Data Privacy Act (RA No. 10173) Overview

Questions and Answers

What is the primary purpose of the Data Privacy Act (RA No 10173)?

  • To promote social media usage
  • To protect individual personal information (correct)
  • To regulate the internet
  • To enhance government transparency

The Data Privacy Act applies only to the private sector.

False (B)

What does 'personal information' refer to?

Any information that can identify an individual

The Data Privacy Act created a __________ to oversee its implementation.

National Privacy Commission

Match the terms with their definitions:

  • Data Privacy Act = An act protecting individual personal information
  • Personal information = Information that identifies an individual
  • Information and Communications System = System for processing electronic data
  • National Privacy Commission = Body overseeing data privacy implementation

Which of the following is included in the definition of an Information and Communications System?

Systems for processing electronic documents (C)

The Data Privacy Act allows unrestricted access to personal information for innovation purposes.

False (B)

What is the policy of the State regarding individual privacy?

To protect the fundamental human right of privacy

What must a personal information controller do when subcontracting the processing of personal information?

Ensure proper safeguards are in place for confidentiality (C)

A personal information processor with less than 250 employees must always register, regardless of the risk level involved.

False (B)

What is the maximum number of individuals whose sensitive personal information would require a processor to register?

1,000

The personal information controller must submit a __________ summary of the reports to the Commission annually.

general

Which of the following is NOT required to be included in the registration of personal data processing?

Financial statements of the processor (B)

The Commission must always request the reports from the personal information controller.

False (B)

What should the personal information controller ensure while processing personal information?

Confidentiality and compliance with laws

What is the role of a personal information controller?

To collect and process personal information for individual purposes (A), To handle personal information on behalf of another entity (D)

The National Privacy Commission is responsible for ensuring the confidentiality of personal information.

True (A)

What does NPC stand for?

National Privacy Commission

A personal information processor is any natural or juridical person who is qualified to act under this Act to whom a personal information controller may outsource the __________ of personal data.

processing

Match the following terms with their correct definitions:

  • Personal Information Controller = Controls the collection and use of personal information
  • Personal Information Processor = Handles the processing of personal data as outsourced
  • National Privacy Commission = Independent body monitoring data protection compliance
  • Confidentiality = Ensuring personal information is kept secret and secure

Which of the following is NOT excluded from the definition of a personal information controller?

A company outsourcing data processing to another firm (D)

The NPC can refer to entities created under different acts.

False (B)

What is the primary function of the National Privacy Commission?

To administer and implement data protection laws

What is the definition of consent of the data subject?

Any freely given, specific, informed indication of will. (A)

Sensitive personal information cannot include race or political affiliation.

False (B)

What does 'processing' refer to in the context of personal information?

Any operation or set of operations performed upon personal information.

Which of the following conditions allows for the processing of personal information?

The processing is necessary for compliance with a legal obligation. (B)

Consent may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so, and can be evidenced by __________.

written, electronic or recorded means

Personal information can be processed indefinitely as long as it serves a legitimate purpose.

False (B)

What principle requires that personal information be processed fairly and lawfully?

Fair processing principle

Match the following types of information with their descriptions:

  • Sensitive Personal Information = Includes data about race and health
  • Privileged Information = Protected by laws governing communication
  • Consent = Freely given agreement for data processing
  • Processing = Operations performed on personal information

Which of the following is NOT considered sensitive personal information?

Business address (D)

Personal information must be ______ for specified and legitimate purposes.

collected

The Act applies only to legal persons involved in personal information processing.

False (B)

Match the condition of lawful processing to its description:

  • Consent = The data subject has agreed to the processing.
  • Legal obligation = Processing required by law.
  • Vital interests = Necessary to protect someone's life or health.
  • Legitimate interests = Processing necessary for the interests pursued that do not infringe on rights.

Which of the following is NOT a valid reason for processing personal information?

Random marketing decisions (B)

Name one type of information categorized under privileged information.

Communication protected by law.

Data controllers must ensure the accuracy and relevance of the personal information they process.

True (A)

The processing of personal information for performing public functions includes the activities of __________.

law enforcement and regulatory agencies

Which of the following statements regarding sensitive personal information is TRUE?

It may involve details of criminal history. (A)

What must be done with inaccurate personal data?

It must be rectified, supplemented, or destroyed.

