Data Privacy Act of 2012 Quiz
29 Questions

Questions and Answers

What is one of the major functions of the NPC?

  • Data processing operations registration
  • Public education (correct)
  • Economic analysis
  • Tax enforcement

Which scenario requires a data processing system to be registered?

  • When data processing is done occasionally
  • When a nonprofit organization handles personal data
  • When employees total less than 100
  • When sensitive data of at least 1,000 individuals is involved (correct)

What is necessary before making automated processing decisions that affect a data subject?

  • A formal contract with the data subject
  • Payment to the regulatory authority
  • Public announcement of data policies
  • Consent from the data subject (correct)

What must be appointed to ensure compliance with the Data Privacy Act?

  • Data Protection Officer

What is a requirement in the event of a data breach?

  • Notify the NPC within 72 hours

When is a data breach notification required?

  • When sensitive personal information is acquired by an unauthorized person

What should be formed to address security incidents or personal data breaches?

  • Data Breach Response Team

What kind of report must be prepared annually regarding data security incidents?

  • A summary of documented security incidents and breaches

What is the primary purpose of the Data Privacy Act of 2012?

  • To protect individual personal information.

Which entity is responsible for managing compliance with the Data Privacy Act?

  • National Privacy Commission (NPC)

According to the Data Privacy Act, who qualifies as a Data Subject?

  • An individual whose personal information is processed.

Which role is characterized by controlling the processing of personal data?

  • Personal Information Controller (PIC)

Which of the following actions is covered by the Data Privacy Act?

  • Processing personal data of Philippine citizens from overseas.

What distinguishes data as being more valuable than money?

  • Data allows for future financial exploitation.

Who may be hired to process the personal data of a Data Subject under the DPA?

  • Personal Information Processor (PIP)

What defines the role of the Data Protection Officer (DPO) in relation to the Data Privacy Act?

  • Overall management of compliance with the DPA.

Which of the following is NOT a principle for processing personal data?

  • Shared without a Data Sharing Agreement

What should be done to ensure personal information is kept secure?

  • Encrypting personal information held electronically

In case of a data breach, which of the following organizations did NOT experience a noted breach?

  • Amazon

What is recommended to protect oneself while using Facebook?

  • Use unique passwords for different accounts

What method is suggested for handling confidential waste to maintain security?

  • Shredding all confidential waste

What is the maximum jail term for unauthorized processing of sensitive personal information?

  • 3-6 years

Which right allows a data subject to be informed about the processing of their personal data?

  • Right to be informed

What is the maximum fine for improper disposal of personal information?

  • 500 k - 1 million

Which principle requires that information about personal data processing should be accessible and clear?

  • Principle of Transparency

Under which section can a data subject rightfully file a complaint?

  • Section 34.a.2

What is the jail term range for malicious disclosure of personal information?

  • 18 months – 5 years

What does the right to data portability enable a data subject to do?

  • Transfer their data to another entity

What is the potential jail term for a combination of acts violating data privacy?

  • 1-3 years

    Study Notes

    Data Privacy Act of 2012 (RA 10173)

    • The Data Privacy Act of 2012 is a Philippine law that protects personal data in information and communications systems in both the government and private sector.
    • The law creates the National Privacy Commission (NPC), an independent body mandated to implement and enforce the DPA.
    • The DPA covers acts done or practices engaged in both inside and outside the Philippines if any of the following criteria are met:
      • The person involved in processing personal data is located in the Philippines.
      • The act or practice involves personal data of a Philippine citizen or resident.
      • The processing of personal data is done in the Philippines.
      • The act, practice, or processing of personal data is done by an entity with links to the Philippines, subject to international law.

    Key Roles in the DPA

    • Data Subject: An individual whose personal, sensitive personal, or privileged information is processed.
    • Personal Information Controller (PIC): Controls the processing of personal data or instructs another to process personal data on their behalf.
    • Personal Information Processor (PIP): An organization or individual that a PIC may outsource or instruct to process personal data pertaining to a data subject.
    • Data Protection Officer (DPO): Responsible for managing compliance with the DPA.

    National Privacy Commission (NPC)

    • The NPC is responsible for:
      • Rule-making.
      • Advising.
      • Public education.
      • Compliance and monitoring.
      • Complaints and investigations.
      • Enforcement.

    Compliance with the Data Privacy Act

    • Registration of data processing systems (DPS): Entities with fewer than 250 employees are exempt from registration unless their data processing operations involve sensitive personal information of at least 1,000 individuals, are likely to pose a risk to the rights and freedoms of data subjects, or are not occasional.
    • Notification of Automated Processing Operations: Data subjects must be notified when decisions about them are based solely on automated processing, as these decisions can significantly affect them.
    • Appointment of a Data Protection Officer: Ensure compliance with the DPA.
    • Creation of a Data Breach Response Team: Respond immediately to security incidents or personal data breaches.
    • Adoption of data protection policies: Provide for data security measures and security incident management.
    • Annual Report: Document security incidents and personal data breaches.
    • Compliance with other requirements: As specified by the NPC.

