have been compromised.
* It is the most basic right, as it empowers you as a data subject to consider other actions to protect your data privacy and assert your other privacy rights.

To protect your privacy, the Philippine data privacy law explicitly requires organizations to notify you and furnish you with the following information before they enter your personal data into any processing system:
* Description of the personal data to be entered into the system
* Exact purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)
* Basis for processing, especially when it is not based on your consent
* Scope and method of the personal data processing
* Recipients, to whom your data may be disclosed
* Methods used for automated access by the recipient, and its expected consequences for you as a data subject
* Identity and contact details of the personal information controller
* The duration for which your data will be kept
You also have to be informed of the existence of your rights as a data subject.

In recording a conversation or interview with someone, it is enough to verbally ask for direct consent from an individual data subject. If the subject yields, it would be useful to also mention as part of the recorded conversation that the subject knows the conversation is being recorded and that you asked for and were given consent. It would be even better if you could get the subject to verbally confirm his consent.
E.g., phone banking

The right to access
* Your right to find out whether an organization holds any personal data about you and, if so, to gain reasonable access to them.
* You may also ask them to provide you with a written description of the kind of information they have about you as well as their purpose/s for holding them.

You may demand to access the following:
* The contents of your personal data that were processed.
* The sources from which they were obtained.
* Names and addresses of the recipients of your data.
* Manner by which they were processed.
* Reasons for disclosure to recipients, if there were any.
* Information on automated systems where your data is or may be available, and how it may affect you.
* Date when your data was last accessed and modified.
* The identity and address of the personal information controller.

How to exercise your right to access your personal data
* Execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written request.
* Prepare to provide evidence of your identity to ensure that information is not given to the wrong person.
* If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC. Before doing so, you must inform the organization and its DPO of your intention to formally complain to the NPC.

Some exceptions may disallow the exercise of an individual's right to access. This is to balance the right to privacy of an individual versus the needs of civil society. Here are some examples:
* A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation.
* You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such communication is subject to legal privilege in court.
* Your right to access your own medical and psychological data may be denied you in the rare instance where it is deemed that your health and well-being might be negatively affected.

The right to object
* Consent is necessary before any organization can LAWFULLY collect and process your personal data.
* In case you already gave your consent by agreeing to an organization's privacy notice, you can withdraw consent if the personal information processor decided to amend said notice. In fact, the personal information processor has the obligation to notify you of changes to their privacy notice and must explicitly solicit your consent once again.

Application of right to object:
* Direct marketing purposes
* Profiling purposes
* Automated processing purposes

How to exercise your right to object?
* verbally
* written then to DPO
* if request is not granted, you may file a formal complaint to NPC

Personal data collectors and processors must stop processing your data when you assert your right to object unless they can cite legitimate grounds for overriding it such as the following:
* When the personal data is needed pursuant to a subpoena.
* When the collection and processing are for obvious purposes such as in contracts where you are a party.
* When the information being collected and processed is due to a legal obligation on the part of the Personal Information Controller (such as for employment records purposes).

The right to erasure or blocking
Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data.

You can exercise the right to erasure or blocking on the following:
* Your personal data is incomplete, outdated, false, or unlawfully obtained.
* It is being used for purposes you did not authorize.
* The data is no longer necessary for the purposes for which they were collected.
* You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
* The data concerns information prejudicial to the data subject unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by court of law).
* The processing is unlawful.
* The personal information controller, or the personal information processor, violated your rights as data subject.

How to exercise your right to erasure or blocking?
* Make a written request to the DPO.
* If not properly addressed, then file a complaint with the NPC, attaching your letter to the DPO.

The right to damages
You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.

How to exercise your right to damages?
* Speak to the organization that mishandled your information to see if you can reach an agreement; otherwise,
* write to the organization and inform them of your intent to take the matter to court.
* The NPC has no role in dealing with compensation claims; they can only assess the situation.

The right to file a complaint with the National Privacy Commission
If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed of, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.

The right to rectify
You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should ensure your access to and receipt of both the new and the retracted information. PICs should also furnish third parties with said information, should you request it.

How to exercise your right to rectify?
* If the organization has no system for data rectification, write a request to the DPO.
* Attach documents to support your claim.
* If the organization already has a system for data rectification, accomplish only the needed forms, e.g. SSS Form E or the Member Data Change Request Form.

The right to data portability

This right assures that YOU remain in full control of YOUR data. Data
portability allows you to obtain and electronically move, copy or
transfer your data in a secure manner, for further use. It enables the
free flow of your personal information across the internet and
organizations, according to your preference. This is important especially
now that several organizations and services can reuse the same data.
Data portability allows you to manage your personal data in your
private device, and to transmit your data from one personal
information controller to another. As such, it promotes competition
that fosters better services for the public.

Example:
If you want to close your Facebook account and leave the service, or simply feel like you've shared a lot of information about your life and want a backup of all your Facebook data, you may exercise your right to data portability.

How to exercise your right to data portability?
Various online platforms have been making data portability an available and instant option for their users. For instance, Facebook enabled its users to readily download all their personal content and information, including wall posts, status updates, photos, videos, and conversation threads.

Transmissibility of Data Subject Rights:
* You can assign your rights as a data subject to your legal assignee or lawful heir. Similarly, you may assert another person's rights as a data subject, provided he or she authorized you as a legal assignee.
* You may also invoke another person's data privacy rights after his or her death if you are his or her legal heir. This same principle applies to parents of minors, or their legal guardian, who are responsible for asserting their rights on their behalf.
* This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical research.

The Practical Need for Transmissibility of Right
An individual's personal data lives on even after his death. As such, they could still be subject to privacy violations, whether intentional or otherwise. The Data Privacy Act of 2012 included this provision to protect their privacy rights through a living person willing to assume the responsibility on their behalf.
The transmissibility of data privacy rights has been extended to living adults who are unable to protect their own rights and wish to assign the responsibility to someone else.

How to execute?
Data subjects who are alive but incapacitated, or for some reason unable to assert their own personal privacy rights, and who wish to authorize a legal assignee to act as their proxy may do so by executing a legal notice to that effect, such as through a Special Power of Attorney.

In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care.
