Data Privacy Act RA 10173

Questions and Answers

Which of the following best describes the focus of data privacy?

• Governing the collection, storage, management, and sharing of data, especially concerning individual rights. (correct)
• Protecting data from malicious attacks and exploitation.
• Implementing security standards to protect data.
• Preventing unauthorized access, alteration, and deletion of data by third parties.

A company is implementing measures to prevent unauthorized access and data alteration. Which concept does this primarily address?

• Republic Act 10173 compliance
• Data security (correct)
• Data privacy
• Personal information processing

What is the main purpose of Republic Act 10173, also known as the Data Privacy Act of 2012?

• To define the rights of individuals regarding access to government data.
• To regulate data security standards for organizations.
• To establish guidelines for processing operational data within companies.
• To protect all forms of information, whether private, personal, or sensitive, for both natural and juridical persons. (correct)

According to Sec. 3(j) of the Data Privacy Act, which activity is considered 'processing' of personal information?

Any operation performed upon personal information, including collection, storage, and erasure. (A)

Under RA 10173, what does the 'Right to be Informed' primarily ensure for individuals?

The right to dictate who can access their personal information and how it is used. (A)

An individual requests to know what personal data an organization holds about them. Which right are they exercising?

The Right to Access (C)

If an individual objects to the processing of their personal data, what action should the Personal Information Controller (PIC) take, according to the Data Privacy Act?

Immediately cease processing the personal data, unless processing is required by law. (C)

Which right allows an individual to request the removal of their personal data from an organization's records?

The Right to Erasure or Blocking (A)

An individual suffers financial loss due to a company's unlawful use of their personal data. Which right allows them to seek compensation?

The Right to Damages (A)

If an individual believes their personal data has been misused, to which organization can they file a complaint under RA 10173?

The National Privacy Commission (B)

A company has an incorrect address for a customer. Which right allows the customer to request a correction?

The Right to Rectify (C)

Which right enables an individual to transfer their contact list from one phone to another using cloud services?

The Right to Data Portability (B)

Under what circumstance might the rights to data portability and transmissibility be limited?

When the data is used for scientific research kept confidential. (C)

Which of the following actions aligns with the principles of data privacy?

Ensuring individuals have control over how their personal information is used and shared. (A)

A company experiences a data breach, leading to unauthorized access to customer data. Which aspect of data protection has been compromised?

Data security (A)

A customer withdraws consent for a company to send marketing emails, but the company continues sending them because it is required by a service contract. Is this permissible under the Data Privacy Act?

Yes, the company can continue as required by a contract. (A)

A company routinely backs up customer data to prevent data loss. Which aspect of data processing does this represent?

Storage (B)

A hospital restricts access to patient records to only authorized personnel. Which principle of data handling does this exemplify?

Data security (D)

An online retailer allows customers to easily download their purchase history. Which right under RA 10173 does this support?

The Right to Access (B)

A research institution uses anonymized patient data for a clinical trial. Which of the following best describes their obligation under the Data Privacy Act?

They are still subject to minimal restrictions ensuring data is confidential and used appropriately. (D)

A social media platform updates its privacy policy. Which right under RA 10173 requires them to inform their users about these changes?

The Right to be Informed (D)

A bank uses customer data to improve its customer service. This falls under which aspect of the right to access?

Reasonable access to how the data is being used (D)

When can a company continue sending marketing emails to a customer even after they have withdrawn their consent?

If required by a contract, like service updates (B)

What is the primary responsibility of the Personal Information Controller (PIC) when an individual objects to the processing of their personal data?

To no longer process the personal data (C)

Which of the following scenarios best exemplifies the Right to Erasure or Blocking?

Asking an organization to delete all personal data they hold about you (A)

In what situation is an individual entitled to seek compensation under the Right to Damages?

If their personal data was used unlawfully, causing harm (A)

Which situation would justify an individual filing a complaint with the National Privacy Commission?

Believing their personal data was disclosed improperly (B)

When can the rights to data portability and transmissibility be restricted, even if the data is kept confidential?

