Implementing Rules and Regulations (IRR)
Legal and Compliance Department
05 September 2017

Data Privacy Act (DPA) of 2012

An Act protecting individual personal information and communication systems in the Government and the Private Sector, creating for this purpose a National Privacy Commission, and for other purposes.

Objectives

❖ To safeguard the fundamental human right of every individual to privacy while ensuring the free flow of information for innovation, growth, and national development;
❖ To regulate the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data;
❖ To ensure that the Philippines complies with international standards set for data protection through the National Privacy Commission (NPC).

Coverage
The Data Privacy Act of 2012 applies to the processing of personal data by any natural or juridical person. This includes acts done or practices engaged in both within and outside the Philippines.

KEY CONCEPTS
Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. (R.A. 10173, Section 3.l)

KEY CONCEPTS

Sensitive Personal Information refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified. (R.A. 10173, Section 3.t)

Exception (Special Cases)
1. Information processed for purposes of allowing public access to information that falls within matters of public concern;
2. Personal information processed for journalistic, artistic or literary purposes, in order to uphold freedom of speech, of expression, or of the press, subject to the requirements of other applicable laws or regulations;
3. Personal information that will be processed for research purposes, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards;
4. Information necessary in order to carry out the functions of a public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or a regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law.
5. Information necessary for banks, other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies authorized by law, to the extent necessary to comply with R.A. No. 9510 (Credit Information System Act) and R.A. No. 9160 (Anti-Money Laundering Act); and
6. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Mandate
The National Privacy Commission (NPC) is the body mandated to administer and implement this Act, and to monitor and ensure compliance with international standards set for personal data protection.

NPC’s FIVE DATA PRIVACY GUIDELINES

1. Appoint a DATA PROTECTION OFFICER (DPO)
2. Conduct a PRIVACY IMPACT ASSESSMENT (PIA)
3. Create a PRIVACY MANAGEMENT PROGRAM (PMP)
4. Implement Privacy and Data Protection measures
5. Regularly exercise Breach Reporting Procedures (BRP)

Appointing a DATA PROTECTION OFFICER (DPO)
Designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO.

Conduct Privacy Impact Assessment
A Privacy Impact Assessment is a process undertaken and used by a government agency to evaluate and manage the impact of its program, process and/or measure on data privacy.

Create Privacy Management Program
Your PRIVACY MANAGEMENT PROGRAM (PMP) serves to align everyone in the organization in the same direction, to facilitate compliance with the Data Privacy Act and the issuances of the NPC, and to help your organization mitigate the impact of a data breach.

Implement Privacy and Data Protection measures
The measures laid out in your privacy and data protection policies should not remain theoretical. They must be continuously assessed, reviewed and revised as necessary, and training must be conducted regularly.

Regularly exercise your Breach Reporting Procedures
Upon the discovery of a personal data breach, or reasonable suspicion thereof, it is important to conduct an initial assessment of the breach, to mitigate its impact, and to notify both the affected data subjects and the NPC within 72 hours of discovery.

General Data Privacy Principles
The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality.

Enforcement of the Data Privacy Act
1. Registration of Personal Data Processing Systems operating in the country that involve accessing or requiring sensitive personal information of at least 1,000 individuals;
2. Notification of Automated Processing Operations where the processing becomes the sole basis for making decisions that would significantly affect the data subject;
3. Annual Report of the Summary of documented security incidents and personal data breaches;
4. Compliance with other requirements that may be provided in other issuances of the Commission.

Rules on Accountability
A Personal Information Controller (PIC) is responsible for any personal data under its control or custody, including information that has been outsourced or transferred to a PIP or third party for processing.

The PIC shall be accountable for complying with the requirements of this Act, these Rules and other issuances of the Commission.

Penalties