Data Privacy Act RA 10173

Created by
@PleasedPrairieDog

Questions and Answers

What is the purpose of RA No. 10173, the Data Privacy Act?

To protect the fundamental human right of privacy

Data Subject (DS) refers to an organization controlling personal information processing.

False

Personal information controller refers to a person or organization who __________ the collection, holding, processing, or use of personal information.

controls

Match the following Principles with their descriptions:

  • Proportionality = Adequate, relevant, suitable, necessary & not excessive
  • Legitimate Purpose = Compatible with the declared & specified purpose
  • Transparency = Data Subject (DS) must be aware of nature, purpose, & extent of the processing of his Personal Data by the company

Study Notes

Data Privacy Act (RA No. 10173)

Definition of Terms

  • Consent of the data subject: freely given, specific, informed indication of will
  • Data subject (DS): individual whose personal information is processed
  • Personal information controller: person or organization controlling collection, holding, processing, or use of personal information
  • Processing: any operation performed on personal information

Coverage

  • All types of personal information
  • Natural or juridical persons involved in personal information processing
  • Exclusions:
    • Government institutions and employees
    • Discretionary benefits of a financial nature
    • Journalistic, artistic, literary, or research purposes
    • Banks and other financial institutions
    • Residents of foreign jurisdictions

National Privacy Commission

  • Privacy commissioner (Chairman): enjoys benefits, privileges, and emoluments equivalent to the rank of secretary
  • Qualifications:
    • At least 35 years old
    • Good moral character
    • Recognized expert in IT and data privacy
  • Two (2) Deputy commissioners:
    • Data processing systems
    • Policies and planning

Principles

  • Proportionality: adequate, relevant, suitable, necessary, and not excessive
  • Legitimate purpose: compatible with declared and specified purpose
  • Transparency: data subject must be aware of nature, purpose, and extent of processing

Personal Information (PI)

  • Apparent, ascertained by entity, or would identify an individual
  • Criteria for lawful processing:
    • With consent
    • Related to fulfillment of a contract
    • For compliance with a legal obligation
    • To protect vital interest
    • For legitimate purposes
    • To respond to national emergency

Sensitive Personal Information (SPI)

  • Race, ethnic origin, marital status, age, color, and religious, philosophical, or political beliefs
  • Health, education, genetic or sexual life, proceedings for an offense, and issued by government agencies
  • Criteria for lawful processing:
    • With consent
    • Provided for by existing law and regulation
    • Protect life and health of data subject or another
    • Achieve lawful and non-commercial objectives of public organizations and their associations
    • For purposes of medical treatment
    • Protection of lawful rights and interest of natural or legal persons

Rights of the Data Subject

  • Informed consent
  • Complaints and damages
  • Retracted information accessible
  • Portability of data
  • Erasure
  • Access
  • Object

Security Measures

  • Safeguards
  • Security policy
  • Identifying and assessing reasonably foreseeable vulnerabilities
  • Regular monitoring

Unlawful Acts and Penalties

  • Unauthorized processing and access:
    • Imprisonment: 1-3 years (PI), 3-6 years (SPI)
    • Fine: 500,000 - 2,000,000 (PI), 500,000 - 4,000,000 (SPI)
  • Improper disposal:
    • Imprisonment: 6 months - 2 years (PI), 1-3 years (SPI)
    • Fine: 100,000 - 500,000 (PI), 100,000 - 1,000,000 (SPI)
  • Intentional breach:
    • Imprisonment: 1-3 years
    • Fine: 500,000 - 2,000,000
  • Processing of unauthorized process:
    • Imprisonment: 1-5 years (PI), 2-7 years (SPI)
    • Fine: 500,000 - 1,000,000 (PI), 500,000 - 2,000,000 (SPI)
  • Concealment or malicious:
    • Imprisonment: 1.5-5 years
    • Fine: 500,000 - 1,000,000
  • Unauthorized disclosure:
    • Imprisonment: 1-3 years (PI), 3-5 years (SPI)
    • Fine: 500,000 - 1,000,000 (PI), 500,000 - 2,000,000 (SPI)
  • Combination or series of acts:
    • Imprisonment: 3-6 years
    • Fine: 1,000,000 - 5,000,000

Description

Learn about the Data Privacy Act of 2012, a Philippine law that protects the fundamental human right of privacy in communication while ensuring the free flow of information. This quiz covers the key concepts and principles of RA No. 10173.
