Data Privacy act.pdf

Full Transcript

RA 10173 ( DATA PRIVACY ACT OF 2012 )
WHO STORES DATA ABOUT YOU?
SPEED OF INFORMATION
WHICH IS MORE VALUABLE?

Data Money
“Data is more valuable than Money.
If someone takes your money, that's
all they have. If you let someone
take your data, they may eventually
take your money too!“

from: Deputy Privacy Commissioner Dondi Mapa
 WHAT IS THE DATA PRIVACY ACT OF 2012?

Republic Act 10173, the Data Privacy Act of 2012

AN ACT PROTECTING INDIVIDUAL PERSONAL
INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE
GOVERNMENT AND THE PRIVATE SECTOR,
CREATING FOR THIS PURPOSE A NATIONAL
PRIVACY COMMISSION, AND FOR OTHER
PURPOSES
 KEY ROLES IN THE DATA PRIVACY ACT
ü Data Subjects
Refers to an individual whose, sensitive personal, or
privileged information is processed.
ü Personal Information Controller (PIC)
Controls the processing of personal data, or instructs
another to process personal data on its behalf.
ü Personal Information Processor (PIP)
Organization or individual whom a personal
information controller may outsource or instruct the
processing of personal data pertaining to a data subject
ü Data Protection Officer (DPO)
Responsible for the overall management of
compliance to DPA
ü National Privacy Commission
Independent body mandated to administer and
implement the DPA of 2012, and to monitor and ensure
compliance of the country with international standards set
for personal data protection
WHAT ACTS ARE COVERED BY THE DPA?
¢ The DPA and its Implementing Rules and
Regulations (IRR) apply to all acts done or practices
engaged in and outside of the Philippines if:
¢ The person, either an individual or an institution,
involved in the processing of personal data is located in
the Philippines;
¢ The act or practice involves personal data of a Philippine
citizen or Philippine resident;
¢ The processing of personal data is done in the
Philippines; or
¢ The act, practice or processing of personal data is done
by an entity with links to the Philippines, subject to
international law and comity.
WHO IMPLEMENTS THE DPA?
The National Privacy Commission (NPC) is in charge of
administering and implementing the DPA. It is also tasked
to monitor and ensure compliance of the Philippines with
international standards for personal data protection. The
major functions of the NPC are as follows:
Rule making.

¢ Advisory.
¢ Public education.
¢ Compliance and monitoring.
¢ Complaints and investigations.
¢ Enforcement.
HOW TO COMPLY WITH THE DATA PRIVACY ACT?
1. Registration of data processing systems (DPS). An individual or institution employing
fewer than 250 employees need not register unless its data processing operations:
¢ involves sensitive personal information of at least 1,000 individuals; likely to pose a risk to
the rights and freedoms of data subjects; or the processing is not occasional.

2. Notification of automated processing operations where the processing becomes the sole
basis of making decisions about a data subject and when the decisions would significantly
affect the data subject. A “data subject” is an individual whose personal, sensitive personal or
privileged information is process.
¢ NOTE: No decision with legal effects concerning a data subject shall be made solely on the
basis of automated processing without the consent of the data subject. The consent may be
in written, electronic or recorded form. It may be given by a lawful representative or agent.
3. Appointment of a Data Protection Officer in charge of ensuring compliance with the DPA;
4. Creation of a data breach response team that will immediately address security incidents
or personal data breach;
5. Adoption of data protection policies that provide for data security measures and security
incident management;
6. Annual report of the summary of documented security incidents and personal data
breaches; and
7. Compliance with other requirements as may be provided by the NPC.
WHAT SHOULD YOU DO IN THE EVENT OF A DATA BREACH?
¢ The law requires a data breach notification within 72
hours upon knowledge of the breach or reasonable belief
that it has occurred to the NPC and the data subject. The
notification is generally required when the breach
involves sensitive personal information or any other
information that may be used to enable identity fraud;
this information has been acquired by an unauthorized
person; and the acquisition is likely to give rise to a real
risk of serious harm to the affected data subject.
¢ The NPC may investigate the breach, depending on its
nature or if there is a delay or failure to notify. Inquiries
may include on-site examination of systems and
procedures.
DPA Punishable Act For Personal For Sensitive Personal Fine (Pesos)
Section Information Information

