Data Privacy Act Notes PDF
Uploaded by PleasedPrairieDog
Polytechnic University of the Philippines, College of Accountancy and Finance
Summary
These notes provide an overview of the Data Privacy Act (RA No. 10173) in the Philippines. They include definitions of key terms, coverage, and what is not covered under the act. The notes offer a comprehensive overview of data privacy within the specific context of the Philippine government.
Full Transcript
Polytechnic University of the Philippines
College of Accountancy and Finance

DATA PRIVACY ACT (RA No. 10173)

What is RA No. 10173?
→ It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.

Definition of Terms:
Consent of the data subject refers to any freely given, specific, informed indication of will of the data subject.
Data subject (DS) refers to an individual whose personal information is processed.
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents.
Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information.
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Coverage:
a) all types of personal information
b) any natural/juridical person involved in personal information processing

Not covered:
× Officer/Employee of a government institution
× Performing service under government contract
× Discretionary benefit of a financial nature
× Journalistic, artistic, literary or research
× Carry out the functions of public authority
× Banks & other financial institutions
× Residents of foreign jurisdiction

Extraterritorial coverage:
✓ Personal information of PH citizen/resident
✓ Has a link w/ the PH thru:
  (a) contracts
  (b) Juridical entity
  (c) Branch, agency, office, subsidiary
✓ Other links in the PH
  (a) Carries on business
  (b) Collected or held by entity in PH

NATIONAL PRIVACY COMMISSION
Privacy commissioner (Chairman) - shall enjoy benefits, privileges and emoluments equivalent to the rank of secretary.
Qualifications:
(1) at least thirty-five (35) years of age
(2) good moral character
(3) recognized expert in the field of IT and data privacy.
Two (2) Deputy commissioner:
(1) Data processing systems
(2) Policies and planning

Privilege Information:
1. Atty-client
2. Doctor-patient
3. Marital privilege communication
4. Priest-confessor

Sensitive Personal Information:
1. race, ethnic origin, marital status, age, color, & religious, philosophical, political affiliation
2. Health, education, genetic or sexual life, proceedings for an offense committed
3. Issued by the gov't agencies
4. Specifically established by an executive order

Principles:
1. Proportionality - adequate, relevant, suitable, necessary & not excessive
2. Legitimate Purpose - compatible w/ the declared & specified purpose
3. Transparency - Data Subject (DS) must be aware of nature, purpose, & extent of the processing of his Personal Data by the company.

Personal Information (PI):
1. Apparent
2. Ascertained by entity
3. Would identify an individual

** PI must be:
(a) collected for legitimate purpose
(b) processed fairly & lawfully
(c) accurate, relevant & necessary
(d) not excessive
(e) as long as Necessary
(f) kept in a form w/c permits identification of DS

** Criteria for lawful processing of Personal information:
(a) w/ DS consent
(b) Related to the fulfillment of a contract
(c) For compliance w/ a legal obligation
(d) To protect vitality of important interest
(e) Respond to national emergency or to comply with the requirements of public order & safety
(f) Purposes of the legitimate interest
Info processing system

** Criteria for their lawful processing (Privilege & Sensitive Information):
(a) w/ DS consent
(b) Provided for by existing law & regulation
(c) Protect life & Health of DS or another
(d) To achieve lawful & noncommercial objectives of public org & their associations
(e) For purposes of medical treatment
(f) Protection of lawful rights & interest of natural or legal persons

PIC RESPONSIBILITY:
I. confidentiality of the personal information processed
II. Prevent its use for unauthorized purposes, and generally comply w/ the requirements

Rights of the Data Subject:
1. Informed consent
2. Complaints/Damages
3. Retracted information accessible
4. Portability of data
5. Erasure
6. Access
7. Object

SECURITY MEASURES:
✓ Safeguards
✓ Security Policy
✓ Identifying & assessing reasonable foreseeable vulnerabilities
✓ Regular monitoring
* Data processor must report to the NPC in case of DATA BREACH in 72 hours.

REQUIREMENTS TO ACCESS TO S.P.I:
1. On-site & online access - no employee shall have access unless given a security clearance
2. Off-site Access - May not be transported or accessed unless there's a request to transport
   guideline for request:
   (a) 2 business days - Deadline for approval/disapproval
       * If no action, deemed disapproved
   (b) Limit the access to 1000 records only
   (c) use most secure encryption standard

REQUIRES GOV'T CONTRACTORS:
✓ Coverage of 1000 or more individual
✓ employees must register their Personal

UNLAWFUL ACTS & PENALTIES:
1. Unauthorized Processing & Access
                 PI          SPI
   Imprisonment  1-3yrs      3-6yrs
   Fine          500K-2M     500K-4M
2. Improper Disposal
                 PI          SPI
   Imprisonment  6m-2yrs     1-3yrs
   Fine          100K-500K   100K-1M
3. Intentional Breach
   Imprisonment  1-3yrs
   Fine          500K-2M
4. Processing of Unauthorized Process
                 PI          SPI
   Imprisonment  1-5yrs      2-7yrs
   Fine          500K-1M     500K-2M
5. Concealment/Malicious
   Imprisonment  1.5-5yrs
   Fine          500K-1M
6. Unauthorized Disclosure
                 PI          SPI
   Imprisonment  1-3yrs      3-5yrs
   Fine          500K-1M     500K-2M
7. Combination/Series of Act
   Imprisonment  3-6 yrs
   Fine          1M-5M

DATA BREACH NOTIFICATION
✓ 72 hrs: Notify Commission
✓ 5 days: Submission of full report
NO DELAY OF NOTIFICATION:
× Involves at least 100 data subjects
× harmful & will adversely affect the DS

250 and above data subjects → PIC and PIP requires to register & any number if possess risk
1000 data subjects → requires registration