Data Privacy Act of 2012

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to Lesson

Podcast

Play an AI-generated podcast conversation about this lesson
Download our mobile app to listen on the go
Get App

Questions and Answers

Under the Data Privacy Act of 2012, what is the definition of 'personal information'?

  • Information available in public records only.
  • Any data stored electronically.
  • Anonymous statistical data used for research purposes.
  • Information from which the identity of an individual is apparent or can be reasonably and directly ascertained. (correct)

According to the Data Privacy Act of 2012, which of the following constitutes 'sensitive personal information'?

  • An individual's employment history.
  • An individual's email address.
  • An individual's previously held addresses.
  • An individual's race, ethnic origin, marital status, or age. (correct)

In the context of the Data Privacy Act of 2012, what does 'processing' of personal information encompass?

  • Any operation performed upon personal information, including collection, recording, storage, and use. (correct)
  • Secure deletion of personal information.
  • Only the analysis of data for marketing purposes.
  • The act of transmitting data across borders.

What is the primary role of the National Privacy Commission (NPC) as defined by the Data Privacy Act of 2012?

<p>To administer and implement the provisions of the Data Privacy Act and ensure the country's compliance with international standards for data protection. (B)</p> Signup and view all the answers

Under what conditions does the Data Privacy Act of 2012 permit the processing of sensitive personal information?

<p>When the data subject has given consent, or when processing is provided for by existing laws and regulations. (A)</p> Signup and view all the answers

According to the Data Privacy Act, what is the 'right to data portability'?

<p>The right of a data subject to obtain a copy of their data in a commonly used electronic format. (B)</p> Signup and view all the answers

What does the Data Privacy Act of 2012 stipulate regarding the confidentiality of personal information?

<p>The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession. (C)</p> Signup and view all the answers

Which of the following scenarios describes a situation where the Data Privacy Act of 2012 would not apply?

<p>Processing personal information for journalistic purposes. (C)</p> Signup and view all the answers

What is the role of a 'Personal Information Controller' under the Data Privacy Act of 2012?

<p>To control the collection, holding, processing, or use of personal information. (D)</p> Signup and view all the answers

Under the Data Privacy Act of 2012, what is required when a personal information controller subcontracts the processing of personal information?

<p>The personal information controller remains responsible for ensuring that proper safeguards are in place. (C)</p> Signup and view all the answers

What is the consequence for unauthorized processing of personal information under Section 25 of the Data Privacy Act?

<p>Imprisonment ranging from one to three years and a fine. (A)</p> Signup and view all the answers

According to the Data Privacy Act, what constitutes 'privileged information'?

<p>Data which, under the Rules of Court and other pertinent laws, constitutes privileged communication. (C)</p> Signup and view all the answers

Under the Data Privacy Act, what action can the National Privacy Commission take if it finds that the processing of personal information is detrimental to national security?

<p>Issue cease and desist orders, imposing a temporary or permanent ban on the processing. (C)</p> Signup and view all the answers

How does the Data Privacy Act address cross-border enforcement of data protection?

<p>It allows the National Privacy Commission to negotiate and contract with data privacy authorities of other countries for cross-border application and implementation of respective privacy laws. (D)</p> Signup and view all the answers

What is required of government agencies regarding sensitive personal information maintained by them, according to the Data Privacy Act?

<p>They must secure it using the most appropriate standard recognized by the information and communications technology industry. (D)</p> Signup and view all the answers

According to the Data Privacy Act, what rights do lawful heirs and assigns have concerning the data subject's rights?

<p>They may invoke the rights of the data subject at any time after the death of the data subject. (C)</p> Signup and view all the answers

Under what condition can the notification of a security breach involving sensitive personal information be delayed, according to the Data Privacy Act?

<p>Only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. (A)</p> Signup and view all the answers

According to the Data Privacy Act, what is the minimum age requirement for the Privacy Commissioner?

<p>35 (D)</p> Signup and view all the answers

Under the Data Privacy Act, what is the term length for the Privacy Commissioner and Deputy Privacy Commissioners?

<p>3 years (B)</p> Signup and view all the answers

Which agencies should majority of the members of the Secretariat have served for at least five years?

