Questions and Answers
What is the definition of a filing system?
- A method for automatically processing data.
- A record-keeping method without organization.
- A collection of information structured for easy access. (correct)
- A system for generating electronic documents.
Which of the following best describes personal data?
- Information used exclusively for marketing purposes.
- Information collected about organizations and their activities.
- All types of personal information relating to an individual. (correct)
- Any information that pertains to data processing.
What occurs during a personal data breach?
- The unauthorized marketing of personal data.
- Accidental loss or unauthorized access to personal data. (correct)
- The lawful alteration of personal information.
- The encryption of sensitive personal data.
Which of the following is NOT a function of a personal information controller?
What is included in an information and communications system?
What characterizes personal information?
Which statement about personal information controllers is true?
What is the primary role of an information and communications system?
What does the term "personal information processor" refer to?
Which of the following activities is considered 'processing' of personal data?
What does 'profiling' consist of?
Which of the following describes 'privileged information'?
What is a 'security incident'?
What constitutes sensitive personal information?
Who is classified as a 'public authority'?
Which of the following is NOT an element of 'processing'?
What principle requires that the processing of personal data should not exceed what is necessary for the specified purpose?
Which of the following is NOT a requirement for the processing of personal data under the legislation?
What must a data subject be informed about according to the principle of transparency?
For what reasons can consent for the processing of personal data be withdrawn?
What is the primary purpose of requiring consent prior to data collection?
Which of the following best describes the principle of legitimate purpose?
What does the principle of transparency primarily emphasize?
Under what condition is data processing considered permissible?
What type of issued information is primarily referenced?
In which scenario does the Act apply to entities not established in the Philippines?
Which of the following is NOT a condition for the Act's applicability?
What is the significance of 'comity' in the context of the Act?
Which situation would likely NOT necessitate the collection of restricted information?
What type of entities does the Act explicitly apply to?
Which of the following statements is true regarding the special cases mentioned in the Act?
How is personal data processing defined in the context of the Act?
What is the primary obligation of employees, agents, or representatives who have access to personal data?
Which of the following is NOT part of the processing of personal data procedures?
What must personal information controllers ensure through contractual agreements?
What is a key training component for employees who process personal data?
What type of timeline must be established for personal data retention?
What responsibility do data subjects have under the processing of personal data?
Which procedure is focused specifically on obtaining consent for data processing?
What is a necessary component of managing human resources in relation to personal data?
What is required of a personal information controller when subcontracting the processing of personal data?
What must be included in the contract governing the processing of personal data?
Which of the following is NOT a requirement for a personal information processor as per the outlined agreements?
What must be ensured to prevent unauthorized use of personal data when subcontracting?
What type of document must the agreement for outsourcing be governed by?
What is a key responsibility of the personal information processor regarding confidentiality?
What is the purpose of ensuring safeguards during personal data processing?
In what circumstance can personal data be transferred internationally without documented instructions?
Flashcards
Filing System
A structured collection of information about individuals or groups, making specific information easily retrievable, even without automatic processing.
Information and Communications System
A system for creating, sending, receiving, storing, or processing electronic data/documents (e.g., email, computer systems).
Personal Data
Any type of information that identifies an individual.
Personal Data Breach
Personal Information
Personal Information Controller
Personal information processor
Processing (of personal data)
Profiling
Privileged information
Public authority
Security incident
Sensitive personal information
Data Privacy Principles
Transparency (data processing)
Legitimate Purpose (data processing)
Scope of Data Protection Act
Proportionality (data processing)
Exceptions to Data Protection Act
Data Protection in Philippines
Personal Data Collection Purpose
Exempt Personal Data
Consent (data collection)
International Application
Personal Data Privacy
Data Controller
Personal Data Protection
Employee Confidentiality
Consent for Data Collection
Data Minimization
Security Incident Procedures
Data Subject Rights
Data Retention Schedule
Contracts with Data Processors
Personal Data Subcontracting
Outsourcing Contract
Processing Instructions
Confidentiality Obligations
Security Measures
Annual Reports
Breach Notification
Subcontract of Personal Data
Study Notes
Implementing Rules and Regulations of Republic Act No. 10173
- Pursuant to the Data Privacy Act of 2012, the National Privacy Commission implemented these rules and regulations.
- The rules and regulations ensure compliance with international data protection standards.
