RA 10173 Data Privacy Act of 2012 PDF

Summary

This document is a summary of the Data Privacy Act of 2012 (RA 10173) in the Philippines. It defines key terms, including personal information controller (PIC) and personal information processor (PIP). The document highlights the principles of data processing, including transparency, legitimate purpose, and proportionality.

Full Transcript

RA 10173 DATA PRIVACY ACT OF 2012

Long Title — An Act Protecting Individual Personal Information in Information and Communication Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for other Purposes

DEFINITION OF TERMS

1. Personal Information Controller (PIC)
The individual, corporation, or body that decides what to do with data.

2. Personal Information Processor (PIP)
A person or organization that processes personal data on behalf of a personal information controller (PIC), without using it for their own purposes.

3. Consent of the Data Subject
Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. The agreement must inform the data subject of:
a. Purpose, nature, and extent of processing;
b. Period of consent/instruction;
c. Rights as a data subject.

4. Breach
A security incident that:
a. Leads to unlawful or unauthorized processing of personal, sensitive, or privileged information;
b. Compromises the availability, integrity, or confidentiality of personal data.

PURPOSE (Chapter 1, Section 2)

It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The Act:
1. Protects the privacy of individuals while ensuring free flow of information to promote innovation and growth
2. Regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data
3. Ensures that the Philippines complies with international standards set for data protection

PERSONAL INFORMATION VS SENSITIVE PERSONAL INFORMATION

Personal Information
Personal information, also known as personal data, is any information about a particular individual that can be used to identify, locate, or contact a person. This includes, but is not limited to:
- Name
- Address
- Phone number
- E-mail address
- Birthday
- Location

Sensitive Personal Information
A type of personal information that requires strict protection. It includes details that could reveal a person's preferences, opinions, and other vulnerable information that could be used to discriminate against and harm a person. This includes, but is not limited to:
- Race or ethnic origin
- Criminal record
- Religious belief
- Medical record
- Political affiliations
- Sexual orientation

PROCESSING OF PERSONAL INFORMATION AND SENSITIVE PERSONAL INFORMATION

Processing of Personal Information
The processing of personal information shall be allowed if it adheres to ALL of the following:

1. PRINCIPLE OF TRANSPARENCY
The data subject must know:
a. What personal data will be collected
b. How the personal data will be collected
c. Why personal data will be collected
The data processing policies of the PIC must be known to the data subject. The information to be provided to the data subject must be in clear and plain language.

2. LEGITIMATE PURPOSE PRINCIPLE
Data must be collected only for the specific, explicit, and legitimate purposes of the PIC. Data that is not compatible with the purpose of the data collection shall not be processed.

3. PRINCIPLE OF PROPORTIONALITY
The amount of data collected for processing should be adequate, relevant, and not excessive in proportion to the purpose of the data processing. Efforts should be made to limit the processed data to the minimum necessary.

Processing of Sensitive Personal Information
The processing of sensitive personal information shall be allowed if it complies with at least ONE of the following:
1. The consent of the data subject has been given
2. The processing is necessary and is related to the fulfillment of the contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract
3. The processing is necessary for compliance with a legal obligation to which the PIC (Personal Information Controller) is subject
4. The processing is necessary to protect the vitally important interests of the data subject, including life and health
5. The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority
6. The processing is necessary for the purposes of the legitimate interests pursued by the PIC, except where such interests are overridden by the fundamental rights and freedoms of the data subject

RIGHTS OF THE DATA SUBJECT

Summary of Data Subject's Rights under RA 10173. The Data Privacy Act of 2012 grants individuals several rights over their personal information:

1. Right to be Informed
- Individuals have the right to know if their personal information is being processed.
- They should be informed about the purpose, scope, and duration of processing.

2. Right of Access
- Individuals can request access to their personal data, including how it is being used and shared.

3. Right to Rectification
- Individuals can request the correction of inaccurate or incomplete personal data.

4. Right to Erasure or Blocking
- Individuals can request the deletion or blocking of their personal data if it is no longer necessary or is being processed unlawfully.