Data must be kept in a form that permits ______ for no longer than necessary.

identification of data subjects

What principle ensures that personal information is adequate and not excessive?

Proportionality Principle (C)

Under what circumstance is the processing of sensitive personal information allowed?

When the data subject has consented to processing. (C)

Consent of the data subject is required for all instances of sensitive personal information processing.

False (B)

What should be included in the information furnished to the data subject prior to processing?

Description of the personal information, purposes of processing, scope and method, recipients, automated access methods, identity of the controller, storage period, and rights.

The processing of sensitive personal information is prohibited except in cases where _______ is obtained.

consent

Match the following scenarios with the appropriate condition for processing sensitive personal information:

  • Data subject's consent = Processing is allowed when consent is given.
  • Existing laws = Processing is allowed when provided by law.
  • Protection of life = Processing is allowed to protect life and health.
  • Public organization objectives = Processing is allowed for lawful noncommercial objectives.

Which of the following is NOT a right of the data subject?

Right to sell their information (A)

Sensitive personal information may be processed without the data subject's consent if related to public health.

True (A)

What is the obligation of the personal information controller before processing personal information?

To ensure implementation of personal information processing principles.

Personal information processing should inform the data subject about the ______ of their information.

scope

Which one of the following indicates a condition under which sensitive personal information can be processed?

If processing relates to the bona fide members of public organizations. (B)

Flashcards

Right to Privacy

The right to control access to and use of personal information.

Data Privacy Act (RA 10173)

A legal framework protecting the personal information of individuals in information and communications systems (ICS).

Information and Communications System (ICS)

A system used to generate, send, receive, store, or process electronic data messages, including computers and networks.

State Policy for Privacy Protection

The policy of the Philippine government to protect the fundamental human right to privacy while ensuring free flow of information.

Personal Information

Any information, whether recorded or not, that can reveal an individual's identity.

National Privacy Commission (NPC)

The agency responsible for enforcing the Data Privacy Act in the Philippines.

Balance of Privacy and Innovation

The goal of promoting innovation and growth while protecting personal information.

Personal Information Processing System

A system for collecting, processing, and storing personal information.

What is the National Privacy Commission (NPC)?

The National Privacy Commission (NPC) is an independent body responsible for enforcing the Data Privacy Act in the Philippines. It ensures compliance with international data protection standards and safeguards personal information.

What are the main functions of the NPC?

The NPC is responsible for administering and enforcing the Data Privacy Act, monitoring compliance, and ensuring the country adheres to international data protection standards.

What is the NPC's responsibility regarding personal information?

The NPC must keep any personal information it receives confidential. This means they cannot share it with others without a good reason.

What does 'Commission' refer to in the context of the Data Privacy Act?

The term 'Commission' refers to the National Privacy Commission, established by the Data Privacy Act (RA 10173).

What is a Personal Information Controller?

A personal information controller is someone or an organization that collects, stores, uses, processes, or shares personal information. This could be a business or a government agency.

What is a Personal Information Processor?

A personal information processor is someone or an organization that processes personal data on behalf of the controller. This could be a third-party company hired to manage data.

Who is NOT considered a Personal Information Controller?

The term excludes: a person or organization receiving instructions for data processing and individuals handling personal information for personal or household matters.

Why are these terms important in the context of the Data Privacy Act?

The Data Privacy Act (RA 10173) aims to protect personal information. It defines certain key terms, including personal information controller and processor, to ensure clear understanding and implementation.

Consent of the data subject

Any freely given, specific, informed indication of will by the data subject to allow the collection and processing of their personal information.

Processing (of personal data)

Any operation or set of operations performed on personal information, including collection, storage, retrieval, and deletion.

Data Subject

An individual whose personal information is being processed.

Sensitive Personal Information (Type 1)

Personal information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical, or political affiliation.

Sensitive Personal Information (Type 2)

Personal information about an individual's health, education, genetic or sexual life, or any legal proceedings involving them.

Sensitive Personal Information (Type 3)

Personal information issued by government agencies, including social security numbers, health records, licenses, and tax returns.

Sensitive Personal Information (Type 4)

Personal information specifically designated by the government to be kept classified.

Scope of Application (of the Act)

This Act applies to all types of personal information and to any natural or juridical person involved in processing it.

Privileged Information

Any form of data that is protected by law as privileged communication, usually involving legal or medical information.