<p>Any agency of the government that is involved in the processing of personal information. (A)</p> Signup and view all the answers

Under the Data Privacy Act, what steps must the personal information controller take when personal information is inaccurate?

<p>Correct the data immediately and inform third parties who received the incorrect data. (B)</p> Signup and view all the answers

If the head of an agency does not respond to a request to transport sensitive personal information off-site within two business days, what is the status of the request?

<p>It is considered disapproved. (D)</p> Signup and view all the answers

According to the Data Privacy Act, what is the maximum number of records that an agency head can allow access to at a time when approving off-site access to sensitive personal information?

<p>1,000 (A)</p> Signup and view all the answers

What technology is required to secure sensitive personal information for off-site access approved by the agency head under the Data Privacy Act?

<p>Encryption (C)</p> Signup and view all the answers

According to the Data Privacy Act, what does 'malicious disclosure' refer to?

<p>Disclosure with malice or in bad faith of unwarranted or false information. (A)</p> Signup and view all the answers

According to the Data Privacy Act, what is the scope of the 'principle of accountability'?

<p>Each personal information controller is responsible for personal information under its control or custody. (B)</p> Signup and view all the answers

Under the Data Privacy Act, how are doubts interpreted?

<p>Shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed. (B)</p> Signup and view all the answers

Flashcards

Commission

The National Privacy Commission created by virtue of the Data Privacy Act of 2012.

Consent of data subject

Freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information.

Data subject

An individual whose personal information is processed.

Direct marketing

Communication of advertising or marketing material directed to particular individuals.

Signup and view all the flashcards

Information and Communications System

System for generating, sending, receiving, storing, or processing electronic data messages/documents.

Signup and view all the flashcards

Personal information

Info, recorded or not, from which an individual's identity is apparent or can be reasonably ascertained.

Signup and view all the flashcards

Personal information controller

Person/organization controlling the collection, holding, processing, or use of personal information.

Signup and view all the flashcards

Personal information processor

Natural/juridical person qualified to act under this Act to whom a personal information controller may outsource the processing of personal data.

Signup and view all the flashcards

Processing

Operation/set of operations performed upon personal information (collection, recording, storage, etc.).

Signup and view all the flashcards

Privileged information

Data which under the Rules of Court and other pertinent laws constitute privileged communication.

Signup and view all the flashcards

Sensitive personal information

Personal information about race, ethnic origin, marital status, health, etc.

Signup and view all the flashcards

Confidentiality

Ensuring confidentiality of any personal information that comes to its knowledge and possession.

Signup and view all the flashcards

General Data Privacy Principles

Collected for specified/legitimate purposes, processed fairly, accurate, adequate, and retained only as long as necessary.

Signup and view all the flashcards

Right to Data Portability

The data subject has the right to this if their data is processed by electronic means and in a structured and commonly used format.

Signup and view all the flashcards

Security of Personal Information

Implementing reasonable measures to protect personal information against unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

Signup and view all the flashcards

Study Notes

  • Republic Act No. 10173 is an act protecting individual personal information in information and communications systems in the government and the private sector.
  • The Act creates a National Privacy Commission.

General Provisions

  • This Act is known as the "Data Privacy Act of 2012".
  • The State protects the fundamental human right to privacy and communication while ensuring the free flow of information to promote innovation and growth.
  • The State recognizes the vital role of information and communications technology in nation-building.
  • The State has an obligation to ensure that personal information in information and communications systems in the government and private sector are secured and protected.

Key Definitions

  • Commission refers to the National Privacy Commission.
  • Consent of the data subject is a freely given, specific, informed indication of will that the data subject agrees to the collection and processing of personal information. It must be evidenced by written, electronic, or recorded means.
  • Data subject refers to an individual whose personal information is processed.
  • Direct marketing refers to communication of advertising or marketing material directed to particular individuals.
  • Filing system refers to any act of information relating to natural or juridical persons, structured for accessibility.
  • Information and Communications System refers to a system for generating, sending, receiving, storing, or processing electronic data messages or electronic documents, including related procedures.
  • Personal information refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
  • Personal information controller refers to a person or organization who controls the collection, holding, processing, or use of personal information. This excludes those performing functions as instructed by another organization, and individuals handling data for personal, family, or household affairs.
  • Personal information processor refers to a natural or juridical person qualified to act under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
  • Processing refers to any operation performed upon personal information, including collection, recording, organization, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
  • Privileged information refers to data protected under the Rules of Court and other laws constituting privileged communication.
  • Sensitive personal information refers to personal information about an individual’s race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations; health, education, genetic or sexual life, or any offense committed; issued by government agencies like social security numbers, health records, and tax returns; and specifically established by an executive order or an act of Congress to be kept classified.

