FAQs About Republic Act No. 10173 (Data Privacy Act of 2012)
We are currently living in an era where data and information are considered to be our most valuable resources. Not only that, they are also known to be the most powerful tool that can be used against us or against others. Think about it: anyone who has the right piece of information could potentially bring down private corporations, government agencies, and people in power.
What's scary about all this is that people's ability to acquire data and information keeps improving as time passes and technology advances. To counteract this fast progress, countries implement laws that try to prevent the mishandling of data. Among those who have done so are the UK, South Korea, USA, Canada, Norway, Germany, Japan, and, of course, the Philippines.
It may have taken us a long time, but we have finally reached the point where we do not have to fear the loss and leakage of data, or at least not as much as before. The threat is still there, and we should accept that it always will be, but there are now measures to reduce it and penalties for those who attempt such unlawful actions.
All this is made possible through the enactment of Republic Act No. 10173 (Data Privacy Act of 2012). There is a lot that needs to be known about this specific act, which is why we have made this extensive FAQ article. Through it, we hope to educate people about this important addition to our country's legislation, for each of our sakes.
What is the Data Privacy Act of 2012?
In 2012, the State recognized its crucial role in data protection and its obligation to ensure that personal information, whether in the public or private sector, is kept secure, and Congress passed Republic Act No. 10173, the Data Privacy Act (DPA) of 2012, which was signed into law in August 2012. Its Implementing Rules and Regulations (IRR) were issued in 2016, the same year the National Privacy Commission (NPC), the body created by the Act to enforce it, became operational.
According to official records, the DPA aims to “protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth” (Republic Act. No. 10173, Ch. 1, Sec. 2). Simply put, the act aims to ensure that information flow – an aspect necessary for the growth of individuals, institutions, and countries – continues to happen while assuring parties involved that their rights to privacy are still secured.
Through the implementation of the DPA, the State aims to protect specific categories of information and to prevent their unauthorized use and processing, whether or not that use turns out to be detrimental to the individual.
Who oversees the implementation of the Data Privacy Act?
The National Privacy Commission (NPC), an independent body created by the DPA, administers and enforces the law. Its functions include the following:
- Ensure and monitor compliance with the different provisions of the DPA
- Receive, process, and resolve complaints and institute investigations, with access to the personal information that is the subject of a complaint
- Stop personal information processing operations through the issuance of cease and desist orders or through imposing temporary or permanent bans
- Compel any and all entities to abide by its rules and orders and take appropriate actions in matters concerning data privacy
- Propose additions or modifications to Philippine Law on data privacy and protection
- Publish guides on a regular basis to make people aware and help them comprehend the different laws related to data protection
- Recommend penalties to the Department of Justice (DOJ)
- Assist private and public entities on matters regarding data privacy and protection
- Facilitate cross-border negotiations and enforcement of privacy laws
What terms need to be defined for the understanding of the Data Privacy Act?
Data Subject
Any individual, meaning a natural person, whose personal information is or has been processed is a data subject. Companies and other juridical entities are not data subjects; they appear in the DPA as controllers or processors.
Consent
Consent, or the lack of it, is what separates allowable acts from punishable ones, which is why it is important to define the term for the understanding of the DPA. Under the DPA, consent refers to a data subject's freely given, specific, and informed indication of will or agreement to the collection and processing of personal information relating to them. Consent must be evidenced by written, electronic, or recorded means. When the data subject cannot give consent personally (for example, because of incapacity), it may be given by an agent specifically authorized by the data subject to do so.
Personal Information Controller (PIC)
As the name suggests, a personal information controller is a person or organization (a company, institution, or other legal entity) that controls the collection, holding, processing, or use of personal information. Those who instruct another person or organization to collect, hold, process, or use personal information on their behalf are also PICs.
Excluded, however, are persons or organizations that perform such functions only as instructed by someone else. For example, if a company engages an outside party to collect data on its behalf, the company is the PIC, while the party that merely follows those instructions is not; it is a personal information processor, as defined below.
Individuals who process personal information only in connection with their personal, family, or household affairs are also excluded. A mother who collects personal information on her spouse for a visa application, for instance, is not a PIC.
Personal Information Processor (PIP)
A personal information processor is any natural or juridical person qualified under the DPA to whom a personal information controller may outsource the processing of personal data relating to a data subject. PIPs act on the instructions of the PIC and are themselves subject to the obligations of the DPA.
