Data Privacy Act (RA No. 10173) Overview
53 Questions

Questions and Answers

What is the primary purpose of the Data Privacy Act (RA No. 10173)?

  • To promote social media usage
  • To protect individual personal information (correct)
  • To regulate the internet
  • To enhance government transparency

    The Data Privacy Act applies only to the private sector.

    False (B)

    What does 'personal information' refer to?

    Any information that can identify an individual

    The Data Privacy Act created a __________ to oversee its implementation.

    National Privacy Commission

    Match the terms with their definitions:

    • Data Privacy Act = An act protecting individual personal information
    • Personal information = Information that identifies an individual
    • Information and Communications System = System for processing electronic data
    • National Privacy Commission = Body overseeing data privacy implementation

    Which of the following is included in the definition of an Information and Communications System?

    Systems for processing electronic documents (C)

    The Data Privacy Act allows unrestricted access to personal information for innovation purposes.

    False (B)

    What is the policy of the State regarding individual privacy?

    To protect the fundamental human right of privacy

    What must a personal information controller do when subcontracting the processing of personal information?

    Ensure proper safeguards are in place for confidentiality (C)

    A personal information processor with less than 250 employees must always register, regardless of the risk level involved.

    False (B)

    What is the maximum number of individuals whose sensitive personal information would require a processor to register?

    1,000

    The personal information controller must submit a __________ summary of the reports to the Commission annually.

    general

    Which of the following is NOT required to be included in the registration of personal data processing?

    Financial statements of the processor (B)

    The Commission must always request the reports from the personal information controller.

    False (B)

    What should the personal information controller ensure while processing personal information?

    Confidentiality and compliance with laws

    What is the role of a personal information controller?

    To collect and process personal information for individual purposes (A), To handle personal information on behalf of another entity (D)

    The National Privacy Commission is responsible for ensuring the confidentiality of personal information.

    True (A)

    What does NPC stand for?

    National Privacy Commission

    A personal information processor is any natural or juridical person who is qualified to act under this Act to whom a personal information controller may outsource the __________ of personal data.

    processing

    Match the following terms with their correct definitions:

    • Personal Information Controller = Controls the collection and use of personal information
    • Personal Information Processor = Handles the processing of personal data as outsourced
    • National Privacy Commission = Independent body monitoring data protection compliance
    • Confidentiality = Ensuring personal information is kept secret and secure

    Which of the following is NOT excluded from the definition of a personal information controller?

    A company outsourcing data processing to another firm (D)

    The NPC can refer to entities created under different acts.

    False (B)

    What is the primary function of the National Privacy Commission?

    To administer and implement data protection laws

    What is the definition of consent of the data subject?

    Any freely given, specific, informed indication of will. (A)

    Sensitive personal information cannot include race or political affiliation.

    False (B)

    What does 'processing' refer to in the context of personal information?

    Any operation or set of operations performed upon personal information.

    Which of the following conditions allows for the processing of personal information?

    The processing is necessary for compliance with a legal obligation. (B)

    Consent may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so, and can be evidenced by __________.

    written, electronic or recorded means

    Personal information can be processed indefinitely as long as it serves a legitimate purpose.

    False (B)

    What principle requires that personal information be processed fairly and lawfully?

    Fair processing principle

    Match the following types of information with their descriptions:

    • Sensitive Personal Information = Includes data about race and health
    • Privileged Information = Protected by laws governing communication
    • Consent = Freely given agreement for data processing
    • Processing = Operations performed on personal information

    Which of the following is NOT considered sensitive personal information?

    Business address (D)

    Personal information must be ______ for specified and legitimate purposes.

    collected

    The Act applies only to legal persons involved in personal information processing.

    False (B)

    Match the condition of lawful processing to its description:

    • Consent = The data subject has agreed to the processing.
    • Legal obligation = Processing required by law.
    • Vital interests = Necessary to protect someone's life or health.
    • Legitimate interests = Processing necessary for the interests pursued that do not infringe on rights.

    Which of the following is NOT a valid reason for processing personal information?

    Random marketing decisions (B)

    Name one type of information categorized under privileged information.

    Communication protected by law.

    Data controllers must ensure the accuracy and relevance of the personal information they process.

    True (A)

    The processing of personal information for performing public functions includes the activities of __________.

    law enforcement and regulatory agencies

    Which of the following statements regarding sensitive personal information is TRUE?

    It may involve details of criminal history. (A)

    What must be done with inaccurate personal data?

    It must be rectified, supplemented, or destroyed.

    Data must be kept in a form that permits ______ for no longer than necessary.

    identification of data subjects

    What principle ensures that personal information is adequate and not excessive?

    Proportionality Principle (C)

    Under what circumstance is the processing of sensitive personal information allowed?

    When the data subject has consented to processing. (C)

    Consent of the data subject is required for all instances of sensitive personal information processing.

    False (B)

    What should be included in the information furnished to the data subject prior to processing?

    Description of the personal information, purposes of processing, scope and method, recipients, automated access methods, identity of the controller, storage period, and rights.

    The processing of sensitive personal information is prohibited except in cases where _______ is obtained.

    consent

    Match the following scenarios with the appropriate condition for processing sensitive personal information:

    • Data subject's consent = Processing is allowed when consent is given.
    • Existing laws = Processing is allowed when provided by law.
    • Protection of life = Processing is allowed to protect life and health.
    • Public organization objectives = Processing is allowed for lawful noncommercial objectives.