Scope and Applicability

  • This Act applies to the processing of all types of personal information.
  • This Act applies to natural and juridical persons involved in personal information processing, including controllers and processors who use equipment located in the Philippines, or who maintain an office, branch, or agency in the Philippines.

Exemptions

  • Information about officers or employees of government institutions related to their position or functions.
  • Information about individuals performing service under contract for a government institution.
  • Information relating to any discretionary financial benefit like a license or permit.
  • Personal information processed for journalistic, artistic, literary or research purposes.
  • Information necessary for public authority functions, including processing by the central monetary authority, law enforcement, and regulatory agencies.
  • Information necessary for banks and financial institutions to comply with Republic Acts No. 9510 and No. 9160 as long as compliant with the Anti-Money Laundering Act.
  • Personal information originally collected from residents of foreign jurisdictions following their laws, which is being processed in the Philippines.

Protection of Journalists

  • Establishes that nothing in this Act amends or repeals Republic Act No. 53.
  • The R.A. No. 53, protects publishers, editors, and reporters from being compelled to reveal sources.

Extraterritorial Application

  • The Act applies to acts done outside of the Philippines by an entity if the act relates to personal information about a Philippine citizen or resident, or if the entity has a link with the Philippines and is processing personal information about Philippine citizens or residents.

National Privacy Commission

  • The National Privacy Commission is responsible for administering and implementing the provisions of the Act, and monitoring compliance with international data protection standards.
  • The Commission is an independent body.

Functions of the National Privacy Commission

  • Ensure compliance of personal information controllers with the provisions of the Act.
  • Receive complaints, institute investigations, facilitate settlement through alternative dispute resolution, adjudicate matters, award indemnity, prepare reports, and publicize reports.
  • Issue cease and desist orders and impose bans on processing detrimental to national security and public interest.
  • Compel entities and government agencies to abide by its orders.
  • Monitor compliance of government agencies and recommend actions to meet minimum standards.
  • Coordinate with government agencies and the private sector to strengthen the protection of personal information.
  • Publish a guide to all laws relating to data protection.
  • Publish a compilation of agency system of records and notices.
  • Recommend prosecution and penalties to the Department of Justice (DOJ).
  • Review, approve, reject, or require modification of privacy codes voluntarily adhered to by personal information controllers.
  • Provide assistance on matters relating to privacy or data protection.
  • Comment on the data privacy implication of proposed national or local statutes, regulations, or procedures, issue advisory opinions, and interpret data privacy laws.
  • Propose legislation, amendments, or modifications to Philippine laws on privacy or data protection.
  • Coordinate with data privacy regulators in other countries, participate in international and regional initiatives.
  • Negotiate and contract with other data privacy authorities for cross-border application implementation of respective privacy laws.
  • Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations.
  • Generally perform acts to facilitate cross-border enforcement of data privacy protection.

Confidentiality

  • The Commission ensures the confidentiality of personal information that comes to its knowledge and possession.

Organizational Structure

  • The Commission is attached to the Department of Information and Communications Technology (DICT).
  • The Commission is headed by a Privacy Commissioner who acts as Chairman.
  • The Privacy Commissioner is assisted by two Deputy Privacy Commissioners, one for Data Processing Systems, and one for Policies and Planning.
  • The President of the Philippines appoints the Privacy Commissioner and Deputy Privacy Commissioners for a term of three years, with possible reappointment for another term.
  • The Privacy Commissioner must be at least 35 years of age, of good moral character, unquestionable integrity, known probity, and a recognized expert in information technology and data privacy.
  • The Privacy Commissioner enjoys benefits, privileges, and emoluments equivalent to the rank of Secretary.
  • Deputy Privacy Commissioners must be recognized experts in information and communications technology and data privacy, and enjoy benefits equivalent to the rank of Undersecretary.
  • The Privacy Commissioner, Deputy Commissioners, or any person acting on their behalf is not civilly liable for acts done in good faith, but is liable for willful or negligent acts.
  • The Commission can reimburse reasonable litigation costs if an official is sued for lawful implementation of duty.