5. Right to Data Portability
- Individuals can request a copy of their personal data in a digital format that can be transferred to another data controller.

6. Right to Object
- Individuals can object to the processing of their personal data, especially for direct marketing purposes.

7. Right to Damages
- Individuals can seek compensation for damages caused by the misuse of their personal information.

8. Right to File a Complaint
- Individuals can file a complaint with the National Privacy Commission regarding any violation of their data privacy rights.

9. Right to Transmit Rights
- Individuals can designate heirs or assigns to exercise their data privacy rights after their death or incapacity.

EXAMPLES: GUIDE QUESTIONS (RA 10173)

May a teacher/professor search the contents of a student's cellular phone?
NO! Any search through a student's cellular phone without justification under a law or regulation is UNLAWFUL, and may be considered "unauthorized processing of data". However, there are exceptions:
- If it was done with the student's consent (EXCEPT if the student is a minor)
- If it is required by the student's life and health, or by national emergency

Is an indirect form of consent valid?
Example: "By continuing to avail xxx of products and services, you explicitly authorize xxx, its employees, duly authorized representatives, related companies and third-party service providers, to use, process and share personal data needed in the administration of your xxx"
NO! Consent under the Data Privacy Act has 3 requirements, none of which are met by an indirect consent:
- Consent must be freely given
- Details about what the consent is being asked for must be specific
- There must be an informed indication of will

Are handwritten signatures considered sensitive personal information?
NO! It is possible that one person may share a similar signature with another. Moreover, some signatures do not, in any way, show signs of the identity of a person. However, these may be considered personal information when used to identify an individual, such as a signature affixed to the name of the person.

Are usernames, passwords, IP and MAC addresses, location cookies and birthday (month and day only) considered personal information?
YES! Only when they are combined with other pieces of information that may allow an individual to be distinguished from others.

PROHIBITED ACTS OF RA 10173

1. Unauthorized processing of personal information and sensitive personal information
- Processing (sensitive) personal information WITHOUT the consent of the data subject or WITHOUT being authorized under the Data Privacy Act or any other law
- Punishment: Fine of Php 500,000 to Php 4,000,000 AND imprisonment of 1 year to 6 years

2. Accessing personal information and sensitive personal information due to negligence
- Providing access to (sensitive) personal information due to negligence, or where not authorized under the Data Privacy Act or any existing law
- Punishment: Fine of Php 500,000 to Php 4,000,000 AND imprisonment of 1 year to 6 years

3. Improper disposal of (sensitive) personal information
- Negligently disposing of, discarding, or abandoning the (sensitive) personal information of an individual in an area accessible to the public, or placing the (sensitive) personal information of an individual in a container for trash collection
- Punishment: Fine of Php 100,000 to Php 1,000,000 AND imprisonment of 6 months to 3 years

4. Processing of personal information and sensitive personal information for unauthorized purposes
- Processing personal information for purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act or under existing laws
- Punishment: Fine of Php 500,000 to Php 2,000,000 AND imprisonment of 1 year and 6 months to 7 years

5. Unauthorized access or intentional breach
- Knowingly and unlawfully violating the data confidentiality and security of data systems where personal and sensitive personal information is stored
- Punishment: Fine of Php 500,000 to Php 2,000,000 AND imprisonment of 1 year to 3 years

6. Malicious disclosure
- Disclosing to a third party unwarranted or false information, with malice or in bad faith, relative to any (sensitive) personal information obtained by such PIC or PIP
- Punishment: Fine of Php 500,000 to Php 1,000,000 AND imprisonment of 1 year and 6 months to 5 years

NOTABLE CRIMES

First Conviction for RA 10173: A "customer care professional" of a BPO allegedly accessed several credit card accounts of a client without an actual call or request from the real owners. The accused also illegally accessed personal identification cards, changed them into temporary PINs, and withdrew a consistent amount of 500 dollars from all of the said credit cards. The accused was later found guilty of unauthorized access and processing of a client's account. The client was an American citizen with an account at a Philippine company. The accused was sentenced to imprisonment for one year and six months to five years and a fine of 500,000 pesos.