When the data is used for research or criminal investigations (B)

How does the Data Privacy Act treat an individual's control over their personal data?

Similar to control over personal property (C)

Which of the following is a primary focus of data security measures?

Protecting data from malicious attacks (A)

What is a key difference between data privacy and data security?

Data privacy emphasizes how data is collected and shared, while data security emphasizes protecting data. (D)

Which scenario violates the Right to be Informed under RA 10173?

A company doesn’t notify users of data policy changes. (C)

Which right is a customer exercising when they ask what personal data a company holds about them?

Right To Access (A)

Under the Right to Rectify, what action can an individual take?

Dispute inaccuracy and correct them (A)

Which action best demonstrates the Right to Data Portability?

Moving your contact list using cloud services (D)

Why might the rights to data portability and transmissibility be limited for scientific research?

When stored confidentially and for the proper purpose. (A)

A company is no longer allowed to process personal data. What right does this correlate with?

Right to Object (D)

What does Section 3(j) of the Data Privacy Act define?

Defines processing data (C)

Flashcards

Data privacy

Focuses on how data should be handled, managed, and shared, emphasizing individual rights regarding personal information.

Data Security

Involves standards to protect data from unauthorized access, alteration, and deletion, preventing the exploitation of stolen data.

Republic Act 10173

A Philippine law protecting all forms of information, be it private, personal, or sensitive, covering both natural and juridical persons.

Processing of Personal Information

Any action on personal data, including collection, recording, storage, updating, retrieval, use, or destruction.

Right to be Informed

Entitles individuals to decide how their data is accessed, used, and request changes or deletions.

Right to Access

Allows individuals to find out if an organization holds personal data about them and gain reasonable access to it.

Right to Object

Enables individuals to prevent the processing of their personal data under certain conditions.

Right to Erasure or Blocking

Allows individuals to suspend, withdraw, or request the blocking, removal, or destruction of their personal data.

Right to Damages

Enables individuals to seek compensation if their data was incorrect, incomplete, outdated, or unlawfully used.

Right to File a Complaint

Allows individuals to file a complaint with the National Privacy Commission if their data is misused or their privacy rights are violated.

Right to Rectify

Provides the right to correct inaccuracies or errors in the personal data held by an organization.

Right to Data Portability

Gives individuals full control to move, copy, or transfer their personal data to other services or organizations.

Study Notes

• Data privacy is focused on how data is collected, stored, managed, and shared, emphasizing individual rights regarding personal information and lawful data handling.
• Data security involves organizational standards to protect data and prevent unauthorized access, alteration, and deletion, focusing on safeguarding data from malicious attacks and exploitation.
• Republic Act 10173, the Data Privacy Act of 2012, seeks to protect all forms of information, whether private, personal, or sensitive, for both natural and juridical persons involved in processing it.
• Processing of personal information includes any operation on personal data, such as collection, recording, organizing, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction.

Rights under RA 10173

• The right to be informed entails that personal data is treated like personal property, allowing you to decide who accesses it, how it's used, and to request changes or deletions.
• The right to access allows you to determine if an organization holds your personal data and to gain reasonable access to it.
• The right to object means the Personal Information Controller (PIC) should stop processing personal data once consent is withheld, unless required by subpoena or for obvious purposes.
• The right to erasure or blocking allows you to suspend, withdraw, or order the blocking, removal, or destruction of your personal data.
• The right to damages grants you the ability to seek compensation if your personal data is incorrect, incomplete, outdated, or used unlawfully, violating your rights as a data subject.
• The right to file a complaint with the National Privacy Commission (NPC) arises if personal data is misused, improperly disclosed, or privacy rights are violated.
• The right to rectify is the ability to dispute and correct any inaccuracy or error in the data a personal information controller (PIC) holds about you.
• The right to data portability gives you full control over your personal data, enabling secure movement, copying, or transfer to other services or organizations as needed.
• Limitations of rights include that data portability and transmissibility rights don't apply to personal data used for scientific research or criminal investigations if kept confidential and used for the intended purpose, with minimal restrictions.