    Which of the following is NOT a right of the data subject?

    Right to sell their information (A)

    Sensitive personal information may be processed without the data subject's consent if related to public health.

    True (A)

    What is the obligation of the personal information controller before processing personal information?

    To ensure implementation of personal information processing principles.

    Personal information processing should inform the data subject about the ______ of their information.

    scope

    Which one of the following indicates a condition under which sensitive personal information can be processed?

    If processing relates to the bona fide members of public organizations. (B)

    Study Notes

    Data Privacy Act (RA No. 10173)

    • Protects individual personal information in information and communications systems in the government and private sector.
    • Creates a National Privacy Commission (NPC) for this purpose.
    • Ensures confidentiality of personal information held by the NPC.

    Declaration of Policy

    • Protects the fundamental human right to privacy and communication.
    • Promotes innovation and growth by ensuring free flow of information.
    • Recognizes the crucial role of information and communications technology in nation-building.

    Functions of the National Privacy Commission (NPC)

    • Administers and implements the provisions of the Act.
    • Monitors compliance with international data protection standards.
    • Ensures the confidentiality of all personal information.

    Terminologies

    • Consent: Freely given, specific, informed indication of willingness to allow collection and processing of personal information.
    • Data subject: An individual whose personal information is processed.
    • Information and Communications System (ICS): System for generating, sending, receiving, storing, or processing electronic data, including procedures.
    • Personal information: Any information (recorded or not) identifying an individual, or enabling identification when combined with other information.
    • Personal information controller: Person/organization controlling collection, holding, processing, or use of personal information.
    • Personal information processor: Entity processing personal information on behalf of a controller.
    • Processing: Any operation on personal information, including collection, recording, organization, storage, updating, etc.
    • Privileged information: Information protected as privileged communication by laws/rules.

    Sensitive Personal Information

    • Includes information on race, ethnicity, marital status, age, color, religious/philosophical/political affiliation.
    • Health, education, genetic/sexual life, any legal proceedings.
    • Government-issued identification, records, permits, denials, suspensions, revocations, and tax returns.
    • Any information classified by executive order or act of Congress.
    • Applies to all types of personal information processing by natural and juridical persons.
    • Includes those in the Philippines and those processing data using Philippine equipment or having an office/branch here.
    • Excludes information about government officers/employees related to their position, contracts with the government, and certain financial transactions.
    • Excludes information collected from foreign jurisdictions under their laws.

    Lawful Processing of Personal Information

    • Processing allowed only if not prohibited by law.
    • Consent from the data subject.
    • Necessary for fulfilling a contract or taking steps prior to a contract.
    • Necessary for complying with a legal obligation.
    • Necessary for protecting vital interests (like life or health).
    • Necessary for responding to a national emergency or public safety issue.
    • Necessary for providing or performing a mandate based on public authority.
    • Necessary for legitimate interests of a controller or third-party, unless overridden by data subject rights.

    Sensitive Personal Information and Privileged Information Processing

    • Processing prohibited unless specified conditions are met.
    • Consent from the data subject, specific to the purpose.
    • Processing permitted by existing law/regulation, with safeguards for sensitive/privileged information.
    • Necessary for protecting life/health of data subject/another person, where they can't give consent.
    • Necessary for non-commercial objectives of public organizations/associations, for members only, and with compliance with safeguards.
    • Processing for purposes of medical treatment by a licensed medical professional.
    • Required to protect lawful rights/interests of a party in court proceedings.

    Rights of the Data Subject

    • Be informed if personal information is processed.
    • Receive information about the processing (description, purposes, recipients, storage period, etc.).
    • Access, correct, or request removal of personal information (if inaccurate, incomplete, outdated, etc.).
    • Lodge a complaint with the Commission.
    • Suspend, withdraw, or order the removal of personal information if found to be incomplete, inaccurate, etc.

    Personal Data Breach Notification

    • Notification within 72 hours of knowledge of a breach.
    • Requires notification if sensitive information has been compromised, significantly impacting a person's identity and/or causing harm, or in cases deemed likely for these issues.
    • Includes a description of the nature, personal data involved, and measures taken.
    • Delayed notification for certain reasons, such as further investigation or restoring system integrity.

    Automated Processing Operations Notification

    • Notification required for wholly or partially automated processing that significantly affects data subject rights.
    • Includes details on processing purpose, data categories, data subjects, consent forms, recipients, data storage period, processing logic, decisions based on processed data, and officer contact.
    • Decisions based on automated processing alone are prohibited without consent.

    Review by the Commission

    • Reviews actions from personal information controllers/processors.
    • Reviews compliance with the Act and other data protection regulations.
    • Reviews data sharing agreements and other relevant contracts.
    • Reviews issues about whether processes sufficiently protect data subjects' rights.
    • Reviews the implementation of the Act, rules, and other related issuances.

    Accountability for Transfer of Personal Information

    • Controller is responsible for transferring personal information.
    • Must take measures to protect information transferred to third parties.
    • Should designate an individual/individuals to ensure compliance with the Act.

    Registration of Personal Data Processing Systems

    • Registration requirements for systems using personal information.
    • Applies to systems of organizations with more than 250 employees, or those with high-risk processing.
    • Includes details on purpose of use, data categories, and recipients.


    Description

    Explore the key features of the Data Privacy Act (RA No. 10173), which safeguards individual personal information within both government and private sectors. Learn about the establishment of the National Privacy Commission and its essential functions in maintaining data confidentiality and compliance with international standards.