Sensitive Personal Information (Government Employee)

Information that relates to an individual's employment with the government, including their title, address, salary, and position.

Lawful Processing of Personal Information (Section 11)

The processing of personal information should be allowed if it follows the principles of transparency, legitimate purpose, and proportionality, while abiding by the Data Privacy Act and allowing public disclosure under other laws.

Consent

The data subject (the person whose information is being processed) provides clear agreement to the processing of their information.

Fulfillment of Contract

Processing personal information is necessary to fulfill a contractual obligation between the data subject and the controller, or to take steps at the data subject's request before entering an agreement.

Compliance With Legal Obligation

The controller needs to process personal data to comply with a legal requirement, like a law or court order.

Protection of Vital Interests

The processing of personal data is essential to protect the vital interests of the data subject, such as their life or health.

National Emergency or Public Interest

The processing of personal information is necessary to respond to a national emergency, maintain public order, or fulfill the functions of a public authority, which might include the processing of personal data for fulfilling their mandate.

Legitimate Interests

The processing of personal information aligns with the legitimate interests of the controller or a third party, except when these interests conflict with fundamental rights and freedoms of the data subject requiring protection under the Philippine Constitution.

Purpose Limitation

Personal information should be collected for clearly defined and specific purposes before or shortly after collection. It should only be processed for those stated purposes later.

Fairness and Lawfulness

Personal information should be processed lawfully and fairly.

Accuracy and Relevance

Personal information should be accurate and relevant, and kept updated. If information is inaccurate or incomplete, then it must be corrected, supplemented, or destroyed.

Subcontracting Personal Information Processing

A personal information controller can delegate the processing of personal information to another party, but remains responsible for ensuring the safety and compliance of the processed information.

Exemption from Registration

Companies with less than 250 employees are exempt from registration unless their data processing poses risks, is not occasional, or involves sensitive information about many individuals.

Accountability for Information Transfer

A personal information controller is accountable for the safe and compliant transfer of personal information, even when processed by another party.

Registration Contents

This refers to the information that needs to be submitted when registering a personal information processing system.

Purpose of Information Processing

The purpose of processing needs to be stated during registration, including whether the processing is done through an outsourcing agreement.

Personal Information Controller

This refers to the individual or organization responsible for collecting, storing, and processing personal information.

Personal Information Processor

This refers to the individual or organization that processes personal information on behalf of the controller.

Annual Summary Report

Organizations are required to submit an annual summary report to the Commission about their personal information processing activities.

Right to be Informed

Data subjects have the right to know whether their information is being processed, and to access specific details about the processing.

Right to Prior Information

Before personal information is processed, data subjects must be provided with information about the type of data being processed, the purpose of processing, the methods used, and other important details.

Right to Correction

Data subjects have the right to correct any inaccurate or incomplete personal information held by the data controller.

Processing of Sensitive and Privileged Information

The processing of sensitive personal information and privileged information is generally prohibited, but exceptions are allowed for specific purposes.

Personal Information Processing Principles

The data controller must ensure that the principles of personal information processing are followed, including obtaining valid consent, limiting the processing purpose, and maintaining data security.

Safeguards for Long-Term Storage

The data controller must implement safeguards to protect personal information stored for extended periods. These safeguards ensure the information is not mishandled or compromised.

Consent for Sensitive Information

The processing of sensitive personal information can be allowed if the data subject has given their explicit consent, even if the information is privileged.

Processing for Life and Health Protection

The processing of sensitive information is permitted if it's necessary to protect the life or health of the data subject. This applies even if they can't express their consent due to circumstances.

Data Processing for Public Organizations

Public organizations can process sensitive personal information if it aligns with their lawful, non-commercial objectives and benefits their members. However, it should not be shared with outside parties.

Processing Under Legal Requirements

The processing of sensitive information can be allowed if it's required by existing laws and regulations. This requires proper safeguards to protect the data.

Study Notes

Data Privacy Act (RA No. 10173)

  • Protects individual personal information in information and communications systems in the government and private sector.
  • Creates a National Privacy Commission (NPC) for this purpose.
  • Ensures confidentiality of personal information held by the NPC.

Declaration of Policy

  • Protects the fundamental human right to privacy and communication.
  • Promotes innovation and growth by ensuring free flow of information.
  • Recognizes the crucial role of information and communications technology in nation-building.

