AWARENESS SESSION
MARCH 16, 2018
OBJECTIVES
[Timeline figure: 2012, Mar 2016, May 2016, Aug 2016, Sept 2017 – Mar 2018; milestone labels: Mandatory Compliance, Mandatory Registration, DICT]
Data Privacy Principles (data lifecycle):
• Data Collection
• Data Storage & Transmission
• Data Usage
• Disclosure and Distribution/Sharing
• Data Retention and Disposal/Destruction
TERMINOLOGIES
Concept: Processing
ECOSYSTEM
• The Data Subject provides personal data to the Personal Information Controller (PIC).
• The PIC outsources the processing to the Personal Information Processor (PIP).
• The PIC shares data with Third Parties; the PIP may sub-contract the processing.
Types of data in the ecosystem:
• Personal Information
• Sensitive Personal Information
• Privileged Information
TYPES OF DATA

Personal information
► Information, whether recorded in a material form or not, from which the identity of an individual:
  ► is apparent, or
  ► can be reasonably and directly ascertained by the entity holding the information, or
  ► when put together with other information would directly and certainly identify an individual. (IRR)
► Name
► Home address
► Phone number

Sensitive personal information
► Personal information whose leakage could impact the material well-being of an individual (EU GDPR).
► Race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation.
► Health, education, genetic or sexual life, offenses committed or alleged, disposal of such, or sentences of any court.
► Issued by any government agency peculiar to an individual, such as SSS numbers, previous and current health records, licenses, denials, suspension or revocation, and tax returns.
► Specifically established by an executive order or an act of Congress to be kept classified. (IRR)

Privileged information
► Any and all forms of data which under the Rules of Court or other pertinent laws constituted privileged communications. (IRR)
► Attorney-client privileged information
► Doctor-patient privileged information
KNOWLEDGE CHECK
Data: PI or SPI or N/A?
Consent
Under R.A. 10173, your personal data is treated almost literally in the same
way as your own personal property. Thus, it should never be collected,
processed and stored by any organization without your explicit consent,
unless otherwise provided by law.
Right to be Informed
As a data subject, you have the right to be informed that your personal data will be, are being, or were,
collected and processed.
The Right to be Informed is a most basic right, as it empowers you as a data subject to consider other
actions to protect your data privacy and assert your other privacy rights.
RIGHTS OF DATA SUBJECT
Access
Under the Data Privacy Act of 2012, you have a right to obtain from an
organization a copy of any information relating to you that they have on their
computer database and/or manual filing system. It should be provided in an
easy-to-access format, accompanied with a full explanation executed in plain
language.
Object
Your consent is necessary before any organization can LAWFULLY collect and process your
personal data. Without your consent, any such collection and processing of personal
information by any organization can be contested as unlawful or ILLEGAL, and the organization would
therefore be answerable under the Data Privacy Act of 2012.
The right to object is most specifically applicable when organizations or personal information controllers
are processing your data without your consent.
RIGHTS OF DATA SUBJECT
Erase or Blocking
Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of
your personal data. You can exercise this right upon discovery and substantial proof of the following:
Write or speak to the organization which mishandled your personal information to see if you can
reach an agreement and claim compensation.
If you feel that your concern has not been satisfactorily addressed, you should write to the
organization and inform them of your intent to take the matter to the court, before you start court
proceedings. Talk to a legal adviser if you want to make a claim in court.
If you feel that your personal information has been misused, maliciously disclosed, or improperly
disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint
with the NPC.
RIGHTS OF DATA SUBJECT
Data Portability
Data portability allows you to obtain and electronically move, copy or transfer your data in a secure
manner, for further use. It enables the free flow of your personal information across the internet and
organizations, according to your preference. This is important especially now that several organizations
and services can reuse the same data.
CONSENT FORM
COMPLIANCE: Data Breach Notification

Breach response flow:
1. Breach
2. Awareness of breach
3. Investigate breach
4. Notify NPC and local authorities (if likelihood of risk to individuals)
5. Notify data subject/s (if likely to result in risk to individuals)
Timing: without undue delay (no later than 72 hrs).

► Data processors must report personal data breaches to FPH through its Data Breach Response
Team (DBRT).
► First Balfour must report personal data breaches to NPC, local authorities and, in some cases,
affected data subjects.
► First Balfour maintains a personal data breach tracker.
► Depending on the nature of the incident, or if there is delay or failure to notify, NPC may
investigate the circumstances surrounding the personal data breach. Investigations may include
on-site examination of systems and procedures.
Improper Disposal of:
Offense | Fine (PHP) | Imprisonment
a. Personal Information | 100 thousand to 500 thousand | 6 months to 2 years
b. Sensitive Personal Information | 100 thousand to 1 million | 1 year to 3 years
Data Collection
Employees → Employment Requirements → Employer
Can the employer collect both the personal information and sensitive personal information?
Lawful Processing
The processing involves the personal information of a data subject who is a party to a contractual agreement and
the processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a
public authority (e.g., BIR, SSS, Pag-IBIG and PhilHealth). Meanwhile, the processing of the sensitive personal
information is provided for by existing laws and regulations, thus no consent is needed for the aforementioned
government-issued IDs.
SCENARIO
Data Storage
Employee → Address → System Limitation
Can the Company continually refuse the updating request of its employee?
Right to Rectification
The Company should rightfully update the inaccurate home address of its customer as requested.
SCENARIO
Data Sharing
Fun Run → Consent → Company
Can the personal data be used and shared by the Company with its sister company?
Data Usage
Personal data must be used only for the purpose to which the data subject consented. The Data Subject must be
informed of, and explicitly consent to, the sharing of his/her data with a third party for direct marketing purposes.
FAQs
Q: What procedural changes do I expect from First Balfour in compliance with Data Privacy Act?
A: Changing of IDs, consent forms to be given out, and strengthening of controls on the IT side.
Q: Are we allowed to access social media, download pictures of whoever we want and publish them, even
for a good purpose?
A: Social media is a public platform. Yes, we can view and download available media, but using them for
purposes outside of what is typically associated with the use of social media platforms, without the consent
of the owner, is not allowed.
Q: What if I don’t want to sign the consent forms being distributed by HR as part of Data Privacy
compliance?
A: It may result in a delay in the processing of your data (i.e. payroll), since the company has to develop special means
to cater to exemptions.
Q: How about publication? Can media telecast or publish an article about me (i.e. accident, crime-related,
events), regardless of whether it is good or bad, without my consent?
A: There are exemptions to the Data Privacy Act. For historical, statistical, or journalistic purposes, consent is
typically not required even if the information is sensitive. It is still expected, however, that the data is treated
Q: Is someone spreading fake news on me in social media covered by data privacy? Is this something I can
report to NPC?
A: This is covered by the Cybercrime law, which is outside the scope of the NPC.
Q: Can the public (still) demand the private records of a politician because of this law (i.e. SALN)?
A: This is covered by the Freedom of Information Act; this law does not enable it. However, it does exempt a
public official's records as long as they are related to their employment with the government.
Q: Can I complain directly to NPC for my non-work data privacy related concern? If yes, how?
A: Yes. Go to NPC website (https://privacy.gov.ph/mechanics-for-complaints/). However, NPC will ask whether
you have tried to resolve any issues with the data processor first before they entertain any complaints.
For more information visit:
www.privacy.gov.ph