Data Processing
Processing is a deliberately broad term that refers to any operation or set of operations performed upon personal information. The DPA's own list includes collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, and destruction of data. Keep in mind that the list is expressly non-exhaustive; virtually anything done with personal information counts as processing.
As mentioned earlier, the law only protects specific forms of data and information and they are the following:
Personal Information
Personal information is any piece of information – written, recorded, or otherwise – that may make an individual’s identity apparent or discernible to the party that is holding the information. It may be a direct link or something that, when pieced together with other information, would correctly identify an individual.
Simply put, anything that can be used to make you readily identifiable is considered personal information; prime examples include name, age, address, phone number, and sex.
Sensitive Personal Information
Sensitive personal information is a subset of personal information that the DPA singles out for stricter treatment. It covers information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; health, education, genetic or sexual life, and any proceeding for an offense committed or alleged to have been committed; government-issued identifiers such as social security numbers, health records, licenses, and tax returns; and information specifically established by an executive order or an act of Congress to be kept classified. Processing it is prohibited except in the cases discussed below, and offenses involving it carry heavier penalties.
Privileged Information
Privileged information is any form of data that, under the Rules of Court and other pertinent laws, constitutes privileged communication, meaning information that a party cannot be compelled to disclose. A good example is communication between lawyers and their clients, which is protected by attorney-client privilege.
Whom does the Data Privacy Act apply to?
The DPA applies to the processing of all types of personal information and to any natural or juridical person involved in it, including businesses operating in the Philippines and PICs and PIPs that, although not established in the country, use equipment located in the Philippines or maintain an office, branch, or agency here. It also reaches foreign entities that process the personal information of Philippine citizens or residents, regardless of where they operate.
Personal information that was originally collected from residents of foreign jurisdictions in accordance with the laws of those jurisdictions, and is merely being processed in the Philippines, is one of the categories the DPA does not cover. Other exemptions include information about government officers and employees relating to their functions, and information processed for journalistic, artistic, literary, or research purposes.
What does the Data Privacy Act actually mean for those that are under its scope?
Firstly, processing of personal information must only be done for a specified and legitimate purpose, declared before or as soon as reasonably practicable after collection, and must not go beyond what that purpose requires. Data subjects must be told what the purpose is, and where consent is the basis for processing, they must willfully agree to it before any processing takes place. Where processing rests on another lawful basis (a contract, a legal obligation, and so on, as listed later in this article), the data subject must still be informed.
Secondly, the personal information must be handled properly. Aside from being used only for the intended purpose, it must be kept accurate and up to date, and it must be appropriately disposed of once there is no longer a reasonable need for it.
Third and lastly, the processing, handling, and disposal of personal information must be protected by reasonable and appropriate organizational, physical, and technical security measures so that unauthorized third parties cannot gain access to it.
These three are the main obligations of PICs, PIPs, and any other entity involved in the practice of data processing.
What are the rights of the data subject under the Data Privacy Act?
The Right to Information
As said previously, you are entitled to all information related to the processing of your personal information. Organizations must tell you things such as the identity of the processor or controller, type of data they want, the reason behind their data processing or collection, specific actions to be performed upon your information, recipients (if any), where it will be stored, and until when they plan to keep it. You can also ask other questions and they are legally required to answer them as long as they only pertain to your own, personal data.
The Right to Refuse
After receiving information regarding the data processing, you then have the right to refuse or withhold your consent. There are also cases when the information previously given to you needs to be changed. These changes must be relayed to you, the data subject, and you then have the option to accept or object to them.
Once you withhold or withdraw consent, PICs and PIPs are prohibited from collecting or using your personal information unless, of course, the information is needed pursuant to a subpoena, a legal obligation, or a contract or service to which you are a party.
The Right to Access Upon Demand
As a data subject, you also have the right to know whether organizations, companies, or third parties hold any data or information about you. Upon your demand, they must tell you what that information is and why they have it, and they must present it in a way that is easy to access and in language that is easy to understand, with no jargon or legal terms.
You may also demand access to details such as how and when they obtained your data, what they have done with it, who was responsible, the sources of the information, and the names of any recipients.
The Right to Dispute Inaccuracies
Any inaccuracies or errors in your data can and must be corrected upon your request. PICs and PIPs must act immediately and accurately to do so, unless your request is vexatious or otherwise unreasonable. Once corrections have been made, you should be notified of the changes and given access to both the new and the retracted information. Additionally, should you request it, they are required to inform third-party recipients of the change.
