Data Privacy Act_Notes.pdf

Full Transcript

Polytechnic University of the Philippines
College of Accountancy and Finance

DATA PRIVACY ACT (RA No. 10173)

What is RA No. 10173? updating or modification,
→ It is the policy of the State to protect the retrieval, consultation, use,
fundamental human right of privacy, of consolidation, blocking, erasure
communication while ensuring free flow of or destruction of data.
information to promote innovation and
growth. Coverage:
a) all types of personal information
Definition of Terms: b) any natural/juridical person involved in
Consent of the data subject personal information processing
refers to any freely given,
specific, informed indication of Not covered:
will of the data subject. × Officer/Employee of a government
Data subject (DS) refers to an institution
× Performing service under government
individual whose personal
contract
information is processed.
× Discretionary benefit of a financial nature
Direct marketing refers to × Journalistic, artistic, literary or research
communication by whatever × Carry out the functions of public authority
means of any advertising or × Banks & other financial institutions
marketing material which is × Residents of foreign jurisdiction
directed to particular individuals.
Information and Communications Extraterritorial coverage:
System refers to a system for ✓ Personal information of PH
generating, sending, receiving, citizen/resident
storing or otherwise processing ✓ Has a link w/ the PH thru:
electronic data messages or (a) contracts
electronic documents (b) Juridical entity
Personal information controller (c) Branch, agency, office, subsidiary
refers to a person or organization ✓ Other links in the PH
who controls the collection, (a) Carries on business
holding, processing or use of (b) Collected or held by entity in PH
personal information.
Processing refers to any NATIONAL PRIVACY COMMISSION
operation or any set of operations Privacy commissioner (Chairman) -
performed upon personal shall enjoy benefits, privileges and
information including, but not emoluments equivalent to the rank
limited to, the collection, of secretary.
Qualifications:
recording, organization, storage,
 (1)at least thirty-five (35) years or to comply with the
of age requirements of public order &
(2)good moral character safety
(3)recognized expert in the field (f) Purposes of the legitimate
of IT and data privacy. interest

Two (2) Deputy commissioner Privilege Information:
(1) Data processing systems 1. Atty-client
(2) Policies and planning 2. Doctor-patient
3. Marital privilege communication
Principles: 4. Priest-confessor
1. Proportionality - adequate, relevant,
suitable, necessary & not excessive Sensitive Personal Information:
2. Legitimate Purpose - compatible w/ 1. race, ethnic origin, marital status,
the declared & specified purpose age, color, & religious, philosophical,
3. Transparency - Data Subject (DS) political affiliation
must be aware of nature, purpose, & 2. Health, education, genetic or sexual
extent of the processing of his life, proceedings for an offense
Personal Data by the company. committed
3. Issued by the gov't agencies
Personal Information (PI): 4. Specifically established by an
1. Apparent executive order
2. Ascertained by entity
3. Would identify an individual ** Criteria for their lawful processing:
(Privilege & Sensitive Information)
**PI must be: (a) w/ DS consent
(a) collected for legitimate purpose (b) Provided for by existing law &
(b) processed fairly & lawfully regulation
(c) accurate, relevant & necessary (c) Protect life & Health of DS or
(d) not excessive another
(e) as long as Necessary (d) To achieve lawful &
(f) kept in a form w/c permits noncommercial objectives of
identification of DS public org & their associations
(e) For purposes of medical
** Criteria for lawful processing of treatment
Personal information: (f) Protection of lawful rights &
(a) w/ DS consent interest of natural or legal
(b) Related to the fulfillment of a persons
contract
(c) For compliance w/ a legal PIC RESPONSIBILITY:
obligation I. confidentiality of the personal
(d) To protect vitality of important information processed
interest
(e) Respond to national emergency
 II. Prevent its use for unauthorized Info processing system
purposes, and generally comply w/
the requirements UNLAWFUL ACTS & PENALTIES:
1. Unauthorized Processing & Access
Rights of the Data Subject:
1. Informed consent
PI SPI
2. Complaints/Damages
3. Retracted information accessible Imprisonment 1-3yrs 3-6yrs
4. Portability of data
5. Erasure Fine 500K-2M 500K-4M
6. Access
7. Object 2. Improper Disposal

SECURITY MEASURES:
PI SPI
✓ Safeguards
Imprisonment 6m-2yrs 1-3yrs
✓ Security Policy
✓ Identifying & assessing reasonable Fine 100K-500K 100K-1M
foreseeable vulnerabilities
3. Intentional Breach
✓ Regular monitoring

* Data processor must report to the NPC in Imprisonment 1-3yrs
case of DATA BREACH in 72 hours.
Fine 500K-2M
REQUIREMENTS TO ACCESS TO S.P.I:
1. On-site & online access - no 4. Processing of Unauthorized Process
employee shall have access unless
given a security clearance PI SPI
2. Off-site Access - May not be
transported or accessed unless Imprisonment 1-5yrs 2-7yrs
there's a request to transport
Fine 500K-1M 500K-2M
guideline for request:
(a) 2 business days - Deadline for
approval/disapproval 5. Concealment/Malicious
* If no action, deemed disapproved
(b) Limit the access to 1000 records Imprisonment 1.5-5yrs
only
(c) use most secure encryption Fine 500K-1M
standard
6. Unauthorized Disclosure
REQUIRES GOV'T CONTRACTORS:
✓ Coverage of 1000 or more individual PI SPI
✓ employees must register their Personal
 Imprisonment 1-3yrs 3-5yrs

Fine 500K-1M 500K-2M

7. Combination/Series of Act

Imprisonment 3-6 yrs

Fine 1M-5M

DATA BREACH NOTIFICATION
✓ 72 hrs: Notify Commission
✓ 5 days: Submission of full report

NO DELAY OF NOTIFICATION:
× Involves at least 100 data subjects
× harmful & will adversely affect the DS

250 and above data subjects
→ PIC and PIP requires to register & any
number if possess risk

1000 data subjects
→ requires registration