Functions of the National Privacy Commission (NPC)

  • Administers and implements the provisions of the Act.
  • Monitors compliance with international data protection standards.
  • Ensures the confidentiality of all personal information.

Terminologies

  • Consent: Freely given, specific, informed indication of willingness to allow collection and processing of personal information.
  • Data subject: An individual whose personal information is processed.
  • Information and Communications System (ICS): System for generating, sending, receiving, storing, or processing electronic data, including procedures.
  • Personal information: Any information (recorded or not) identifying an individual, or enabling identification when combined with other information.
  • Personal information controller: Person/organization controlling collection, holding, processing, or use of personal information.
  • Personal information processor: Entity processing personal information on behalf of a controller.
  • Processing: Any operation on personal information, including collection, recording, organization, storage, updating, etc.
  • Privileged information: Information protected as privileged communication by laws/rules.

Sensitive Personal Information

  • Includes information on race, ethnicity, marital status, age, color, religious/philosophical/political affiliation.
  • Health, education, genetic/sexual life, any legal proceedings.
  • Government-issued identification, records, permits, denials, suspensions, revocations, and tax returns.
  • Any information classified by executive order or act of Congress.
  • Applies to all types of personal information processing by natural and juridical persons.
  • Includes those in the Philippines and those processing data using Philippine equipment or having an office/branch here.
  • Excludes information about government officers/employees related to their position, contracts with the government, and certain financial transactions.
  • Excludes information collected from foreign jurisdictions under their laws.

Lawful Processing of Personal Information

  • Processing allowed only if not prohibited by law.
  • Consent from the data subject.
  • Necessary for fulfilling a contract or taking steps prior to a contract.
  • Necessary for complying with a legal obligation.
  • Necessary for protecting vital interests (like life or health).
  • Necessary for responding to a national emergency or public safety issue.
  • Necessary for providing or performing a mandate based on public authority.
  • Necessary for legitimate interests of a controller or third-party, unless overridden by data subject rights.

Sensitive Personal Information and Privileged Information Processing

  • Processing prohibited unless specified conditions are met.
  • Consent from the data subject, specific to the purpose.
  • Processing permitted by existing law/regulation, with safeguards for sensitive/privileged information.
  • Necessary for protecting life/health of data subject/another person, where they can't give consent.
  • Necessary for non-commercial objectives of public organizations/associations, for members only, and with compliance with safeguards.
  • Processing for purposes of medical treatment by a licensed medical professional.
  • Required to protect lawful rights/interests of a party in court proceedings.

Rights of the Data Subject

  • Be informed if personal information is processed.
  • Receive information about the processing (description, purposes, recipients, storage period, etc.).
  • Access, correct, or request removal of personal information (if inaccurate, incomplete, outdated, etc.).
  • Lodge a complaint with the Commission.
  • Suspend, withdraw, or order the removal of personal information if found to be incomplete, inaccurate, etc.

Personal Data Breach Notification

  • Notification within 72 hours of knowledge of a breach.
  • Requires notification if sensitive information has been compromised, significantly impacting a person's identity and/or causing harm, or in cases deemed likely for these issues.
  • Includes a description of the nature, personal data involved, and measures taken.
  • Delayed notification for certain reasons, such as further investigation or restoring system integrity.

Automated Processing Operations Notification

  • Notification required for wholly or partially automated processing that significantly affects data subject rights.
  • Includes details on processing purpose, data categories, data subjects, consent forms, recipients, data storage period, processing logic, decisions based on processed data, and officer contact.
  • Decisions based on automated processing alone are prohibited without consent.

Review by the Commission

  • Reviews actions from personal information controllers/processors.
  • Reviews compliance with the Act and other data protection regulations.
  • Reviews data sharing agreements and other relevant contracts.
  • Reviews issues about whether processes sufficiently protect data subjects' rights.
  • Reviews the implementation of the Act, rules, and other related issuances.

Accountability for Transfer of Personal Information

  • Controller is responsible for transferring personal information.
  • Must take measures to protect information transferred to third parties.
  • Should designate an individual/individuals to ensure compliance with the Act.

Registration of Personal Data Processing Systems

  • Registration requirements for systems using personal information.
  • Applies to systems of organizations with more than 250 employees, or those with high-risk processing.
  • Includes details on purpose of use, data categories, and recipients.