The Right to Order Disposal
Withdrawal, suspension, removal, destruction, and disposal of personal information are also forms of data processing, and you have the right to demand each of them where you find that your information is or was:
- Outdated, false, and/or incomplete
- Illegally or unlawfully obtained and processed
- Used without your authorization
- Used for purposes not divulged to you
- Prejudicial to you (unless justified by freedom of speech, of expression, or of the press, or otherwise authorized)
The Right to Compensation for Damages
If you suffer damages due to the unlawful or unauthorized collection and use of your data, or because your data was inaccurate, false, outdated, or incomplete, you have the right to demand compensation from the PIC or PIP responsible.
Do take note, however, that a claim for damages is brought against the PIC or PIP concerned; the NPC can penalize violators and facilitate settlement of complaints, but a civil action for damages is pursued in court.
The Right to File Complaints
The NPC may not be able to ensure you receive proper compensation, but they have the power to penalize parties that misuse and mishandle your personal information and violate DPA provisions. All you have to do then if you feel that this has been done to you is file a complaint and the NPC will take care of the rest.
The Right to Transmissibility
Lawful and assigned heirs have the right to invoke the right of the data subject in the event of death or inability to exercise his/her own rights.
The Right to Portability
The right to portability assures data subjects that they remain in control of their own personal data. Where your personal information is processed by electronic means and in a structured and commonly used format, you have the right to obtain a copy of it from the PIC in an electronic or structured format that is commonly used and allows further use. In essence, portability lets you securely obtain, move, and transfer your data as you see fit, so that personal information can flow across channels such as the internet without locking you in to a single provider.
What are the limitations of a data subject’s rights?
In short, the rights described above do not apply to personal information processed only for scientific and statistical research purposes, as long as no activities are carried out and no decisions are taken regarding the data subject on the basis of that information, or to information gathered for investigations relating to criminal, administrative, or tax liabilities. This does not make such information open to all: the PIC must still hold it under strict confidentiality and use it only for the declared purpose.
Is consent always a necessity when processing data?
No. Consent is the most common lawful basis, but the DPA allows processing of ordinary personal information without it in the situations listed under "What constitutes lawful data and information processing?" below, such as performance of a contract, compliance with a legal obligation, or protection of the data subject's vital interests. Sensitive personal information and privileged information are the exception: their processing is prohibited unless one of the narrower grounds discussed in the next section applies.
Why is it important to know the different types of information under the Data Privacy Act?
Because the law treats them differently. Ordinary personal information may be processed on any of the general lawful bases, while sensitive personal information and privileged information may only be processed in the specific circumstances set out below, and offenses involving sensitive personal information carry heavier penalties. Note also that personal information does not lose its protection merely because it has been made accessible to the public; processing publicly available personal information still requires a lawful basis under the DPA.
Under what circumstance can specific personal information and privileged information be processed?
As you already know, the DPA prohibits the processing of sensitive personal information and privileged information unless:
- The data subject has given consent, specific to the purpose, before the processing, or, in the case of privileged information, all parties to the exchange have given their consent. Processing must then be limited to what the data subject has been told.
- The processing is provided for by existing laws and regulations that guarantee the protection of the information.
- The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to give consent.
- It is needed to achieve the lawful and non-commercial objectives of public organizations and their associations, provided the processing is confined to their bona fide members and the information is not transferred to third parties.
- It is necessary for medical treatment. In such cases, processing must be done by a medical practitioner or institution that can provide an adequate level of protection.
- Processing is needed to protect lawful rights and interests in court proceedings, to establish, exercise, or defend legal claims, or to provide information to government or a public authority.
What constitutes lawful data and information processing?
- Data subject or his/her authorized heirs have given consent.
- The data subject has entered into a contract with third parties and processing is necessary to fulfill such a contract.
- Legal obligations necessitate the processing of information.
- Vital interests of the data subject are on the line – cases of life or death.
- It is necessary to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill the functions of a public authority, which necessarily includes processing personal information as part of its constitutional or statutory mandate.
- Processing is necessary for the legitimate interests pursued by the PIC or by a third party to whom the personal information is disclosed, except where those interests are overridden by the fundamental rights and freedoms of the data subject that require protection under the Constitution.
What acts are penalized under the Data Privacy Act?
- Processing personal information without consent or other authorization under the DPA
- Allowing others to access personal information through negligence
- Negligent disposal or abandonment of personal information, leaving it open to public access
- Processing personal information for purposes different from those declared to the data subject or otherwise not authorized by the DPA
- Knowingly and unlawfully breaking into a system where personal information is stored (unauthorized access or intentional breach)
- Concealing a security breach involving sensitive personal information from the NPC after the duty to notify has arisen
- Disclosing processed information to third parties with malice or in bad faith
- Disclosing information to third parties without the consent of the data subject
- Any combination or series of these acts.
