Data Privacy Act Of 2012 PDF

Summary

This document details the Data Privacy Act of 2012 in the Philippines, outlining its key roles, the acts it covers, implementation procedures, and responsibilities. It covers data breaches, compliance, data subjects' rights and security measures under the law.

Full Transcript

RA 10173 (DATA PRIVACY ACT OF 2012)

WHO STORES DATA ABOUT YOU? SPEED OF INFORMATION

WHICH IS MORE VALUABLE? Data or Money?

“Data is more valuable than Money. If someone takes your money, that's all they have. If you let someone take your data, they may eventually take your money too!”
From: Deputy Privacy Commissioner Dondi Mapa

WHAT IS THE DATA PRIVACY ACT OF 2012?

Republic Act 10173, the Data Privacy Act of 2012: AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

KEY ROLES IN THE DATA PRIVACY ACT

- Data Subject: an individual whose personal, sensitive personal, or privileged information is processed.
- Personal Information Controller (PIC): controls the processing of personal data, or instructs another to process personal data on its behalf.
- Personal Information Processor (PIP): an organization or individual to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
- Data Protection Officer (DPO): responsible for the overall management of compliance with the DPA.
- National Privacy Commission (NPC): independent body mandated to administer and implement the DPA of 2012, and to monitor and ensure compliance of the country with international standards set for personal data protection.

WHAT ACTS ARE COVERED BY THE DPA?

The DPA and its Implementing Rules and Regulations (IRR) apply to all acts done or practices engaged in, inside and outside of the Philippines, if:
- the person, either an individual or an institution, involved in the processing of personal data is located in the Philippines;
- the act or practice involves personal data of a Philippine citizen or Philippine resident;
- the processing of personal data is done in the Philippines; or
- the act, practice or processing of personal data is done by an entity with links to the Philippines, subject to international law and comity.

WHO IMPLEMENTS THE DPA?

The National Privacy Commission (NPC) is in charge of administering and implementing the DPA. It is also tasked to monitor and ensure compliance of the Philippines with international standards for personal data protection. The major functions of the NPC are as follows:
- Rule making.
- Advisory.
- Public education.
- Compliance and monitoring.
- Complaints and investigations.
- Enforcement.

HOW TO COMPLY WITH THE DATA PRIVACY ACT?

1. Registration of data processing systems (DPS). An individual or institution employing fewer than 250 employees need not register unless its data processing operations involve sensitive personal information of at least 1,000 individuals, are likely to pose a risk to the rights and freedoms of data subjects, or the processing is not occasional.
2. Notification of automated processing operations where the processing becomes the sole basis of making decisions about a data subject and when the decisions would significantly affect the data subject. A “data subject” is an individual whose personal, sensitive personal or privileged information is processed.
   NOTE: No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject. The consent may be in written, electronic or recorded form. It may be given by a lawful representative or agent.
3. Appointment of a Data Protection Officer in charge of ensuring compliance with the DPA.
4. Creation of a data breach response team that will immediately address security incidents or personal data breaches.
5. Adoption of data protection policies that provide for data security measures and security incident management.
6. Annual report of the summary of documented security incidents and personal data breaches.
7. Compliance with other requirements as may be provided by the NPC.

WHAT SHOULD YOU DO IN THE EVENT OF A DATA BREACH?

- The law requires a data breach notification to the NPC and the data subject within 72 hours upon knowledge of the breach, or reasonable belief that it has occurred. The notification is generally required when the breach involves sensitive personal information or any other information that may be used to enable identity fraud; this information has been acquired by an unauthorized person; and the acquisition is likely to give rise to a real risk of serious harm to the affected data subject.
- The NPC may investigate the breach, depending on its nature or if there is a delay or failure to notify. Inquiries may include on-site examination of systems and procedures.

DPA Section   Punishable Act             Jail Term (Personal Information / Sensitive Personal Information)   Fine (Pesos)
25            Unauthorized processing    1-3 years / 3-6 years                                                500 k – 4 million
26            Access due to negligence   1-3 years / 3-6 years                                                500 k – 4 million
27            Improper disposal          6 months – 2 years / 3-6 years                                       100 k – 1 million
28            Unauthorized purposes      18 months – 5 years / 2-7 years                                      500 k – 2 million
29            Intentional breach         1-3 years                                                            500 k – 2 million
30            Concealment of breach      18 months – 5 years                                                  500 k – 1 million
31            Malicious disclosure       18 months – 5 years                                                  500 k – 1 million
32            Unauthorized disclosure    1-3 years / 3-5 years                                                500 k – 2 million
33            Combination of acts        1-3 years                                                            1 million – 5 million

RIGHTS OF THE DATA SUBJECT

- Right to be informed (IRR, Section 34.a)
- Right to object (IRR, Section 34.b)
- Right to access (IRR, Section 34.c)
- Right to correct (rectification) (IRR, Section 34.d)
- Right to erasure or blocking (IRR, Section 34.e)
- Right to file a complaint (IRR, Section 34.a.2)
- Right to damages (IRR, Section 34.f)
- Transmissibility of rights (IRR, Section 35)
- Right to data portability (IRR, Section 36)

Principle of Transparency

A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

Principle of Legitimate Purpose

The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.

Personal data shall be:
1. processed fairly and lawfully;
2. processed only for specified, lawful and compatible purposes;
3. adequate, relevant and not excessive;
4. accurate and up to date;
5. kept for no longer than necessary;
6. processed in accordance with the rights of data subjects;
7. kept secure; and
8. shared with other Personal Information Controllers (PICs) only if there is a Data Sharing Agreement (DSA).

Other Security Measures

- Shredding all confidential waste.
- Using strong passwords.
- Installing a firewall and virus checker on your computers.
- Encrypting any personal information held electronically.
- Disabling any ‘auto-complete’ settings.
- Holding telephone calls in private areas.
- Checking the security of storage systems.
- Keeping devices under lock and key when not in use.
- Not leaving papers and devices lying around.

SAMPLE DATA BREACHES IN THE PHILIPPINES

- Philippines, January 2019: Cebuana's marketing server breached and the mysterious case of the DFA
- Philippines, May 2018: Wendy’s and Jollibee asked to take preventive measures against data breach

FACEBOOK DATA BREACH

What happened? More than 500 million Facebook users’ details were published online on an underground website used by cyber criminals.

HOW TO PROTECT YOURSELF?

- Ask yourself if you need to share all your information with Facebook.
- Think about what you share.
- Avoid using Facebook to sign in to other websites.
- Use unique passwords.
