Cybersecurity o Privacy means trust.
Trust means
Implementing the Data Privacy Act of 2012
Complying with the IRR on the Data Privacy Act
Commissioner Domingo Mapa, National Privacy Commission (NPC)
 What is the actual value of data?
o In the information age, people are increasingly coming
to the realisation that data has actual value.
o Cybercriminals, in particular (but not only) identity
thieves, can leverage the most obscure sources of data
to their ends—and to users’ disadvantage.
o Online businesses like Uber, AirBnB, and Facebook use
personal information to run their entire business
model.
 “Data is the only sustainable competitive
advantage,” and in the digital economy, it is the
new oil.
o In terms of social and political issues, data has also
been used to problem solve things as complex as
elections to as mundane and seemingly unavoidable as
mosquito season.
 Clearly, data IS valuable, and it can be leveraged to our
advantage. However, it is important that that data is collected,
used, and disposed of responsibly. Therefore, our goal with
data should be to “ensure the free flow of information to
promote innovation & growth, while protecting the
fundamental human right to privacy.”
 In line with this, Sec. 2 of RA 10173 sets the basic human right
to privacy as a fundamental cornerstone in data innovation
and development.
1 This is defined as information concerning a person’s civil personality, which
may include things such as gender, religion, civil status, family relations, and the
like.
2 Data Subject: Person about whom data is being collected.
F. J. Bautista
sum non mea
business/relationship.
o Privacy is the key to a free economy of information &
innovation.
o As a rule, the Data Privacy Act operates to protect only
personal information.1
 Some key sections of RA 10173:
o Secs. 11-21: Rights of Data Subjects, Obligations of
PIPs & PICs
o Secs. 22-24: Specific Provisions on Government Data
Subjects, Personal Information Processors (PIPs), and
Personal Information Collectors (PICs)
o Secs. 25-37: Penal Clauses
 Basic Rights of the Data Subject2
o Right to be informed that data is being collected
o Right to object to the collection of said data
o Right to access the information being collected
o Right to block, remove, or correct data
o Right to data portability
o Right to complain & be indemnified for violations of
the abovementioned rights
 Basic Cyber-Hygiene
o Data Vigilance – Being aware and vigilant about the
data we put online.
o Software Updating – Being up-to-date on software that
protects and stores your data.
o Password Hygiene – Being conscious of the need to
change, protect, and store passwords properly.
 Basic Legal Obligations3 of PIPs and PICs
o Appoint a Data Processing Officer/Data Privacy
Compliance Officer
3This is a legal obligation for all PIPs and PICs; Under Sec. 7 of RA 10173,
violation of the law may be punished by penalties of up to 6 years of
imprisonment, and up to PhP 5 million in fines.
 o Where collecting data, adhere to the standards of
Transparency, Legitimate Purpose, and
Proportionality
 Transparency – Ensure that there are no
surprises from any of the stakeholders
regarding the data collected
 Legitimate Purpose – Ensure that the data
collected is that required by law, and is not
contrary to public morals
 Proportionality – Ensure that the data collected
is only to the extent absolutely necessary, and
that the collection is commensurate to the
benefits of the same.
o Maintain the Confidentiality, Integrity, and Availability
of Data
o Follow proper breach procedure4
o Register all data collection systems with the NPC5
 Accountability is more important than mere compliance.
Cybercrime in Numbers
P/Supt. Jay Guillermo, PNP Anti-Cybercrime Group Assistant Head
 Under RA 10173, all crimes punishable under the Revised
Penal Code, committed through means of electronic data or
communication may fall into the category of cybercrime.6
 The PNP-ACG has recorded almost 10,000 instances of
cybercrime since it was founded in 2012, and according to
P/Supt. Guillermo, an estimated 2/3 of cybercrime cases go
unreported, or are not categorized as cybercrime by local
police precincts.
4 IRR 38-42 & 57, and Circular No. 16-03 require reporting of any breaches
within 72 hours; Failure to do so is punishable by up to 8 months of
imprisonment and up to PhP 1 million in fines
5 RA 10173 sets the deadline for system registration to September of 2017.
6 RA 1175 has categorized smartphones as computers, and crimes committed by
and through the use of such devices may be classed as cybercrimes as well.
F. J. Bautista
sum non mea
o Crimes such as Online Estafa, Online Libel, Online
Threat, and Identity Theft are the most common, while
instances of Rape (with intimidation), Online
Gambling, and Cybersquatting have also been
recorded.
Best Practices for Complying with the Data Privacy Act
Atty. John Paul Gaba, ACCRA Law
 Scope of Application
o The Data Privacy Act applies to the personal data of
natural persons.7
o To clarify, the law does not specifically protect classes
of data, but the broader right to privacy.
o In connection with this, the NPC is empowered by law
to issue compliance orders, and cease & desist orders
to PIPs and PICs who compromise data.
 The NPC can also request the DOJ to investigate
violations with criminal intent.
 As a rule, the terms PIPs and PICs cover all data handling
levels; However comprehensive or minute, any collection or
processing of personal data is covered by the law.
o PIPs and PICs have the legal obligation to maintain the
integrity, confidentiality and availability of the data
they collect and process.
 The Data Privacy Act covers the personal data of all Filipino
citizens, whether here or abroad, in addition to any personal
data collected or processed in the Philippines.
o The Act also covers both physical and digital
processing
7 By example, while the data of a corporation may be made public as it is not a
natural person, such a corporation’s articles of incorporation cannot be made
public without consent, as the personal data of the corporation’s incorporators
is present on the document.
 Types of Personal Information
o Sensitive Personal Information
 Generally, encompasses information
concerning personal circumstances and civil
capacity, including sex, race, religion, marital
status, employment history, and the like
 Collection and Processing is prohibited, save in
certain exceptional cases.
 The law imposes a higher standard of
protection on such information
o Regular Personal Information
 All other information not classed as sensitive

F. J. Bautista
sum non mea