Rule I. Preliminary Provisions
- Title: Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data Privacy Act of 2012”, or the “Rules”.
- Policy: The Rules further enforce the Data Privacy Act and adopt international principles and standards for personal data protection, protecting the fundamental human right to privacy while promoting the free flow of information for growth.
- Definitions:
  - Act: Republic Act No. 10173, the Data Privacy Act of 2012
  - Commission: National Privacy Commission
  - Consent of the data subject: freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal, sensitive personal, or privileged information
  - Data subject: individual whose personal, sensitive personal, or privileged information is processed
  - Data Processing Systems: the structure and procedure for collecting and processing personal data
  - Data sharing: disclosure or transfer of data to a third party by an information controller or personal information processor
  - Direct marketing: communication by any means of advertising or marketing materials to particular individuals
  - Filing system: an organized system for information relating to individuals that is not automated
  - Information and communications system: system for generating, sending, receiving, storing, or otherwise processing electronic data or documents
  - Personal data: all types of personal information
  - Personal data breach: compromise of security leading to destruction, loss, alteration, unauthorized disclosure, or access of personal data
  - Personal information: any information identifying an individual
Rule II. Scope of Application
- Scope: Applies to all natural and juridical persons processing data in the government or private sector. Includes acts in or outside the Philippines.
- Special cases: Certain information processing in the public interest is exempt, e.g., public access to information.
Rule III. National Privacy Commission
- Mandate: To administer and implement the Act and monitor compliance with international data protection standards.
- Functions: Rule making, reviewing existing rules, and promoting compliance by government agencies.
- Advisory: Provides advice and guidance on data privacy matters.
Rule IV. Data Privacy Principles
- General Principles: Processing of personal data adheres to transparency, legitimate purpose, and proportionality.
- Transparency: Data subjects are aware of the nature, purpose, and risks of the data processing.
- Legitimate Purpose: Processing must be compatible with a stated purpose. The purpose must be legitimate, and not contrary to law, morals, or public policy.
- Proportionality: Data processing must be adequate, relevant, and necessary for its stated purpose, and not excessive.
Rule V. Lawful Processing of Personal Data
- Criteria for Lawful Processing: Processing of personal information requires one of the following:
  - Data Subject Consent;
  - Contractual Obligations;
  - Legal Obligations;
  - Vital Interests;
  - National Emergency;
  - Constitutional/Statutory Mandate
Rule VI. Security Measures for the Protection of Personal Data
- Data Privacy and Security: Personal information controllers and processors must implement reasonable and appropriate organizational, physical, and technical security measures.
Rule VII. Security of Sensitive Personal Information in Government
- Responsibility of Heads of Agencies: Heads of government agencies are responsible for securing sensitive personal information with the appropriate standards.
Rule VIII. Rights of Data Subjects
- Right to be Informed: Data subjects must be informed about their personal data being processed.
- Right to Access: Data subjects have the right to obtain a copy of their personal data.
- Right to Rectify: Data subjects can correct inaccuracies in their personal data.
- Right to Erasure: Data subjects can request erasure of their personal data under certain conditions.
Rule IX. Data Breach Notification
- Data Breach Notification: Personal information controllers must notify the Commission and data subjects of a data breach within 72 hours.
Rule X. Outsourcing and Subcontracting Agreements
- Subcontract of Personal Data: A personal information controller can outsource data processing but must ensure adequate safeguards.
- Agreements for Outsourcing: Contracts or legal documents govern data processing by third parties.
Rule XI. Registration and Compliance Requirements
- Registration of Personal Data Processing Systems: Systems processing data for at least one thousand individuals must be registered.
Rule XII. Rules on Accountability
- Accountability for Transfer of Personal Data: Personal information controllers are responsible for personal data, even if it is outsourced.
Rule XIII. Penalties
- Unauthorized Processing of Personal Information: Penalties for unauthorized processing range from imprisonment to a fine.
Rule XIV. Miscellaneous Provisions
Other Rules
- Appeal: Appeals from Commission decisions can be made to courts.
- Period for Compliance: Time periods for compliance with the rules are stipulated.
- Appropriations Clause: Funding for the Commission is ensured.
- Interpretation: Any ambiguities in the rules will be resolved liberally to protect the rights of individuals.
- Separability: Invalid provisions won't affect other valid provisions.