Provision for Secretariat

  • Majority of the members of the Secretariat must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information.
  • Relevant agencies include: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).

General Data Privacy Principles - Processing of Personal Information

  • The processing of personal information must comply with the requirements of this Act and other laws, adhering to the principles of transparency, legitimate purpose, and proportionality.
  • Personal information must be collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified, and legitimate purposes only.
  • Processed fairly and lawfully.
  • Accurate, relevant, and kept up to date.
  • Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
  • Adequate and not excessive in relation to the purposes for which they are collected and processed.
  • Retained only as long as necessary or for the establishment, exercise or defense of legal claims, or legitimate business purposes, or as provided by law.
  • Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Personal information collected for other purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods.
  • The personal information controller must ensure implementation of personal information processing principles set out herein.

Lawful Processing

  • The processing of personal information is permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
  • The data subject has given his or her consent
  • Processing of personal information related to fulfilment of a contract with the data subject
  • Processing necessary for compliance with a legal obligation
  • Processing necessary to protect vitally important interests of the data subject, including life and health
  • Processing necessary to respond to national emergency, to comply with requirements of public order and safety, or to fulfill functions of public authority
  • Processing necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party

Sensitive and Privileged Information

  • Processing sensitive personal information and privileged information is generally prohibited, except in specific cases.
  • Exceptions include the data subject's consent, processing provided by law, necessary protection of life and health, or necessary for lawful and noncommercial objectives of public organizations.

Subcontracting

  • A personal information controller may subcontract the processing of personal information, provided that they ensure confidentiality, prevent unauthorized use, and comply with the Act and other applicable laws.

Rights of the Data Subject

  • To be informed whether personal information pertaining to him or her shall be, is being or have been processed.
  • To be furnished information before their personal information is entered into a processing system including:
    • A description of the personal information to be entered into the system;
    • The purposes for which it is being or is to be processed;
    • The scope and method of the personal information processing;
    • The recipients or classes of recipients to whom it is or may be disclosed;
    • Methods utilized for automated access, if allowed
    • The identity and contact details of the personal information controller or its representative;
    • The period for which the information will be stored;
    • The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
  • Reasonable acess to personal information.
  • To dispute inaccurarcy of errors in personal information.
  • To suspend, withdraw, to block removal or destruction of personal information from the personal information controller's filing system.
  • To be indemnified from damages sustained

Transmissibility

  • Lawful heirs and assigns of the data subject may invoke rights of the data subject in certain circumstances.

Right to Data Portability

  • The data subject has the right to obtain a copy of their data in a commonly used electronic format.

Non-Applicability

  • The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject:
  • Immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.

Security of Personal Information

  • Personal information controllers must implement reasonable organizational, physical, and technical measures for data protection.
  • Measures should address accidental or unlawful destruction, alteration, disclosure, and other unlawful processing.
  • Measures should address natural and human dangers, such as accidental loss, unlawful access, and fraudulent misuse.
  • Appropriate level of security must take into account the nature of the personal information to be protected, the risks represented by the processing and the size and complexity of the organization.
  • Third parties must implement security measures.
  • Employees and representatives involved in processing must maintain strict confidentiality.
  • Controllers must promptly notify the Commission and data subjects of security breaches involving sensitive personal information that are reasonably believed to have been acquired by an unauthorized person that is likely to give rise to a real risk of serious harm to any affected data subject.

Accountability for Transfer

  • Each personal information controller is responsible for personal information under its control, and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.

Security of Sensitive Information in Government

  • All sensitive personal information maintained by the government must be secured using appropriate standards.
  • Heads of government agencies are responsible for complying with security requirements set by the Commission.

Access Requirements

  • Government employees must receive security clearance to access sensitive personal information.
  • Off-site access requires an approved request from the agency head, with a deadline of two business days.
  • Approved requests shall limit access to one thousand (1,000) records.
  • Secured by the use of the most secure encryption standard recognized by the Commission
  • Compliance should apply no later than six months after the date of the enactment of this Act

Government Contractors

  • Agencies must require contractors and their employees to register their systems and comply with this Act when contracts involve accessing sensitive personal information from more than one thousand individuals.

