You are on page 1of 27

DATA PRIVACY ACT OF 2012

R. A. 10173

AN ACT PROTECTING INDIVIDUAL PERSONAL


INFORMATION IN INFORMATION AND
COMMUNICATIONS SYSTEMS IN THE GOVERNMENT
AND THE PRIVATE SECTOR, CREATING FOR THIS
PURPOSE A NATIONAL PRIVACY COMMISSION, AND
FOR OTHER PURPOSES
Purpose of the Law
Due to modernization and demands of the
private sector and government for a free flow
of information, there is a need to put
limitations to uphold data privacy and protect
the fundamental right to privacy.

Created the National Privacy Commission


Data Privacy
Right to control ones personal information which
consists any data used to identify an individual

The law gives the person the right of control on


What data to be collected
How will it be collected
Why will it be collected
How long the data will be used
Parties
Data Subject individuals whose personal
information is processed

Personal Information Controller natural/juridical


person who controls the processing of personal
data

Personal Information Processor natural/juridical


to whom PIC may outsource data
SCOPE
The law applies to processing of personal data
of any natural and juridical person in the
government or private sector.

They apply to any act done or practice


engaged in and outside the Philippines, if:
1. The data subject is found in the Philippines
2. The data subject is a Philippine citizen or
Philippine resident
3. Processing is done in the Philippines
Not Applicable
The law does not apply to the following:
Officer or government employee as to
the fact that he is an employee of the government
title, office address and telephone number
classification, salary range, and responsibilities held
his or her name in a document prepared during his or her employment

One who performs service under contract for a government


institution, only in so far as it relates to such service,
including his name and terms of contract.

If a benefit of financial nature is conferred upon the discretion


of the government (i.e. granting of license or permit)
Journalistic, artistic or literary purpose
Research intended for public benefit
Information necessary to carry out the
functions of public authority
Information necessary for the banks and other
financial institutions
Data Sharing
Disclosure or transfer to a third party of personal
data under the custody of a personal information
controller or personal information processor.

Data sharing is allowed if


Authorized by law
Data subject consents
Adheres to the principles of transparency,
legitimitate purpose and proportionality
General Data Privacy Principles
Principle of Transparency
The data subject must be aware of the nature,
purpose, and extent of the processing of his or her
personal data

Legitimate Purpose
It must not be contrary to law, morals, or
public policy

Principle of Proportionality
It must be adequate, relevant, suitable,
necessary, and not excessive in relation to a
declared and specified purpose
Rights of the Data Subject

Right to be Informed
The data subject has a right to be informed
whether personal data pertaining to him are
being processed.
Rights of the Data Subject
Right to Object
The data subject can withhold the personal
information unless needed pursuant to a
subpoena, or of legal obligation.

Right to Access
The data subject has the right to know the
contents of the data processed, identity of the
controller as well as the reasons for disclosure.
Rights of the Data Subject
Right to Rectification
The data subject has the right to dispute
the inaccuracy or error in the personal data

Right to Erasure or Blocking


The data subject can suspend, withdraw
or order the blocking, removal or destruction of
his or her personal data from the personal
information controllers filing system.
Rights of the Data Subject
Right to Damages
The data subject can be indemnified for
any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained
or unauthorized use of personal data, taking into
account any violation of his or her rights and
freedoms as data subject.
Right of Data Portability
Where his or her personal data is
processed by electronic means and in a
structured and commonly used format, the
data subject shall have the right to obtain from
the personal information controller a copy of
such data in an electronic or structured format
that is commonly used and allows for further
use by the data subject.
Security of Sensitive Personal
Information in the Government
Responsibility of Heads of Agencies
All sensitive personal information
maintained by the government, its agencies, and
instrumentalities shall be secured.

The head of each government agency or


instrumentality shall be responsible for
complying with the security requirements.
Requirements
a. On-site and Online Access
No employee of the government shall have
access to sensitive personal information on
government property or through online facilities unless
he or she the employee has received a security
clearance from the head of the source agency. Such
employee can only be granted a security clearance
when the performance of his or her official functions
or the provision of a public service directly depends on
and cannot otherwise be performed unless access to
the personal data is allowed.
b. Off-site access

Sensitive personal information maintained by an


agency may not be transported or accessed from a
location off or outside of government property,
whether by its agent or employee, unless the head of
agency has ensured the implementation of privacy
policies and appropriate security measures. A request
for such transportation or access shall be submitted to
and approved by the head of agency. The request
must include proper accountability mechanisms in the
processing of data.
Applicability to Government Contractors

In entering into any contract with a private


service provider that may involve accessing or requiring
sensitive personal information from one thousand
(1,000) or more individuals, a government agency shall
require such service provider and its employees to
register their personal data processing system with
the Commission in accordance with the Act and these
Rules.
Punishable Acts
Unauthorized Processing
Accessing Information Due to Negligence
Improper Disposal
Unauthorized Purposes
Unauthorized Access or Intentional Breach
Concealment of Security Breaches
Malicious Disclosure
Unauthorized Disclosure
National Privacy Commission

Mandate

To administer and implement the provisions of


law
To ensure and monitor compliance
POWERS OF NPC
Rule-Making
Advisory
Public education
Compliance and Monitoring
Complaints and Investigations
Enforcement
RULE MAKING
Recommending organizational, physical and
technical security measures for personal data
protection
Issuing guidelines, rules and regulations
ADVISORY
Commenting on the implication on data privacy of proposed
national or local statutes, regulations or procedures, issuing
advisory opinions, and interpreting the provisions of the Act
and other data privacy laws;

Reviewing, approving, rejecting, or requiring modification of


privacy codes voluntarily adhered to by personal information
controllers

Assisting Philippine companies doing business abroad to


respond to data protection laws and regulations.
PUBLIC EDUCATION
Publishing, on a regular basis, a guide to all laws
relating to data protection;
COMPLIANCE AND MONITORING
Ensuring compliance by personal information
controllers with the provisions of the Act;

Monitoring the compliance of all government


agencies or instrumentalities as regards their security
and technical measures, and recommending the
necessary action in order to meet minimum
standards for protection of personal data pursuant to
the Act;
COMPLAINTS AND INVESTIGATIONS
Receiving complaints and instituting
investigations regarding violations of the Act
Summoning witnesses, and requiring the
production of evidence
Facilitating or enabling settlement of
complaints and adjudication.
Preparing reports on the disposition of
complaints and investigation
ENFORCEMENT
The Commission shall perform all acts as may be
necessary to effectively implement the Act,
these Rules, and its other issuances, and to
enforce its Orders, Resolutions or Decisions,
including the imposition of administrative
sanctions, fines, or penalties.

You might also like