
“Data Privacy Act of 2012” (R.A. No. 10173) and Its Implementing Rules and Regulations (IRR)
Legal and Compliance Department
05 September 2017
Data Privacy Act (DPA) of 2012

An Act protecting individual personal information in information and communications systems in the Government and the Private Sector, creating for this purpose a National Privacy Commission, and for other purposes.
Objectives

❖ To safeguard the fundamental human right of every individual to privacy while ensuring the free flow of information for innovation, growth, and national development;
❖ To regulate the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data;
❖ To ensure that the Philippines complies with international standards set for data protection, through the National Privacy Commission (NPC).
Coverage

The Data Privacy Act of 2012 applies to the processing of personal data by any natural or juridical person. This includes acts done or practices engaged in both within and outside the Philippines.
KEY CONCEPTS

Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual. (R.A. 10173, Section 3.l)
KEY CONCEPTS

Sensitive Personal Information refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies and peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified. (R.A. 10173, Section 3.t)
Exception (Special Cases)

1. Information processed for purposes of allowing public access to information that falls within the matters of public concern;
2. Personal information processed for journalistic, artistic or literary purposes, in order to uphold freedom of speech, of expression, or of the press, subject to the requirements of other applicable laws or regulations;
3. Personal information that will be processed for research purposes intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards;
4. Information necessary in order to carry out the functions of a public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or a regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law;
5. Information necessary for banks, other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies authorized by law, to the extent necessary to comply with R.A. No. 9510 (Credit Information System Act) and R.A. No. 9160 (Anti-Money Laundering Act);
6. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
Mandate

The National Privacy Commission (NPC) is the body mandated to administer and implement this Act, and to monitor and ensure compliance with international standards set for personal data protection.
NPC’s FIVE DATA PRIVACY GUIDELINES

1. Appoint a DATA PROTECTION OFFICER (DPO)
2. Conduct a PRIVACY IMPACT ASSESSMENT (PIA)
3. Create a PRIVACY MANAGEMENT PROGRAM (PMP)
4. Implement Privacy and Data Protection measures
5. Regularly exercise Breach Reporting Procedures (BRP)
Appointing a DATA PROTECTION OFFICER (DPO)

Designating a DPO is the first essential step towards compliance. You cannot register your systems with the NPC unless you have a DPO.
Conduct a Privacy Impact Assessment

A Privacy Impact Assessment is a process undertaken and used by a government agency to evaluate and manage the impact of its program, process and/or measure on data privacy.
Create a Privacy Management Program

Your PRIVACY MANAGEMENT PROGRAM (PMP) serves to align everyone in the organization in the same direction, to facilitate compliance with the Data Privacy Act and the issuances of the NPC, and to help your organization mitigate the impact of a data breach.
Implement Privacy and Data Protection measures

The measures laid out in your privacy and data protection policies should not remain theoretical. They must be continuously assessed, reviewed and revised as necessary, and training must be conducted regularly.
Regularly exercise your Breach Reporting Procedures

Upon the discovery of a personal data breach, or reasonable suspicion thereof, it is important to conduct an initial assessment of the breach, to mitigate its impact, and to notify both the affected data subjects and the NPC within 72 hours of discovery.
General Data Privacy Principles

The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality.
Enforcement of the Data Privacy Act

1. Registration of Personal Data Processing Systems operating in the country that involve accessing or requiring sensitive personal information of at least 1,000 individuals;
2. Notification of Automated Processing Operations where the processing becomes the sole basis for making decisions that would significantly affect the data subject;
3. Annual Report of the summary of documented security incidents and personal data breaches;
4. Compliance with other requirements that may be provided in other issuances of the Commission.
Rules on Accountability

The Personal Information Controller (PIC) is responsible for any personal data under its control or custody, including information that has been outsourced or transferred to a Personal Information Processor (PIP) or third party for processing.

The PIC shall be accountable for complying with the requirements of this Act, these Rules and other issuances of the Commission.
Penalties