Cybersecurity Law Overview

Questions and Answers

Which type of information about government employees is exempt from the Act?

Personal medical history of the employee

Criminal record of the employee

Employee's business address and office telephone number (correct)

Social security number of the employee

What category of information is excluded due to its connection with discretionary benefits?

Work hours logged by an employee

Details regarding the granting of licenses or permits (correct)

Information about community service requirements

Employee performance reviews

Which of the following is NOT exempt from the provisions of the Act?

Name of an individual on an official document

Information processed for research purposes

Competencies required for a position (correct)

Terms of a contract for government services

What type of services performed under contract for a government institution is exempt?

Information relating to the terms of the contract

Which of these statements about personal information processing is accurate?

Journalistic purposes related information is exempt

What must be specified before collecting personal information?

The purposes for collection

Which principle states that personal information must be processed fairly and lawfully?

Fair processing

How should inaccurate personal information be handled?

It must be rectified or destroyed as necessary

For how long should personal information be retained?

Only as long as necessary for the purposes it was collected

Which of the following is NOT a condition for processing personal information?

Data must be kept confidential at all costs

What condition does not allow for the processing of personal information?

The processing is explicitly prohibited by law.

Under which condition can personal information be processed without consent?

When it is necessary for life-threatening situations.

Which condition involves processing personal data for compliance with legal obligations?

Legal obligation of the data controller.

What is a condition that justifies processing personal information during a national emergency?

For maintaining public order and safety.

Which of the following statements about legitimate interests is true?

Such interests must not override the fundamental rights of the data subject.

What is required before any information supplied to a data subject can be amended?

The data subject should be informed in advance.

Under what circumstances can the notification requirement to a data subject be waived?

In cases involving legal obligations or subpoenas.

Which of the following is NOT a reasonable access request for personal information?

The personal opinions of the data processor.

What can a data subject do if they find inaccuracies in their personal information?

Request immediate correction from the controller.

Which of the following information regarding automated processes must be disclosed to the data subject?

Information on any significant decisions based on the data.

What is the penalty for concealing knowledge of a security breach?

Imprisonment of 1 year and 6 months to 5 years and a fine of 500,000 to 1 million pesos

Which of the following penalties applies to the unauthorized disclosure of personal information?

Imprisonment of 1 to 3 years and a fine of 500,000 to 1 million pesos

What is the consequence of maliciously disclosing false information?

Imprisonment of 1 year and 6 months to 5 years and a fine of 500,000 to 1 million pesos

What is the fine range for unauthorized disclosure of sensitive personal information?

1 million to 2 million pesos

What imprisonment term applies to a combination of acts as defined in Sections 25 to 32?

3 to 6 years

What is the minimum fine for unauthorized disclosure of personal information?

500,000 pesos

Which section addresses the penalties for malicious disclosure of personal information?

Section 31

What is the maximum fine for unauthorized disclosure of sensitive personal information?

2 million pesos

Study Notes

Legal Penalties for Security Breaches

• Imprisonment of 1.5 to 5 years and fines between Php500,000.00 and Php1,000,000.00 for concealing a security breach after obligation to notify the Commission.
• Similar penalties apply for malicious disclosure of false information regarding personal data.

Unauthorized Disclosure of Personal Information

• Disclosing personal information to third parties without consent results in imprisonment of 1 to 3 years and fines of Php500,000.00 to Php1,000,000.00.
• For sensitive personal information, imprisonment ranges from 3 to 5 years with fines between Php500,000.00 and Php2,000,000.00.

Series of Acts and Combinations

• Engaging in a series of acts related to personal data misuse leads to imprisonment of 3 to 6 years and fines of Php1,000,000.00 to Php5,000,000.00.

Exceptions to the Act

• Information relating to government employees and their roles may not be covered by this Act.
• Contracts related to government services and discretionary benefits from the government are also exempt.
• Processing personal data for journalistic or research purposes, and for public authority functions, is excluded.

Principles of Personal Data Processing

• Personal data must be collected for legitimate, specified purposes.
• Fairness, accuracy, and relevance of the data are required; outdated or incorrect information must be rectified.
• Data retention limited to necessary duration for stated purposes, allowing for longer storage for historical or research use under specific laws.

Criteria for Lawful Processing

• Consent from the data subject is necessary unless the processing is required for contract fulfillment, legal obligations, or protection of vital interests.
• Public authority functions and legitimate interests pursued may justify data processing, with respect for rights and freedoms under the Constitution.

Rights of Data Subjects

• Data subjects must be notified before any amendments to their information, except in specific legal contexts.
• They have the right to access their personal information, including details about processing, sources, and recipients.
• Data subjects can dispute inaccuracies and demand corrections unless the request is unreasonable.

Description

This quiz covers essential aspects of cybersecurity law, specifically focusing on penalties for failure to report security breaches as outlined in relevant legislation. It provides insights into the responsibilities of personal information controllers and their obligations. Test your understanding of legal implications related to cybersecurity.