Republic of the Philippines information is not processed by equipment operating

Congress of the Philippines automatically in response to instructions given for that purpose,
Metro Manila the set is structured, either by reference to individuals or by
Fifteenth Congress reference to criteria relating to individuals, in such a way that
Second Regular Session specific information relating to a particular person is readily
accessible.
Begun and held in Metro Manila, on Monday, the twenty-fifth
day of July, two thousand eleven. (f) Information and Communications System refers to a system
for generating, sending, receiving, storing or otherwise
[REPUBLIC ACT NO. 10173] processing electronic data messages or electronic documents
and includes the computer system or other similar device by or
which data is recorded, transmitted or stored and any procedure
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN
related to the recording, transmission or storage of electronic
INFORMATION AND COMMUNICATIONS SYSTEMS IN THE
data, electronic message, or electronic document.
GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS
PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER
PURPOSES (g) Personal information refers to any information whether
recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly
Be it enacted, by the Senate and House of Representatives of the
ascertained by the entity holding the information, or when put
Philippines in Congress assembled:
together with other information would directly and certainly
identify an individual.
CHAPTER I
GENERAL PROVISIONS
(h) Personal information controller refers to a person or
organization who controls the collection, holding, processing or
SECTION 1. Short Title. – This Act shall be known as the “Data use of personal information, including a person or organization
Privacy Act of 2012”. who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or
SEC. 2. Declaration of Policy. – It is the policy of the State to her behalf. The term excludes:
protect the fundamental human right of privacy, of
communication while ensuring free flow of information to (1) A person or organization who performs such functions as
promote innovation and growth. The State recognizes the vital instructed by another person or organization; and
role of information and communications technology in nation-
building and its inherent obligation to ensure that personal
(2) An individual who collects, holds, processes or uses personal
information in information and communications systems in the
information in connection with the individual’s personal, family
government and in the private sector are secured and protected.
or household affairs.
SEC. 3. Definition of Terms. – Whenever used in this Act, the
(i) Personal information processor refers to any natural or
following terms shall have the respective meanings hereafter set
juridical person qualified to act as such under this Act to whom a
forth:
personal information controller may outsource the processing of
personal data pertaining to a data subject.
(a) Commission shall refer to the National Privacy Commission
created by virtue of this Act.
(j) Processing refers to any operation or any set of operations
performed upon personal information including, but not limited
(b) Consent of the data subject refers to any freely given, specific, to, the collection, recording, organization, storage, updating or
informed indication of will, whereby the data subject agrees to modification, retrieval, consultation, use, consolidation, blocking,
the collection and processing of personal information about erasure or destruction of data.
and/or relating to him or her. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on
(k) Privileged information refers to any and all forms of data
behalf of the data subject by an agent specifically authorized by
which under the Rules of Court and other pertinent laws
the data subject to do so.
constitute privileged communication.
(c) Data subject refers to an individual whose personal
(l) Sensitive personal information refers to personal information:
information is processed.

(1) About an individual’s race, ethnic origin, marital status, age,

(d) Direct marketing refers to communication by whatever means
color, and religious, philosophical or political affiliations;
of any advertising or marketing material which is directed to
particular individuals.
(2) About an individual’s health, education, genetic or sexual life
of a person, or to any proceeding for any offense committed or
(e) Filing system refers to any act of information relating to
alleged to have been committed by such person, the disposal of
natural or juridical persons to the extent that, although the
such proceedings, or the sentence of any court in such Republic Act No. 1405, otherwise known as the Secrecy of Bank
proceedings; Deposits Act; Republic Act No. 6426, otherwise known as the
Foreign Currency Deposit Act; and Republic Act No. 9510,
(3) Issued by government agencies peculiar to an individual otherwise known as the Credit Information System Act (CISA);
which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials, (f) Information necessary for banks and other financial
suspension or revocation, and tax returns; and institutions under the jurisdiction of the independent, central
monetary authority or Bangko Sentral ng Pilipinas to comply with
(4) Specifically established by an executive order or an act of Republic Act No. 9510, and Republic Act No. 9160, as amended,
Congress to be kept classified. otherwise known as the Anti-Money Laundering Act and other
applicable laws; and
SEC. 4. Scope. – This Act applies to the processing of all types of
personal information and to any natural and juridical person (g) Personal information originally collected from residents of
involved in personal information processing including those foreign jurisdictions in accordance with the laws of those foreign
personal information controllers and processors who, although jurisdictions, including any applicable data privacy laws, which is
not found or established in the Philippines, use equipment that being processed in the Philippines.
are located in the Philippines, or those who maintain an office,
branch or agency in the Philippines subject to the immediately SEC. 5. Protection Afforded to Journalists and Their Sources.
succeeding paragraph: Provided, That the requirements of – Nothing in this Act shall be construed as to have amended or
Section 5 are complied with. repealed the provisions of Republic Act No. 53, which affords the
publishers, editors or duly accredited reporters of any
This Act does not apply to the following: newspaper, magazine or periodical of general circulation
protection from being compelled to reveal the source of any
news report or information appearing in said publication which
(a) Information about any individual who is or was an officer or
was related in any confidence to such publisher, editor, or
employee of a government institution that relates to the position
reporter.
or functions of the individual, including:

SEC. 6. Extraterritorial Application. – This Act applies to an act

(1) The fact that the individual is or was an officer or employee of
done or practice engaged in and outside of the Philippines by an
the government institution;
entity if:
(2) The title, business address and office telephone number of
(a) The act, practice or processing relates to personal information
the individual;
about a Philippine citizen or a resident;
(3) The classification, salary range and responsibilities of the
(b) The entity has a link with the Philippines, and the entity is
position held by the individual; and
processing personal information in the Philippines or even if the
processing is outside the Philippines as long as it is about
(4) The name of the individual on a document prepared by the Philippine citizens or residents such as, but not limited to, the
individual in the course of employment with the government; following:

(b) Information about an individual who is or was performing (1) A contract is entered in the Philippines;
service under contract for a government institution that relates
to the services performed, including the terms of the contract,
(2) A juridical entity unincorporated in the Philippines but has
and the name of the individual given in the course of the
central management and control in the country; and
performance of those services;

(3) An entity that has a branch, agency, office or subsidiary in the

(c) Information relating to any discretionary benefit of a financial
Philippines and the parent or affiliate of the Philippine entity has
nature such as the granting of a license or permit given by the
access to personal information; and
government to an individual, including the name of the individual
and the exact nature of the benefit;
(c) The entity has other links in the Philippines such as, but not
limited to:
(d) Personal information processed for journalistic, artistic,
literary or research purposes;
(1) The entity carries on business in the Philippines; and
(e) Information necessary in order to carry out the functions of
public authority which includes the processing of personal data (2) The personal information was collected or held by an entity in
for the performance by the independent, central monetary the Philippines.
authority and law enforcement and regulatory agencies of their
constitutionally and statutorily mandated functions. Nothing in Back To Top
this Act shall be construed as to have amended or repealed
CHAPTER II underlying data privacy principles embodied in this
THE NATIONAL PRIVACY COMMISSION Act: Provided, further,That such privacy codes may include
private dispute resolution mechanisms for complaints against
SEC. 7. Functions of the National Privacy Commission. – To any participating personal information controller. For this
administer and implement the provisions of this Act, and to purpose, the Commission shall consult with relevant regulatory
monitor and ensure compliance of the country with international agencies in the formulation and administration of privacy codes
standards set for data protection, there is hereby created an applying the standards set out in this Act, with respect to the
independent body to be known as the National Privacy persons, entities, business activities and business sectors that
Commission, winch shall have the following functions: said regulatory bodies are authorized to principally regulate
pursuant to the law: Provided, finally. That the Commission may
review such privacy codes and require changes thereto for
(a) Ensure compliance of personal information controllers with
purposes of complying with this Act;
the provisions of this Act;

(k) Provide assistance on matters relating to privacy or data

(b) Receive complaints, institute investigations, facilitate or
protection at the request of a national or local agency, a private
enable settlement of complaints through the use of alternative
entity or any person;
dispute resolution processes, adjudicate, award indemnity on
matters affecting any personal information, prepare reports on
disposition of complaints and resolution of any investigation it (l) Comment on the implication on data privacy of proposed
initiates, and, in cases it deems appropriate, publicize any such national or local statutes, regulations or procedures, issue
report: Provided, That in resolving any complaint or investigation advisory opinions and interpret the provisions of this Act and
(except where amicable settlement is reached by the parties), other data privacy laws;
the Commission shall act as a collegial body. For this purpose, the
Commission may be given access to personal information that is (m) Propose legislation, amendments or modifications to
subject of any complaint and to collect the information necessary Philippine laws on privacy or data protection as may be
to perform its functions under this Act; necessary;

(c) Issue cease and desist orders, impose a temporary or (n) Ensure proper and effective coordination with data privacy
permanent ban on the processing of personal information, upon regulators in other countries and private accountability agents,
finding that the processing will be detrimental to national participate in international and regional initiatives for data
security and public interest; privacy protection;

(d) Compel or petition any entity, government agency or (o) Negotiate and contract with other data privacy authorities of
instrumentality to abide by its orders or take action on a matter other countries for cross-border application and implementation
affecting data privacy; of respective privacy laws;

(e) Monitor the compliance of other government agencies or (p) Assist Philippine companies doing business abroad to respond
instrumentalities on their security and technical measures and to foreign privacy or data protection laws and regulations; and
recommend the necessary action in order to meet minimum
standards for protection of personal information pursuant to this (q) Generally perform such acts as may be necessary to facilitate
Act; cross-border enforcement of data privacy protection.

(f) Coordinate with other government agencies and the private SEC. 8. Confidentiality. – The Commission shall ensure at all times
sector on efforts to formulate and implement plans and policies the confidentiality of any personal information that comes to its
to strengthen the protection of personal information in the knowledge and possession.
country;
SEC. 9. Organizational Structure of the Commission. – The
(g) Publish on a regular basis a guide to all laws relating to data Commission shall be attached to the Department of Information
protection; and Communications Technology (DICT) and shall be headed by a
Privacy Commissioner, who shall also act as Chairman of the
(h) Publish a compilation of agency system of records and Commission. The Privacy Commissioner shall be assisted by two
notices, including index and other finding aids; (2) Deputy Privacy Commissioners, one to be responsible for
Data Processing Systems and one to be responsible for Policies
(i) Recommend to the Department of Justice (DOJ) the and Planning. The Privacy Commissioner and the two (2) Deputy
prosecution and imposition of penalties specified in Sections 25 Privacy Commissioners shall be appointed by the President of the
to 29 of this Act; Philippines for a term of three (3) years, and may be reappointed
for another term of three (3) years. