Data Privacy Act PDF

DATA PRIVACY ACT REPUBLIC ACT NO. 10173 CONCEPT OF DATA PRIVACY It is the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth, particularly to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (R.A. No. 10173, or the Data Privacy Act of 2012, Sec. 2 [hereinafter DPA]). DATA SUBJECT An individual whose personal information is processed (DPA, Sec. 3(c)) CONSENT OF THE DATA SUBJECT Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so (DPA, Sec. 3(b)) PERSONAL INFORMATION Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (DPA, Sec. 3(g)) SENSITIVE (PERSONAL) INFORMATION Refers to information: 1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; 2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; 3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, and 4. Specifically established by an executive order or an act of Congress to be kept classified (DPA, Sec. 3(l)) PRIVILEGED INFORMATION Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication (DPA, Sec. 3(k)) PERSONAL VS. SENSITIVE INFORMATION Personal information may be processed provided that the requirements of the DPA are complied with. On the other hand, the processing of sensitive personal information is, in general, prohibited. The DPA provides the specific cases where processing of sensitive personal information is allowed. APPLICABILITY OF DPA The DPA shall apply to processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch, or agency in the Philippines (DPA, Sec. 4) EXTRATERRITORIAL APPLICABILITY The DPA is applicable to any act done or practice engaged in and outside of the Philippines by an entity if: 1. The act, practice, or processing relates to personal information about a Philippine citizen or a resident; 2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to the following: 1. A contract is entered in the Philippines 2. A juridical entity unincorporated in the Philippines but has central management and control in the country 3. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information 3. The entity has other links in the Philippines such as but not limited to: 1. The entity carries on business in the Philippines; and 2. The Personal information was collected or held by an entity in the Philippines (DPA, Sec. 6) NON-APPLICABILITY OF DPA The DPA does not apply to the following information: 1. Information about any individual who is or was an officer or employee of a government institution that relates to his official position or functions, including a. The fact that the individual is or was an officer or employee of the government institution b. The title, business address and office telephone number of the individual c. The classification, salary range and responsibilities of the position held by the individual, and d. The name of the individual on a document prepared by the individual in the course of employment with the government 2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services NON-APPLICABILITY OF DPA The DPA does not apply to the following information: 3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit; 4. Personal information processed for journalistic, artistic, literary or research purposes 5. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions NON-APPLICABILITY OF DPA The DPA does not apply to the following information: 6. Information necessary for banks and other financial institutions under the jurisdiction of BSP to comply with the AMLA and other applicable laws; and 7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines (DPA, Sec. 4) DPA DOES NOT AMEND BANK SECRECY LAWS Nothing in this Act shall be construed as to have amended or repealed: 1. R.A. No. 1405, otherwise known as the Secrecy of Bank Deposits Act 2. R.A. No. 6426 , otherwise known as the Foreign Currency Deposit Act 3. R.A. No. 9510 , otherwise known as the Credit Information System Act PROTECTION AFFORDED TO JOURNALISTS Nothing in this Act shall be construed as to have amended or repealed the provisions of R.A. No. 53, which affords publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter (DPA, Sec. 5) PROCESSING OF PERSONAL INFORMATION PROCESSING Any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (DPA, Sec. 3(j)) PROCESSING OF PERSONAL INFORMATION PERSONAL INFORMATION PROCESSOR Any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject (DPA, Sec. 3(i)) PROCESSING OF PERSONAL INFORMATION PERSONAL INFORMATION CONTROLLER A person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf (DPA, Sec. 3(h)) PROCESSING OF PERSONAL INFORMATION WHO ARE NOT CONSIDERED AS PERSONAL INFORMATION CONTROLLER 1. A person or organization who performs such functions as instructed by another person or organization; and 2. An individual who collects, holds, processes, or uses personal information in connection with the individual’s personal, family or household affairs (DPA, Sec. 3(h)) GENERAL RULES ON PROCESSING OF PERSONAL INFORMATION Information Processed General Rule Personal Information Permitted unless prohibited by law (DPA, Sec. 11&12) Sensitive Information Prohibited unless permitted by law (DPA, Sec. 13) CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION 1. It is not otherwise prohibited by law; and 2. At least one of the following: a. The data subject has given his or her consent; b. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract c. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject d. The processing is necessary to protect vitally important interest of the data subject, including life and health e. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or f. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution (DPA, Sec. 12) EXCEPTIONAL CASES WHEN PROCESSING OF SENSITIVE INFORMATION PERMITTED 1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to the processing; 2. The processing of the same without the consent of the data subject is provided for by existing laws and regulations which guarantee the protection of the sensitive personal information and the privileged information 3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing EXCEPTIONAL CASES WHEN PROCESSING OF SENSITIVE INFORMATION PERMITTED 4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations and provided that: (a) such processing is only confined and related to the bona fide members of these organizations or their associations; (b) the sensitive personal information shall not be transferred to third parties; and (c) that consent of the data subject was obtained prior to processing 5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured 6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority (DPA, Sec. 13) GENERAL DATA PRIVACY PRINCIPLES The processing of personal information shall be allowed, subject to: 1. Compliance with the requirements of this Act and other laws allowing disclosure of information to the public; and 2. Adherence to the principles of Transparency, Legitimate Purpose, and Proportionality (DPA, Sec. 11) TRANSPARENCY The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language (IRR of DPA, Sec. 18(a)) LEGITIMATE PURPOSE The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy (IRR of DPA, Sec. 18(b)) PROPORTIONALITY The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means (IRR of DPA, Sec. 18(c)) GENERAL PRINCIPLES IN COLLECTION, PROCESSING, AND RETENTION OF PERSONAL DATA The processing of personal data shall adhere to the following general principles: 1. Collection must be for a declared, specified and legitimate purpose 2. Personal data shall be processed fairly and lawfully 3. Processing should ensure data quality 4. Personal data should not be retained longer than necessary 5. Any authorized further processing shall have adequate safeguards (IRR of DPA, Sec. 19) GENERAL PRINCIPLES FOR DATA SHARING Further processing of personal data collected from a party other than the data subject shall be allowed under any of the following conditions: 1. When it is expressly authorized by law provided that: (a) there are adequate safeguards for data privacy and security; and, (b) processing adheres to the principle of transparency, legitimate purpose and proportionality 2. When, in the private sector, the data subject consents to data sharing, and conditions are complied with 3. When the personal data is publicly available, or has the consent of the data subject for purpose of research, provided, that: (a) adequate safeguards are in place; and, (b) no decision directly affecting the data subject shall be made on the basis of the data collected or processed 4. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement (IRR of DPA, Sec. 20) RIGHTS OF A DATA SUBJECT RIGHT TO BE INFORMED The data subject must be notified and furnished with information on description, purpose, basis, scope, method, recipients, controller’s identity, period and existence of rights, before the entry of his or her personal data into the processing system (IRR of DPA, Sec. 34(a)). RIGHT TO WITHHOLD CONSENT TO CHANGE IN DATA The data subject must be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.The personal information controller shall no longer process the data unless: 1. The personal data is needed pursuant to a subpoena; 2. The collection and processing are for obvious purposes; or 3. The information is being collected and processed as a result of a legal obligation (IRR of DPA, Sec. 34(b)). RIGHT TO ACCESS DATA The data subject has the right to reasonable access, upon demand, to the following: 1. Contents of his/her personal data that were processed; 2. Sources from which personal data were obtained; 3. Names and addresses of recipients of the personal data; 4. Manner by which such data were processed; 5. Reasons for the disclosure of the personal data to recipients, if any; 6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject; 7. Date when his/her personal data concerning the data subject were last accessed and modified; and 8. The designation, name or identity, and address of the personal information controller (IRR of DPA, Sec. 34(c)). RIGHT TO RECTIFICATION The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable (IRR of DPA, Sec. 34(d)) RIGHT TO ERASURE OR BLOCKING The