JAIL TERM

25 Unauthorized processing 1-3 years 3-6 years 500 k – 4 million

26 Access due to negligence 1-3 years 3-6 years 500 k – 4 million

27 Improper disposal 6 months – 2 years 3-6 years 100 k – 1 million

28 Unauthorized purposes 18 months – 5 years 2-7 years 500 k – 2 million

29 Intentional breach 1-3 years 500 k – 2 million

30 Concealment of breach 18 months – 5 years 500 k – 1 million

31 Malicious disclosure 18 month – 5 years 500 k – 1 million

32 Unauthorized disclosure 1-3 years 3-5 years 500 k – 2 million

33 Combination of acts 1-3 years 1 million – 5 million
 RIGHTS OF THE DATA SUBJECT
ü Right to be informed - IRR, Section 34.a
ü Right to object - IRR, Section 34.b
 RIGHTS OF THE DATA SUBJECT
ü Right to access - IRR, Section 34.c
ü Right to correct (rectification) - IRR, Section
34.d
 RIGHTS OF THE DATA SUBJECT
ü Right to erasure or blocking - IRR, Section
34.e
 RIGHTS OF THE DATA SUBJECT
ü Right to file a complaint - IRR, Section 34.a.2
ü Right to damages - IRR, Section 34.f

ü Transmissibility of Rights - IRR, Section 35
ü Right to data portability - IRR, Section 36
Principle of Transparency
A data subject must be aware of the
nature, purpose, and extent of the processing
of his or her personal data, including the risks
and safeguards involved, the identity of
personal information controller, his or her
rights as a data subject, and how these can
be exercised. Any information and
communication relating to the processing of
personal data should be easy to access and
understand, using clear and plain language.
Principle of Legitimate Purpose
The processing of information shall
be compatible with a declared and
specified purpose, which must not be
contrary to law, morals, or public policy.
Personal data shall be:
1. processed fairly and lawfully
2. processed only for specified, lawful and
compatible purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than necessary
6. processed in accordance with the rights
of data subjects
7. kept secure
8. shared to other Personal Information
Collection Statements (PICs) only if there
is a Data Sharing Agreement (DSA).
Other Security Measures
ü Shredding all confidential waste.

ü Using strong passwords.
ü Installing a firewall and virus checker on your
computers.
ü Encrypting any personal information held
electronically.
ü Disabling any ‘auto-complete’ settings.
ü Holding telephone calls in private areas.

ü Checking the security of storage systems.
ü Keeping devices under lock and key when
not in use.
ü Not leaving papers and devices lying around.
SAMPLE DATA BREACHES IN THE PHILIPPINES
¢ Philippines, January 2019: Cebuana's marketing
server breached and the mysterious case of the DFA
¢ Philippines, May 2018: Wendy’s and Jollibee asked to
take preventive measures against data breach
FACEBOOK DATA BREACH
What happened?
¢ More than 500 million Facebook users’ details were
published online on an underground website used by
cyber criminals.
HOW TO PROTECT YOURSELF?
¢ Ask yourself if you need to share all
your information with Facebook
¢ Think about what you share

¢ Avoid using Facebook to sign in to other websites

¢ Use unique passwords
 References:
[email protected]
https://theconversation.com/facebook-data-breach-what-happened-
and-why-its-hard-to-know-if-your-data-was-leaked-158417
https://www.csoonline.com/article/3532816/the-biggest-data-
breaches-in-southeast-asia.html
https://eccinternational.com/ra-10173-data-privacy-summary/

End…….