Understanding the Data Privacy Act of 2012

Questions and Answers

The Data Privacy Act is also known as Republic Act No. __________.

10173

What is the policy of the State regarding data privacy?

To protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth.

Who is considered a data subject?

An individual whose personal information is processed

What is consent of the data subject?

Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Signup and view all the answers

Personal information refers to any information whether recorded in a material form or not, from which the __________ of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.

identity Signup and view all the answers

What is sensitive personal information?

Information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations, etc. Signup and view all the answers

The processing of sensitive personal information is, in general, allowed.

False Signup and view all the answers

What is the applicability of the Data Privacy Act?

The Data Privacy Act applies to all natural and juridical persons involved in personal information processing, including those who use equipment located in the Philippines, or those who maintain an office, branch, or agency in the Philippines. Signup and view all the answers

What is not applicable to the Data Privacy Act?

All of the above Signup and view all the answers

What is the general rule on processing of personal information?

Personal information may be processed unless prohibited by law, while sensitive personal information may be processed only if permitted by law. Signup and view all the answers

The processing of personal information is necessary to protect the __________ of the data subject or another person.

life and health Signup and view all the answers

What is the general rule on processing of sensitive personal information?

The processing of sensitive personal information is prohibited unless permitted by law. Signup and view all the answers

What are the three principles to adhere to according to the Data Privacy Act (DPA)?

Transparency, Legitimate Purpose, Proportionality Signup and view all the answers

What are some of the general principles to adhere to in the collection, processing, and retention of personal data?

Collection for a declared purpose, fair and lawful processing, ensuring data quality, limited retention, and having safeguards for further processing. Signup and view all the answers

The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise ________.

unreasonable Signup and view all the answers

Unauthorized processing of personal information and sensitive personal information is allowed under the Data Privacy Act.

False Signup and view all the answers

Study Notes

Data Privacy Act (R.A. No. 10173)

The policy of the State is to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth.
The Act aims to ensure that personal information in information and communications systems in the government and private sector are secured and protected.

Key Concepts

Data Subject: An individual whose personal information is processed.
Consent of the Data Subject: Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about him/her.
Personal Information: Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained.
Sensitive (Personal) Information: Information about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations, etc.

Application of the Data Privacy Act

The Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing.
The Act is applicable to any act done or practice engaged in and outside of the Philippines by an entity if:
- The act, practice, or processing relates to personal information about a Philippine citizen or a resident.
- The entity has a link with the Philippines.

Non-Applicability of the Data Privacy Act

The Act does not apply to:
- Information about any individual who is or was an officer or employee of a government institution that relates to his official position or functions.
- Information about an individual who is or was performing service under contract for a government institution that relates to the services performed.
- Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual.
- Personal information processed for journalistic, artistic, literary or research purposes.

Processing of Personal Information

Processing: Any operation or any set of operations performed upon personal information, including collection, recording, organization, storage, updating, modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
Personal Information Controller: A person or organization who controls the collection, holding, processing, or use of personal information.
Personal Information Processor: A natural or juridical person qualified to act as such under the Act to whom a personal information controller may outsource the processing of personal data.

General Rules on Processing of Personal Information

The processing of personal information is permitted unless prohibited by law.
The processing of sensitive information is prohibited unless permitted by law.
Conditions for lawful processing of personal information:
- Not otherwise prohibited by law.
- At least one of the following: consent, necessary for a contract, necessary for compliance with a legal obligation, necessary to protect vitally important interest, etc.

Rights of a Data Subject

Right to be Informed: The data subject must be notified and furnished with information about the processing of personal data.
Right to Withhold Consent: The data subject must be notified and given an opportunity to withhold consent to the processing of personal data in case of changes.
Right to Access: The data subject has the right to reasonable access to the contents of his/her personal data.
Right to Rectification: The data subject has the right to correct inaccurate or erroneous personal data.
Right to Erasure or Blocking: The data subject has the right to suspend, withdraw, or order the blocking, removal, or destruction of personal data.
Right to Damages: The data subject shall be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, or unlawfully obtained personal data.
Right to Data Portability: The data subject has the right to obtain a copy of personal data in an electronic or structured format.### Compliance and Accountability
The organization must designate an individual accountable for compliance with the Act, whose identity must be made known to any data subject upon request.

Security Measures

The personal information controller and processor must take steps to ensure that authorized personnel only process personal data upon instruction or as required by law.
Security measures must:
- Maintain the availability, integrity, and confidentiality of personal data.
- Protect personal data against accidental or unlawful destruction, alteration, and disclosure.
- Protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, and alteration.

Prohibited Acts

Unauthorized Processing

Processing personal information without the consent of the data subject or without being authorized under this Act or any existing law is prohibited.

Unauthorized Access

Providing access to personal information without being authorized under this Act or any existing law is prohibited.

Improper Disposal

Knowingly or negligently disposing, discarding, or abandoning personal information in an area accessible to the public or placing it in a container for trash collection is prohibited.

Unauthorized Purpose

Processing personal information for purposes not authorized by the data subject or otherwise authorized under this Act or existing laws is prohibited.

Unauthorized Access or Intentional Breach

Knowingly and unlawfully accessing or breaching data confidentiality and security data systems is prohibited.

Concealment of Security Breaches

Intentionally or by omission concealing the fact of security breach after having knowledge and the obligation to notify the National Privacy Commission is prohibited.

Malicious Disclosure

Maliciously disclosing unwarranted or false information relative to any personal information or sensitive personal information is prohibited.

Unauthorized Disclosure

Disclosing personal information to a third party without the consent of the data subject is prohibited.

Large-Scale

Large-scale violations occur when personal information of at least 100 persons is harmed, affected, or involved as a result of the above-mentioned actions.

Restitution

Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

This quiz covers the basics of the Data Privacy Act of 2012, Republic Act No. 10173, including the concept of data privacy and the rights of data subjects.