What penalties await those who break the Data Privacy Act?
Penalties depend on the offense and are heavier when sensitive personal information is involved. Imprisonment ranges from six months to seven years, and fines from ₱100,000 to ₱5,000,000, depending on the provision violated. If at least 100 people were affected by any of the mentioned acts, the offense is treated as large-scale and the maximum penalty in the applicable range is imposed; for a combination or series of acts, that is ₱5,000,000 on top of six years of imprisonment. Public officers face an additional penalty of disqualification from public office for a term double the term of imprisonment imposed. For example, a public official sentenced to one year of imprisonment is barred from public office for two years.
How can companies comply with the Data Privacy Act?
For starters, businesses and companies that have at least 250 employees, that process sensitive personal information of at least 1,000 individuals, or whose processing is likely to pose a risk to the rights and freedoms of data subjects are required to register their data processing systems with the NPC. Beyond registration, every organization must abide by five rules, which are:
Assign a Data Protection Officer (DPO)
Every company must have at least one Data Protection Officer (DPO) in their ranks. Knowledge of the DPA, data security, and data processing activities are necessary for a DPO because their primary role is to monitor and ensure that their company stays in compliance with the law. They should also be able to work independently and should be well-equipped to perform functions such as privacy impact assessments, security incident management, and stakeholder relationship maintenance – NPC included.
Regularly Conduct Privacy Impact Assessments
A privacy impact assessment is undertaken to evaluate the impact that programs, projects, systems, products, devices, processes, and measures have on data privacy. Through this assessment, often headed or overseen by the DPO, a company can ascertain what personal data it holds, how that data flows through the organization and to third parties, whether it is adequately protected, and what risks to privacy and security remain.
Put simply, a privacy impact assessment helps organizations come up with and implement the latest and best data privacy practices to lessen the risk of violations and breaches, for the sake of their business and their clients.
Create a Privacy Management Program
Top management and DPOs are not the only ones responsible for ensuring data privacy. Every single person in the company or organization is required to adhere to the law, especially those whose roles involve collecting and processing personal data on a daily basis.
As such, it is a must for organizations to create a privacy management program or framework that guides every employee on how to handle personal information and data. The goal of this program is to align everyone within the organization and ensure that each individual is operating in compliance with the DPA.
Implement Privacy and Data Protection Policies
It is not enough for you to inform your employees about the provisions of the DPA and the punishments that await those that go against them. Theoretical knowledge simply won’t save you from data breaches and leaks. You, as an organization that is separate from the NPC, must create and implement your own privacy and data protection policies that your employees must follow.
These policies and measures that you come up with must also be reviewed and revised whenever necessary. Employee training must also be conducted on a regular basis to further ensure compliance.
Generate a Breach Reporting Procedure
Aside from policies for compliance, you should also lay out a procedure that you and your employees must follow on discovering or suspecting a security incident or personal data breach. As with risk management procedures, you should contain and investigate the breach, assess and mitigate its impact, and notify the affected data subjects and the NPC.
Notification of the NPC and of the affected data subjects is mandatory when sensitive personal information, or other information that could be used to enable identity fraud, is reasonably believed to have been acquired by an unauthorized person, and the PIC or the NPC believes the breach is likely to give rise to a real risk of serious harm to any affected data subject. It must be made within 72 hours of the PIC's knowledge of, or reasonable belief that, such a breach has occurred, so the procedure must get the facts to the DPO quickly.
How can companies protect themselves from the liabilities from the Data Privacy Act?
We have not mentioned it yet, but you can outsource the DPO function to a provider that offers it. That way, you do not have to choose someone from your own ranks who may know far less about the Data Privacy Act. An outsourced DPO can also help you conduct privacy impact assessments, create a privacy management program, write privacy and data protection policies (implementation is, of course, up to you), and generate breach reporting procedures.
Admittedly, understanding the Data Privacy Act is a daunting task, not only because it is relatively new but because, as with any law, it has many complexities. So, to lighten your load, why not work hand-in-hand with expert organizations that can help you achieve compliance and protection under these laws?
If you are looking for the best of the best in the Philippines with regards to such matters, then you will not have to look far, because Data Protect PH is the one. Want your company protected from liabilities under the Data Privacy Act? Contact us today!