
Republic Act No. 10173, otherwise known as the Data Privacy Act, is a law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.
The Data Privacy Act of 2012 is formally known as Republic Act No. 10173 of the Republic of the Philippines. The Act was passed and promulgated under the title: An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes.
It is the law or “policy of the State to protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.” (Sec. 2)
WHAT IS THE SCOPE OF THE DATA PRIVACY ACT?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical person involved in the processing of personal information. It also covers those who, although not found or established in the Philippines, use equipment located in the Philippines, or who maintain an office, branch, or agency in the Philippines.
WHAT IS PROCESSING OF PERSONAL INFORMATION?
Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”
In other words, processing of personal information is any operation where personal information is involved. Whenever your information is, among other things, collected, modified, or used for some purpose, processing already takes place.

Approach
The Philippine law takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.”
The Data Privacy Act explicitly states that its provisions are not applicable in the following cases:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

WHAT IS PERSONAL INFORMATION?
Under Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”
In other words, personal information is any information which can be linked to your identity, thus making you readily identifiable.
WHAT IS PRIVILEGED INFORMATION?
Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.” One such example would be any information given by a client to his lawyer. Such information would fall under attorney-client privilege and would, therefore, be considered privileged information.
In 2012, the Congress of the Philippines passed Republic Act No. 10173, also known as the Data Privacy Act (DPA) of 2012. Five years later, the DPA’s Implementing Rules and Regulations were put into effect on September 9, 2016, thus mandating all companies to comply.
The act is a necessary and important precaution in a world economy that’s swiftly going digital. In 2014, it was estimated that 2.5 quintillion — or 2.5 billion billion — bytes of data were created every day. This includes unprecedented knowledge about what real individuals are doing, watching, thinking, and feeling.
Companies must be held accountable not only for what they do with customer data — but how they protect that data from third parties. The past few years of security breaches, system errors, and ethical scandals within some of the country’s major banks have reminded us that there is much work to be done.
So, where to begin for institutions who want to comply with RA 10173 and be proactive about their consumers’ digital privacy?
What is RA 10173?
RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of personal information that is (1) private, not publicly available; and (2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information.
What does this entail?
First, all personal information must be collected for reasons that are specified, legitimate, and reasonable. In other words, customers must opt in for their data to be used for specific reasons that are transparent and legal.
Second, personal information must be handled properly. Information must be kept accurate and relevant, used only for the stated purposes, and retained only for as long as reasonably needed. Companies must be active in ensuring that other, unauthorized parties do not have access to their customers’ information.
Third, personal information must be discarded in a way that does not make it visible and accessible to unauthorized third parties.
Unauthorized processing, negligent handling, or improper disposal of personal information is punishable with up to six (6) years in prison or up to five million pesos (PHP 5,000,000) depending on the nature and degree of the violation.
Who needs to register?
Companies with at least 250 employees or access to the personal and identifiable information of at least 1,000 people are required to register with the National Privacy Commission and comply with the Data Privacy Act of 2012. Some of these companies are already on their way to compliance — but many more are unaware that they are even affected by the law.
How do I remain in compliance with the Data Privacy Act?
The National Privacy Commission, which was created to enforce RA 10173, will check whether a company is compliant based on five elements:
- Appointing a Data Protection Officer
- Conducting a privacy impact assessment
- Creating a privacy knowledge management program
- Implementing a privacy and data protection policy
- Exercising a breach reporting procedure
Privacy program required
The law requires that any entity involved in data processing and subject to the act must develop, implement and review procedures for the collection of personal data, obtaining consent, limiting processing to defined purposes, access management, providing recourse to data subjects, and appropriate data retention policies. These requirements necessitate the creation of a privacy program. Requirements for technical security safeguards in the act also mandate that an entity have a security program.

Surveillance
Interestingly, the Philippine law states that the country’s Human Security Act of 2007 (a major anti-terrorism law that enables surveillance) must comply with the Privacy Act.
What should you do in the event of a data breach?

The law requires that the NPC and the affected data subjects be notified of a data breach within 72 hours of knowledge of the breach, or of reasonable belief that one has occurred. Notification is generally required when three conditions hold: the breach involves sensitive personal information or any other information that may be used to enable identity fraud; that information has been acquired by an unauthorized person; and the acquisition is likely to give rise to a real risk of serious harm to the affected data subject.
The NPC may investigate the breach, depending on its nature or if there is a delay or failure to notify. Inquiries may include on-site examination of systems and procedures.
Why is the Data Protection Act important?
The Data Protection Act is important because it provides guidance and best practice rules for organisations and the government to follow on how to use personal data including:

- Regulating the processing of personal data
- Protecting the rights of the data subject
- Enabling the Data Protection Authority (The ICO) to enforce rules
- Holding organisations liable to fines in the event of a breach of the rules
The DPA’s rules are very thorough and cover the sharing of data as well as data security. At the heart of it are eight common-sense rules known as the ‘data protection principles’, with which all organisations collecting and using personal information are legally required to comply.
The law provides stronger protection for more sensitive information such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Health
- Sexual life
- Criminal history