Penalties

  • Penalties include imprisonment and fines for unauthorized processing, accessing, or disclosing personal and sensitive personal information without consent or authority.
  • Penalties also apply to improper disposal, unauthorized access, concealment of security breaches, and malicious disclosure of information.

Fines and Imprisonment

  • Unauthorized Processing of Info: 1-3 years imprisonment and Php500,000-2,000,000 fine
  • Unauthorized Processing of Sensitive Info: 3-6 years imprisonment and Php500,000-4,000,000 fine
  • Accessing Info Due to Negligence: 1-3 years imprisonment and Php500,000-2,000,000 fine
  • Accessing Sensitive Info Due to Negligence: 3-6 years imprisonment and Php500,000-4,000,000 fine
  • Improper Disposal of Info: 6 months-2 years imprisonment and Php100,000-500,000 fine
  • Improper Disposal of Sensitive Info: 1-3 years imprisonment and Php100,000-1,000,000 fine
  • Processing Info for Unauthorized Purposes: 1 year & 6 months-5 years imprisonment and Php500,000-1,000,000 fine
  • Processing Sensitive Info for Unauthorized Purposes: 2-7 years imprisonment and Php500,000-2,000,000 fine
  • Unauthorized Access or Intentional Breach: 1-3 years imprisonment and Php500,000-2,000,000 fine
  • Concealment of Security Breaches Involving Sensitive Personal Information: 1 year & 6 months-5 years imprisonment and Php500,000-1,000,000 fine
  • Malicious Disclosure: 1 year & 6 months-5 years imprisonment and Php500,000-1,000,000 fine
  • Unauthorized Disclosure if not covered by the section on Malicious Disclosure above: 1-3 years imprisonment and Php500,000-1,000,000 fine
  • Unauthorized Disclosure of Sensitive Personal Information if not covered by the section on Malicious Disclosure above: 3-5 years imprisonment and Php500,000-2,000,000 fine

Combination of Acts

  • Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

Liability

  • If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers.
  • Court may suspend or revoke rights.
  • Alien offenders will be deported.
  • Public officials are disqualified from office.

Large Scale

  • The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

Public Officer

  • An accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he applied.

Restitution

  • Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

Interpretation of the Act

  • Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.

Implementing Rules and Regulations (IRR)

  • The Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act within ninety days from the effectivity of this Act.

Reports and Information

  • The Commission shall annually report to the President and Congress on its activities.
  • The Commission shall undertake efforts to inform and educate the public of data privacy, protection and fair information rights and responsibilities.

Appropriations Clause

  • The Commission shall be provided with an initial appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the national government.
  • Shall receive Ten million pesos (Php10,000,000.00) per year for five (5) years.

Transitory Provision

  • Existing industries, businesses and offices affected by the implementation of this Act shall be given one year transitory period from the effectivity of the IRR.

Separability Clause

  • If any provision or part hereof is held invalid or unconstitutional, the remainder of the law or the provision not otherwise affected shall remain valid and subsisting.

Repealing Clause

  • The provision of Section 7 of Republic Act No. 9372 is hereby amended.
  • All other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof inconsistent herewith are hereby repealed or modified accordingly.

Effectivity Clause

  • This Act shall take effect fifteen (15) days after its publication in at least two (2) national newspapers of general circulation.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Quiz Team

Related Documents

Data Privacy Act of 2012 (Philippines) PDF

More Like This

Data Privacy Act of 2012
6 questions

Data Privacy Act of 2012 Quiz: Questions and Answers

PainlessBowenite avatar
PainlessBowenite
Data Privacy Act of 2012 (DPA) Quiz
10 questions

Data Privacy Act of 2012 Quiz: Questions and Answers

ImpressiveAqua avatar
ImpressiveAqua
Data Privacy Act RA 10173
4 questions

Data Privacy Act RA 10173

PleasedPrairieDog avatar
PleasedPrairieDog
Data Privacy Act RA 10173
38 questions

Data Privacy Act RA 10173

ObservantEmpowerment8385 avatar
ObservantEmpowerment8385
Use Quizgecko on...
Open
Browser
Browser