
DEPARTMENT OF EDUCATION

OVERVIEW: DATA PRIVACY ACT OF 2012

Tonisito M.C. Umali, Esq.
Undersecretary for Legislative Affairs,
External Partnerships and Schools Sports
LEGAL BASIS
Article III Sec. 3, 1987 Constitution

The privacy of communication and correspondence
shall be inviolable except upon lawful order of the
court, or when public safety or order requires
otherwise as prescribed by law.
LEGAL BASIS
Article III Sec. 2, 1987 Constitution
The right of the people to be secure in their persons,
houses, papers and effects against unreasonable
searches and seizures of whatever nature and for
any purpose shall be inviolable, and no search
warrant or warrant of arrest shall issue except upon
probable cause to be determined personally by the
judge after examination under oath or affirmation of
the complainant and the witnesses he may produce,
and particularly describing the place to be searched
and the persons or things to be seized.
Data Privacy Act
Sec. 2 The Data Privacy Act of 2012
(Republic Act No. 10173) was
enacted to protect one’s
fundamental right to privacy of
communication while ensuring free
flow of information in order to
promote innovation and growth.

The State recognizes its inherent
obligation to secure and protect
personal information in the
various systems used by and in the
government and private sector.
Scope of the Data Privacy Act

WHAT:
Processing of all types of personal information

WHO:
Natural or juridical person involved in personal
information processing

***Juridical Person
refers to the State and its political subdivisions; other corporations,
institutions and entities for public interest or purpose, created by law
whose personality begins as soon as they have been constituted according
to law, and; corporations, partnerships and associations for private interest
or purpose to which the law grants a juridical personality, separate and
distinct from that of each shareholder, partner or member as provided
by the New Civil Code of the Philippines.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-021
14 June 2017

Are cooperatives registered under the Cooperative
Development Authority (CDA) covered by the DPA?

The DPA applies to any natural or juridical person involved in the
personal information processing including those personal information
controllers and processors who, although not found or established in the
Philippines, use equipment that are located in the Philippines, or those
who maintain an office, branch or agency in the Philippines.

Upon examination of the nature of information handled by
the CDA and cooperatives, it is clear that cooperatives may
be considered as personal information controllers (PICs) who
collect, hold, process and use personal information of its
members.
DPA and its IRR on DepEd
Pursuant to the Implementing Rules and Regulations
(IRR) of DPA and other related issuances, the National
Privacy Commission (NPC) requires the Department of
Education (DepEd) to:
• register its personal information processing
systems;
• regularly conduct privacy impact assessments (PIA)
on the said processes;
• collate and report data security incidents to the
Commission; and
• establish its own data privacy manual.
Scope of the Data Privacy Act

For the Department of Education:

DPA shall cover all personal data and information
processed in and by the Department and shall
apply to all levels of governance in basic education
as provided under the Governance of Basic Education
Act of 2001 (Republic Act No. 9155) - at the Central
(CO), Region (RO), Division (DO), and District
offices (PSDS), respectively, and in schools.

As mandated by law, private schools are also required to establish their
respective privacy manuals in accordance with the Data Privacy Act of
2012. In the absence of a privacy manual, private schools are
encouraged to adopt this manual and its applicable provisions.
Scope of the Data Privacy Act
DPA does not apply to:
Section 5. Special Cases.
Information processed for purpose of allowing public access
to information that fall within matters of public concern
1. Information about any individual or person who is or
was an officer or employee of the government that
relates to his or her position or function
2. Information about any individual who is or was
performing a service under contract for a
government institution (service, name of the
individual and terms of his or her contract)
3. Information relating to a benefit of a financial
nature conferred on an individual
upon the discretion of the government
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

What does the following paragraph of Section 5
of the IRR mean? How do we interpret or
implement this?

“Section 5. Special Cases. The Act and these Rules shall not apply
to the following specified information, only to the minimum extent
of collection, access, use, disclosure, or other processing
necessary to the purpose, function, or activity concerned:”

(Items as mentioned in previous slides 9 and 10)



The exemptions are not blanket exemptions. These are limited to
the minimum extent necessary to achieve the specific purpose,
function or activity.

This is interpreted to the effect that there is presumption
that personal data may be lawfully processed by a personal
information controller or processor under the special cases
provided (above), but the processing shall be limited to
achieving the specific purpose, function or activity, and that
the personal information controller or processor remains to
be subject to the requirements of implementing measures to
secure and protect personal data.
Key Roles in the Data Privacy Act

An individual whose personal, sensitive personal, or privileged
information is processed.
e.g. learners, personnel, stakeholders

The National Privacy Commission as established by the Data
Privacy Act of 2012.

Controls the processing of personal
data, or instructs another to process
personal data on its behalf.
e.g. DepEd
Classification of Personal Information
Personal Information

Any information whether recorded in a material form
or not, from which the identity of an individual is
apparent or can be reasonably and directly
ascertained by the entity holding the information, or
when put together with other information would
directly and certainly identify an individual.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-41
14 August 2017

Are publicly available personal data, specifically
those posted on social media sites and published
in news articles, magazines and other reading
materials available to the public, covered by
DPA?
We believe that the provisions of the DPA are still applicable even
for those personal data which are available in the public domain…

There is no express mention that personal data which is available
publicly is outside of its scope. Thus, “it is a misconception that
publicly accessible personal data can be further used or
disclosed for any purpose whatsoever without regulation.”
(Office of the Privacy for Personal Data, Hong Kong)

With this, we believe that the personal information controller
(PIC) which collects and processes personal data from the
public domain must still observe the requirements under the
law, specifically on the lawful processing of personal,
sensitive personal and privileged information…

Thus, even if the data subject has provided his or her personal
data in a publicly accessible platform, this does not mean he or
she has given blanket consent for the use of his or her personal
data for whatever purposes.
Classification of Personal Information
Sensitive Personal Information
1. Individual’s race, ethnic origin, marital status, age,
complexion, and religious, philosophical or political affiliations

2. Individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal
of such proceedings, or the sentence of any court in such
proceedings

3. Issued by government agencies peculiar to an individual such
as: social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and
tax returns

4. Specifically established by an Executive Order or an act of
Congress to be kept classified.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

How do we interpret the definition of sensitive
personal information particularly with respect to
offenses committed or alleged to have been
committed (Sec. 3 (t)(2), IRR)?
Are we not allowed to publish reports on cases or
complaints filed by (government-run entity) in
court or other tribunal?

“Section 3.(t)(2) About an individual’s health and education, genetic, or
sexual life of a person, or to any proceeding for any offense committed or
alleged to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;”

We believe that (government run entity’s) processing of sensitive personal
information, which may include the publication of reports containing the
same, is allowed under Section 13(b) and (f) above, i.e. the processing of
the same is provided for by existing laws and regulations, and the
processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in
court proceedings, or the establishment, exercise and defense of legal
claims, or when provided to government or public authority, respectively.

If it is within the mandate of (government run entity) to publish
reports on cases or complaints filed by the (government run entity)
in order to inform the public, the DPA will not operate to hinder the
said mandate.
Classification of Personal Information
Privileged Information
Any and all forms of data which constitute privileged communication
under the Rules of Court, such as but not limited to:
• marital privilege
• lawyer-client privilege
• doctor-patient privilege
• priest-penitent privilege
• state secret rule and newsman shield rule
• privileged information rooted in separation of powers of
the branches of the government
• information on military and diplomatic secrets
• information affecting national security
• information on investigations of crimes by law
enforcement agencies before the prosecution of the
accused
• trade and industrial secrets
General Principles of the Data Privacy Act

1. Transparency

The data subject must be aware of:

• the nature, purpose, and extent of the processing
• the risks and safeguards involved
• the identity of the authorized personnel of the
Department
• his or her rights
• how these rights shall be exercised
General Principles of the Data Privacy Act

2. Legitimate Purpose

The processing of information shall be compatible
with a declared and specified purpose, which must
not be contrary to law, morals, or public policy.

3. Proportionality

The processing of information shall be adequate,
relevant, suitable, necessary, and not excessive in
relation to a declared and specified purpose.

Do not overcollect.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2018-008
02 April 2018
Letter seeking to clarify whether the employer’s disclosure
of the list of employees with their corresponding salary to
the (Government Office) is in consonance with RA 10173,
its IRR and relevant issuances.
Upon evaluation, the personal information being requested by the
(Government Office) satisfies the general data privacy principles of
transparency, legitimacy and proportionality.

First, the collection and processing of personal information is pursuant to a
statutory mandate.
Second, there is an assurance that the personal information collected will
be stored securely and kept confidential.
Third, the information requested are relevant and necessary to enable the
(Government Office) to accurately compute and determine the (purpose of
disclosure as stated) from every employee.
The Data Life Cycle
The Data Life Cycle should be based on the Department of Education
Records’ Retention Period and Disposition Schedule.
Talk Excerpt
Commissioner Raymund Liboro on Data Life Cycle:

Focusing on the tendency of government (including
the private sector) to over-collect personal information,
Liboro reminded everyone that there is a Data Life
Cycle.

The Data Life Cycle includes the proper and secure
disposal of personal data that have already served its
purpose.

“Data has a life. It has a beginning and it has an
end.” Liboro said.

https://blogwatch.tv/2017/04/national-privacy-commission-holds-first-assembly-government-data-protection-officers/
Advisory Opinion on DATA SHARING AGREEMENT
Privacy Policy Office
Advisory Opinion No. 2017-54
11 September 2017
Advisory Opinion on OUTSOURCING AGREEMENT
Privacy Policy Office
Advisory Opinion No. 2018-015
12 April 2018
OBLIGATION: FIVE PILLARS OF COMPLIANCE

Commit to comply:
Appoint a Data Protection Officer

Know your risks:
Conduct a Privacy Impact Assessment

Be Accountable:
Write your Privacy Management Program and
Privacy Manual

Demonstrate your Compliance:
Implement Privacy and Data Protection Measures

Be Prepared for Breach:
Regularly Exercise your Breach Reporting Process
Prohibited Acts and Penalties
Cases of Identity Theft
Thank you!