data subject shall have the right to suspend, withdraw or order the blocking, removal, or destruction of his/her personal data from the personal information controller’s filing system (IRR of DPA, Sec. 34(e)). This right may be exercised upon discovery and substantial proof of any of the following: 1. The personal data is incomplete, outdated, false, or unlawfully obtained; 2. The personal data is being used for purpose not authorized by the data subject; 3. The personal data is no longer necessary for the purposes for which they were collected; 4. The data subject withdraws consent or objects to the processing, and there is no legal ground or overriding legitimate interest for the processing; 5. The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized; 6. The processing is unlawful; and 7. The personal information controller or personal information processor violated the rights of the data subject (IRR of DPA, Sec. 34(e)) RIGHT TO DAMAGES The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his/her rights and freedoms as data subject (IRR of DPA, Sec. 34(f)). RIGHT TO DATA PORTABILITY Where his/her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject (IRR of DPA, Sec. 36) TRANSMISSIBILITY OF RIGHTS OF DATA SUBJECT The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section (DPA, Sec. 17) LIMITATION ON RIGHTS OF DATA SUBJECT The provisions of the DPA are not applicable if the processed personal information are only for: 1. The needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject; and 2. The processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative, or tax liabilities of a data subject. Provided, That the personal information shall be held under strict confidentiality and shall be used only for declared purpose (IRR of DPA, Sec. 37). PRINCIPLE OF ACCOUNTABILITY Each personal information controller: 1. Is responsible for personal information under its control or custody, including information that have been transferred to a third party processing, whether domestically or internationally, subject to cross-border arrangement and cooperation; 2. Is accountable for complying with the requirements of the DPA, and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party; and 3. Shall designate individual/s who are accountable for the organization’s compliance with this Act, whose identity shall be made known to any data subject upon request (DPA, Sec. 21) SECURITY MEASURES FOR THE PROTECTION OF PERSONAL DATA DUTY TO EXERCISE CONTROL AND SUPERVISION The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their authority and who has access to personal data, does not process them except upon their instructions, or as required by law. The security measures shall: 1. Aim to maintain the availability, integrity and confidentiality of personal data. 2. Be intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing; and 3. Be implemented to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination (DPA, Sec. 25) PROHIBITED ACTS UNAUTHORIZED PROCESSING OF PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION Processing of personal information without the consent of the data subject, or without being authorized under this Act or any existing law (DPA, Sec. 25) ACCESSING PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION DUE TO NEGLIGENCE Providing access to personal information without being authorized under this Act or any existing law (DPA, Sec. 26) IMPROPER DISPOSAL OF PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION Knowingly or negligently disposing, discarding, or abandoning the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection (DPA, Sec. 27). PROCESSING OF PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION FOR UNAUTHORIZED PURPOSES Processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws (DPA, Sec. 28) UNAUTHORIZED ACCESS OR INTENTIONAL BREACH Knowingly and unlawfully, or violating data confidentiality and security data systems, breaking in any way into any system where personal and sensitive personal information is stored (DPA, Sec.29) CONCEALMENT OF SECURITY BREACHES INVOLVING SENSITIVE PERSONAL INFORMATION Intentionally or by omission concealing the fact of security breach after having knowledge and of the obligation to notify the National Privacy Commission (DPA, Sec. 30) MALICIOUS DISCLOSURE Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, disclosing unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her (DPA, Sec. 31) UNAUTHORIZED DISCLOSURE Any personal information controller or personal information processor or any of its officials, employees or agents, disclosing to a third party personal information not covered by the immediately preceding section without the consent of the data subject (DPA, Sec. 32) LARGE-SCALE Committed when personal information of at least 100 persons is harmed, affected or involved as the result of the above-mentioned actions (DPA, Sec. 35) RESTITUTION Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code (DPA, Sec. 37)

Data Privacy Act PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue