 What is the Data Privacy Act?

Republic Act No. 10173, otherwise known as the Data Privacy Act is a law that seeks to
protect all forms of information, be it private, personal, or sensitive. It is meant to cover both
natural and juridical persons involved in the processing of personal information.

 What is the scope of the Data Privacy Act?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical persons
involved in the processing of personal information. It also covers those who, although not
found or established in the Philippines, use equipment located in the Philippines, or those
who maintain an office, branch, or agency in the Philippines.
 What is processing of personal information?
 Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any
set of operations performed upon personal information including, but not limited to,
the collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data.”

 In other words, processing of personal information is any operation where personal

information is involved. Whenever your information is, among other things, collected,
modified, or used for some purpose, processing already takes place.

 What is personal information?

 Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any
set of operations performed upon personal information including, but not limited to,
the collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data.”

 In other words, processing of personal information is any operation where personal

information is involved. Whenever your information is, among other things, collected,
modified, or used for some purpose, processing already takes place.

 What is privileged information?

Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms
of data which under the Rules of Court and other pertinent laws constitute privileged
communication.” One such example would be any information given by a client to his
lawyer. Such information would fall under attorney-client privilege and would, therefore, be
considered privileged information.

 Does the difference between personal information and sensitive personal information matter?
Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms
of data which under the Rules of Court and other pertinent laws constitute privileged
communication.” One such example would be any information given by a client to his
 lawyer. Such information would fall under attorney-client privilege and would, therefore, be
considered privileged information.
 Is there a difference between personal information and sensitive personal information?
 Yes. While personal information refers to information that makes you readily
identifiable, sensitive personal information, as defined in Sec. 3(l) of the Data Privacy
Act, refers to personal information:

 (1) About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
 (2) About an individual’s health, education, genetic or sexual life of a person, or to
any proceeding for any offense committed or alleged to have been committed by
such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
 (3) Issued by government agencies peculiar to an individual which includes, but not
limited to, social security numbers, previous or cm-rent health records, licenses or its
denials, suspension or revocation, and tax returns; and
 (4) Specifically established by an executive order or an act of Congress to be kept
classified.
 Therefore, any information that can be categorized under any of the enumerated
items are considered sensitive personal information.

 Are there any exceptions to the application of the Data Privacy Act?
 The Data Privacy Act explicitly states that its provisions are not applicable in the
following cases:
 (a) Information about any individual who is or was an officer or employee of a
government institution that relates to the position or functions of the individual,
including:
 (1) The fact that the individual is or was an officer or employee of the government
institution;
 (2) The title, business address and office telephone number of the individual;
 (3) The classification, salary range and responsibilities of the position held by the
individual; and
 (4) The name of the individual on a document prepared by the individual in the
course of employment with the government;
 (b) Information about an individual who is or was performing service under contract
for a government institution that relates to the services performed, including the
terms of the contract, and the name of the individual given in the course of the
performance of those services;
 (c) Information relating to any discretionary benefit of a financial nature such as the
granting of a license or permit given by the government to an individual, including the
name of the individual and the exact nature of the benefit;
 (d) Personal information processed for journalistic, artistic, literary or research
purposes;
  (e) Information necessary in order to carry out the functions of public authority which
includes the processing of personal data for the performance by the independent,
central monetary authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions. Nothing in this Act shall be
construed as to have amended or repealed Republic Act No. 1405, otherwise known
as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as
the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as
the Credit Information System Act (CISA);
 (f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other applicable
laws; and
 (g) Personal information originally collected from residents of foreign jurisdictions in
accordance with the laws of those foreign jurisdictions, including any applicable data
privacy laws, which is being processed in the Philippines.

 Can there be more than one person who shall perform the functions of a Data Protection
Officer in a organization?
Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an
individual or individuals who shall perform the functions of a Data Protection Officer or a
Compliance Officer.

 How is privileged information treated by the Data Privacy Act?

Much like sensitive personal information, the processing of privileged information is
prohibited by the law.

 What are the cases where the processing of sensitive personal information and privileged
information is allowed?
 Section 13 of the Data Privacy Act enumerates the cases where sensitive personal
information and privileged information may be processed. These are the following:
 (a) The data subject has given his or her consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange have
given their consent prior to processing;
 (b) The processing of the same is provided for by existing laws and regulations:
Provided, That such regulatory enactments guarantee the protection of the sensitive
personal information and the privileged information: Provided, further, That the
consent of the data subjects are not required by law or regulation permitting the
processing of the sensitive personal information or the privileged information;
 (c) The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his
or her consent prior to the processing;
 (d) The processing is necessary to achieve the lawful and noncommercial objectives
of public organizations and their associations: Provided, That such processing is
 only confined and related to the bona fide members of these organizations or their
associations: Provided, further, That the sensitive personal information are not
transferred to third parties: Provided, finally, That consent of the data subject was
obtained prior to processing;
 (e) The processing is necessary for purposes of medical treatment, is carried out by
a medical practitioner or a medical treatment institution, and an adequate level of
protection of personal information is ensured; or
 (f) The processing concerns such personal information as is necessary for the
protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or when
provided to government or public authority.