Data Privacy in the Philippines

Questions and Answers

What is considered sensitive personal information related to an individual's background?

Credit score and financial history

Employment history and income level

Social media activity and preferences

Race, ethnic origin, and marital status (correct)

Which of the following is NOT classified as sensitive personal information?

Genetic information about an individual

An individual’s political affiliation

Employment recommendations from previous employers (correct)

Health records issued by government agencies

Under what condition do the Act and Rules apply to personal data processing outside of the Philippines?

If the data processor is a government agency

If it involves international data transfer regulations

If the data subject is a resident of another country

If the processing relates to a Philippine citizen or resident (correct)

What must a government agency require from a private service provider when accessing sensitive personal information of over a thousand individuals?

Registration of their personal data processing system

What is necessary for a data sharing agreement between agencies?

Review by the Commission for compliance

What happens before any request for off-site or online access is approved?

Implementation of security requirements must occur

Which of the following is NOT included in sensitive personal information outlined in the content?

Income level

What is the purpose of the executive order regarding sensitive personal information?

To establish a legal framework for sensitive data retention and access

What is the maximum imprisonment penalty for unauthorized processing of personal information?

Six years

Which penalty applies to unauthorized processing of sensitive personal information?

Imprisonment of three to six years and a fine of Php500,000 to Php4,000,000

What penalty is imposed for negligence in accessing personal information without authorization?

Imprisonment from one to three years and a fine of Php500,000 to Php2,000,000

What is the minimum fine imposed for improper disposal of sensitive personal information?

Php500,000

If a person processes personal information without the consent of the data subject, which punishment could they face?

Imprisonment of one to three years and a fine of Php500,000 to Php2,000,000

What rights does a data subject have regarding their personal data processing?

Right to be notified about data processing.

What must the personal information controller provide to the data subject?

Purpose for processing their personal data.

Which of the following describes the right to object for a data subject?

The option to refuse processing under specific circumstances.

Which of these aspects is NOT a part of the right to be informed?

Legal background of the information controller.

What is a requirement for notifying a data subject before processing their data?

Description of the methods utilized for automated access.

Which of the following reflects a right related to automated decision-making?

Right to be informed about automated decision-making processes.

What must a data subject be informed about, concerning the processing of their data?

The period for which their personal data will be stored.

What is included in the information that must be provided to data subjects before processing their data?

The scope and method of personal data processing.

What is the minimum imprisonment penalty for someone who unlawfully breaks into a system storing personal information?

One year

What is the maximum fine that can be imposed for concealing a security breach involving sensitive personal information?

Php1,000,000.00

For malicious disclosure of personal information, what is the range of imprisonment that can be imposed?

One year and six months to five years

What is the minimum imprisonment sentence for a personal information controller who discloses sensitive personal information without consent?

Three years

What is required for a personal information controller to legally disclose personal information to a third party?

Written consent of the data subject

What penalty is imposed on a corporation if an offense is committed due to gross negligence?

Suspension of rights

What is the penalty for a person who conceals a security breach of which they have knowledge?

Imprisonment of one year and six months to five years

What is the fine range for a person who unlawfully discloses personal information without consent?

Php500,000.00 to Php1,000,000.00

What is the penalty for an alien found guilty of a related offense?

Immediate deportation

Which of the following actions triggers a penalty of imprisonment and a fine as described?

Disclosing false information with malice

What is the impact of committing an offense involving personal data of at least 100 persons?

Maximum penalty applies

What happens to a public official found guilty of offenses under Sections 54 and 55?

Permanent disqualification from office

Which entity is responsible for imposing penalties on violations related to data confidentiality?

The Commission

What is the maximum fine for a combination of acts defined in Sections 52 to 59?

Php5,000,000.00

What accessory penalty does a public officer face when committing an offense in the course of his duties?

Double term disqualification

Which of the following statements about the penalties for offenses against personal data protection is correct?

Penalties can include both imprisonment and hefty fines.

Study Notes

Sensitive Personal Information

• Includes racial/ethnic origin, marital status, age, color, religious/philosophical/political affiliations.
• Covers health, education, genetic or sexual life; legal proceedings or sentences.
• Government-issued data like social security numbers, health records, licenses (including denials/revocations), tax returns.
• Information classified via executive order or Congressional act.

Scope of Application

• Act and rules apply to all natural and juridical persons (government or private) processing personal data.
• Applies to acts/practices inside or outside Philippines if:
  • The processor is located in the Philippines.
  • The data relates to a Filipino citizen or resident.

Security Requirements Implementation

• Security requirements must be implemented before any off-site or online access is approved.
• Data sharing agreements between agencies are subject to Commission review (initiative or complaint).

Applicability to Government Contractors

• Government agencies contracting private providers (accessing sensitive info from ≥1000 individuals) must require provider registration with the Commission.
• Providers must comply with all Act and Rule provisions, like government agencies and their employees.

Rights of Data Subjects

• Right to be informed: Data subjects have the right to know if their data is being processed (including automated decisions/profiling). Notification includes:
  • Description of data.
  • Processing purposes (marketing, profiling, etc.).
  • Processing basis (if not consent).
  • Processing scope and method.
  • Recipients of the data.
  • Automated access methods (if applicable).
  • Data controller's identity and contact.
  • Data storage period.
  • Data subject rights (access, correction, objection, complaint filing).
• Right to object.

Penalties for Unauthorized Processing

• Unauthorized processing of personal information: 1–3 years imprisonment, ₱500,000–₱2,000,000 fine.
• Unauthorized processing of sensitive personal information: 3–6 years imprisonment, ₱500,000–₱4,000,000 fine.
• Negligent access to personal information: 1–3 years imprisonment, ₱500,000–₱2,000,000 fine.
• Negligent access to sensitive personal information: 3–6 years imprisonment, ₱500,000–₱4,000,000 fine.
• Improper disposal of personal/sensitive information (knowingly unlawful or violating data confidentiality/system security): 1–3 years imprisonment, ₱500,000–₱2,000,000 fine.
• Concealment of security breaches (sensitive personal information): 1.5–5 years imprisonment, ₱500,000–₱1,000,000 fine.
• Malicious disclosure of unwarranted/false information: 1.5–5 years imprisonment, ₱500,000–₱1,000,000 fine.
• Unauthorized disclosure of personal information (not covered by malicious disclosure): 1–3 years imprisonment, ₱500,000–₱1,000,000 fine.
• Unauthorized disclosure of sensitive personal information (not covered by malicious disclosure): 3–5 years imprisonment, ₱500,000–₱2,000,000 fine.
• Combination/series of offenses: 3–6 years imprisonment, ₱1,000,000–₱5,000,000 fine.

Extent of Liability

• For corporations/juridical persons, penalties apply to responsible participating officers or those who allowed the crime through gross negligence.
• Courts may suspend or revoke rights under the Act.
• Alien offenders will be deported after serving their sentences.
• Public officials/employees guilty of offenses in Sections 54 and 55 face perpetual/temporary disqualification.

Large-Scale Offenses

• Maximum penalties apply if ≥100 persons are harmed/affected.

Offense Committed by Public Officer

• Public officers (as defined in the Administrative Code of 1987) committing offenses while on duty face an additional disqualification from public office, double the criminal penalty's term.

Restitution

• Note: The provided text cuts off here, preventing the inclusion of information regarding restitution.

Description

This quiz covers the regulations surrounding sensitive personal information and data privacy in the Philippines. It includes the application scope, security requirements, and the obligations of both government and private entities. Test your knowledge on how these laws affect data processing and handling.