Data Privacy Act

avatar
Created by
Christine Abegail

Cards (30)

  • Data Privacy Act of 2012 (R.A. No. 10173)

    Law that protects the fundamental human rights of privacy and communication while ensuring free flow of information to promote innovation and growth
    View source
  • Policies of the State
    • Protect the fundamental human rights of privacy and communication
    • Ensure free flow of information to promote innovation and growth
    • Recognize the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected
    View source
  • Data privacy
    The right
    View source
  • Data protection
    The means to implement the right of data privacy
    View source
  • Definition of Terms
    • Commission - National Privacy Commission
    • Consent of the data subject - Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information
    • Data subject - An individual whose personal information is processed
    • Direct marketing - Communication by whatever means of any advertising or marketing materials which is directed to particular individuals
    • Filing system - Any act of information relating to natural or juridical persons
    • Information and Communications System - A system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents
    • Personal information - Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained
    • Personal information controller - A person or organization who controls the collection, holding, processing or use of personal information
    • Personal information processor - Any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data
    • Processing - Any operation or any set of operations performed upon personal information
    • Privileged information - Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication
    • Sensitive personal information - Personal information about an individual's health, education, genetic or sexual life, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns
    View source
  • Scope of Data Privacy Act
    • Applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing
    • Applies to those personal information controllers and processors who, although, not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines
    View source
  • Exceptions to Coverage of Data Privacy Act
    • Information about any individual who is or was an officer or employee of a government institution
    • Information about an individual who is or was performing service under contract for a government institution
    • Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual
    • Personal information processed for journalistic, artistic, literary or research purposes
    • Information necessary in order to carry out the functions of public authority
    • Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas
    • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
    View source
  • Functions of National Privacy Commission
    • Ensure compliance of personal information controllers
    • Receive complaints, institute investigations, facilitate or enable settlement of complaints
    • Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information
    • Compel or petition of any entity; government agency or instrumentality to abide by its orders or take action
    • Monitor the compliance of other government agencies or instrumentalities on their security and technical measures
    • Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies
    • Publish on a regular basis a guide to all laws relating to data protection
    • Publish a compilation of agency system of records and notices, including index and other finding aids
    • Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties
    • Review, approve, reject or require modification of privacy codes voluntarily adhere to by personal information controllers
    • Provide assistance on matters relating to privacy or data protection
    • Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures
    • Propose legislation, amendments or modifications to Philippine laws on privacy or data protection
    • Ensure property and effective coordination with data privacy regulators in other countries and private accountability agents
    • Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws
    • Assist Philippine companies doing business abroad to respond to foreign privacy or data protection and regulations
    View source
  • The National Privacy Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession
    View source
  • Organization Structure of National Privacy Commission (NPC)
    • Composition - Headed by a Privacy Commissioner, assisted by two (2) Deputy Privacy Commissioners
    • Appointment - Appointed by the President of the Philippines
    • Term of Office - 3 years, may be reappointed for another 3 years
    View source
  • Qualifications of NPC Commissioners
    Privacy Commissioner - At least 35 years of age, good moral character, unquestionable integrity and known probity, recognized expert in the field of information technology and data privacy<|>Deputy Privacy Commissioners - Recognized experts in the field of information and communications technology and data privacy
    View source
  • Liability of NPC Commissioners
    • Not civilly liable for acts done in good faith in the performance of their duties
    • Liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors
    View source
  • General Data Privacy Principles
    • Personal information must be collected for specified and legitimate purposes
    • Personal information must be processed fairly and lawfully
    • Personal information must be accurate, relevant and kept up to date
    • Personal information must be adequate and not excessive in relation to the purposes of which they are collected and processed
    • Personal information must be retained only for as long as necessary
    • Personal information must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed
    View source
  • Processing of personal information
    1. Collected for specified and legitimate purposes
    2. Determined and declared before, or as soon as reasonably practicable after collection
    3. Later processed in a way compatible with such declared, specified and legitimate purposes only
    View source
  • Personal information must be processed
    Fairly and lawfully
    View source
  • Personal information must be
    Accurate, relevant and, where necessary for purposes for which it is to be used, kept up to date<|>Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted
    View source
  • Personal information must be

    Adequate and not excessive in relation to the purposes of which they are collected and processed
    View source
  • Personal information must be
    Retained only for as long as necessary for the fulfillment of the purposes for which the data were obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law
    View source
  • Personal information must be

    Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed
    View source
  • Criteria for Lawful Processing of Personal Information
    • The data subject has given his or her consent
    • The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract
    • The processing is necessary to protect vitally important interests of the data subject, including life and health
    • The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate
    • The processing is necessary for the purposes of the legitimate interest pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except such interest are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution
    View source
  • Sensitive Personal Information and Privileged Information
    As a general rule, the processing of sensitive personal information and privileged information shall be prohibited
    View source
  • Exceptional cases where processing of sensitive personal information and privileged information may be allowed

    • The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing
    • The processing of the same is provided for by existing laws and regulations
    • The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or consent prior to the processing
    • The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations
    • The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured
    • The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority
    View source
  • Subcontract of Personal Information
    A personal information controller may subcontract the processing of personal information, but the personal information controller shall be responsible for ensuring that proper safeguards are in place
    View source
  • Extension of Privileged Communication and Inadmissibility of Privileged Information as Evidence
    Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process, and any evidence gathered on privileged information is inadmissible
    View source
  • Rights of Data Subject
    • Right to be informed whether personal information pertaining to him or her shall be, are being or have been processed
    • Right to be furnished information about the description of the personal information, purposes, scope and method of processing, recipients, methods of automated access, identity and contact details of the personal information controller, period for which the information will be stored, and the existence of their rights
    • Right to have reasonable access to the contents of his or her personal information, sources, recipients, manner of processing, reasons for disclosure, information on automated processes, date of last access and modification, and the designation, name or identity and address of the personal information controller
    • Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately
    • Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system
    • Right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information
    • Right to data portability - to obtain a copy of data undergoing processing in an electronic or structured format
    View source
  • Non-Applicability of the Rights of Data Subject
    The data privacy subject rights are not applicable if the processed information are used only for the needs of scientific and statistical research, or if the information is gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject
    View source
  • Internal control measures to be implemented by the personal information controller to secure personal information
    • Reasonable and appropriate organizational, physical and technical measures for protection against accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing
    • Measures to protect personal information against natural and human dangers
    • Safeguards to protect its computer network
    • A security policy with respect to the processing of personal information
    • A process for identifying and accessing reasonably foreseeable vulnerabilities and taking preventive, corrective and mitigating action
    • Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action
    View source
  • Employees, agents or representatives of a personal information controller
    Must operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure, even after leaving the public service, transfer to another position or upon termination of employment or contractual relations
    View source
  • Notification requirement
    The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may enable identify fraud are reasonably believed to have been acquired by an unauthorized person
    View source
  • Accountability of Personal Information Controller for Transfer of Personal Information
    Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally<|>The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party<|>The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act
    View source