Glenn A. Asuncion
MSIT
Systems Security
Ethics and Information Systems Security
The key difference between laws and ethics is that laws carry the authority of a
governing body, and ethics do not. Ethics, in turn, are based on cultural mores.
Organizational Liability and the Need for Counsel
The Data Privacy Act is broadly applicable to individuals and legal entities that
process personal information, with some exceptions. The law has extraterritorial
application: it applies not only to businesses with offices in the Philippines, but
also where equipment based in the Philippines is used for processing. The act further
applies to the processing of the personal information of Philippine citizens
regardless of where they reside.
One exception in the act provides that the law does not apply to the processing of
personal information in the Philippines that was lawfully collected from residents
of foreign jurisdictions, an exception helpful for Philippine companies that offer
cloud services.
Data Privacy Act of 2012
* Consent must be “freely given, specific, informed,” and the definition further
requires that consent to collection and processing be evidenced by recorded
means. However, processing does not always require consent.
* Consent is not required for processing where the data subject is party to a
contractual agreement and the processing is for the purpose of fulfilling that contract.
Further exceptions are available for compliance with a legal obligation upon the data
controller, protection of the vital interests of the data subject, and response to a
national emergency.
* An exception to consent is allowed where processing is necessary to pursue the
legitimate interests of the data controller, except where overridden by the
fundamental rights and freedoms of the data subject.
The law requires that any entity involved in data processing and
subject to the act must develop, implement and review procedures
for the collection of personal data, obtaining consent, limiting
processing to defined purposes, access management, providing
recourse to data subjects, and appropriate data retention policies.
These requirements necessitate the creation of a privacy program.
The act's requirements for technical security safeguards likewise
mean that an entity must have a security program.
The law enumerates rights that will be familiar to privacy professionals, as they relate to
the principles of notice, choice, access, and accuracy and integrity of data.
* The Philippine law appears to contain a "right to be forgotten" in the form of a right to
erasure or blocking, under which the data subject may order the removal of his or her personal
data from the filing system of the data controller. Exercising this right requires "substantial
proof," and the burden of producing it is placed on the data subject. The right is expressly
limited in that continued publication may be justified by constitutional rights to
freedom of speech, expression and other rights.
* Notably, the law provides a private right of action for damages for inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal data.
The law defines both "security incident" and "personal data breach," ensuring
that the two are not confused. A "security incident" is an event or
occurrence that affects or tends to affect data protection, or that may
compromise availability, integrity or confidentiality. This definition includes
incidents that would have resulted in a personal data breach had safeguards
not been in place.
A "personal data breach," on the other hand, is the subset of security
incidents that actually leads to "accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, personal data
transmitted, stored, or otherwise processed."
The law provides separate penalties for various violations, most of which also
include imprisonment. Separate offenses exist for unauthorized processing,
processing for unauthorized purposes, negligent access, improper disposal,
unauthorized access or intentional breach, concealment of a breach involving
sensitive personal information, unauthorized disclosure, and malicious disclosure.
Any combination or series of these acts may subject the offender to
imprisonment ranging from three to six years as well as a fine of
1,000,000 to 5,000,000 pesos.
Notably, the previously mentioned private right of action for damages also
applies, in addition to these penalties.
https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/