    Data Breach Notification

    • The law requires notification of a data breach to the NPC and the data subject within 72 hours of becoming aware of the breach.
    • Notification is required if the breach involves sensitive personal information or any information that can be used for identity fraud that has been acquired by an unauthorized person and is likely to result in serious harm to the affected data subject.

    Punishable Acts under the DPA

    • Unauthorized processing:
      • Personal information: 1-3 years imprisonment, Php 500,000 - Php 4 million fine.
      • Sensitive personal information: 3-6 years imprisonment, Php 500,000 - Php 4 million fine.
    • Access due to negligence:
      • Personal information: 1-3 years imprisonment, Php 500,000 - Php 4 million fine.
      • Sensitive personal information: 3-6 years imprisonment, Php 500,000 - Php 4 million fine.
    • Improper disposal:
      • Personal information: 6 months - 2 years imprisonment, Php 100,000 - Php 1 million fine.
      • Sensitive personal information: 3-6 years imprisonment, Php 100,000 - Php 1 million fine.
    • Unauthorized purposes:
      • Personal information: 18 months - 5 years imprisonment, Php 500,000 - Php 2 million fine.
      • Sensitive personal information: 2-7 years imprisonment, Php 500,000 - Php 2 million fine.
    • Intentional breach:
      • Sensitive personal information: 1-3 years imprisonment, Php 500,000 - Php 2 million fine.
    • Concealment of breach:
      • Sensitive personal information: 18 months - 5 years imprisonment, Php 500,000 - Php 1 million fine.
    • Malicious disclosure:
      • Sensitive personal information: 18 months - 5 years imprisonment, Php 500,000 - Php 1 million fine.
    • Unauthorized disclosure:
      • Personal information: 1-3 years imprisonment, Php 500,000 - Php 2 million fine.
      • Sensitive personal information: 3-5 years imprisonment, Php 500,000 - Php 2 million fine.
    • Combination of acts: 1-3 years imprisonment, Php 1 million - Php 5 million fine.

    Rights of the Data Subject

    • Right to be informed: The data subject has the right to know the reasons why personal information is being collected, how it will be used, and who will have access to it.
    • Right to object: Data subjects have the right to object to the processing of their personal information.
    • Right to access: Data subjects have the right to access their own personal information.
    • Right to correction (rectification): Data subjects have the right to request that their personal information be corrected if it is inaccurate.
    • Right to erasure or blocking: Data subjects have the right to request the deletion or suppression of their personal information.
    • Right to file a complaint: Data subjects have the right to file a complaint with the NPC if they believe their rights have been violated.
    • Right to damages: Data subjects may have the right to seek compensation for damages if their rights have been violated.
    • Transmissibility of rights: A data subject's rights can be passed on to their heirs upon the data subject's death.
    • Right to data portability: Data subjects can request the transfer of their data to another data controller in a structured, commonly used format, and to transmit it without hindrance.

    Key Principles of the DPA

    • Principle of Transparency: Data subjects must be informed about the purpose, nature, and extent of the processing of their personal data, including any risks, safeguards, and the identity of the personal information controller. Information regarding personal data processing should be clear, plain, and easy to understand.
    • Principle of Legitimate Purpose: The processing of information must be compatible with a declared and specific purpose that is not contrary to law, morality, or public policy.
    • Other Security Measures:
      • Shredding confidential waste.
      • Using strong passwords.
      • Installing firewalls and virus checkers on computers.
      • Encrypting personal information held electronically.
      • Disabling auto-complete settings.
      • Holding telephone calls in private areas.
      • Checking the security of storage systems.
      • Keeping devices under lock and key.
      • Not leaving papers and devices lying around.

    Sample Data Breaches in the Philippines

    • 2019: Cebuana’s marketing server was breached, and there was a mysterious case involving the DFA.
    • 2018: Wendy’s and Jollibee were asked to take preventive measures against data breaches.

    Facebook Data Breach

    • Over 500 million Facebook users’ details were published online on a website used by cybercriminals.

    How to Protect Yourself

    • Consider whether you need to share all your information with Facebook.
    • Carefully evaluate what you share on Facebook.
    • Avoid using Facebook to sign in to other websites.
    • Use unique passwords.


    Description

    Test your knowledge on the Data Privacy Act of 2012, a crucial legislation in the Philippines that safeguards personal data in various sectors. Explore the key roles, principles, and provisions outlined in this law that affects individuals and organizations alike.
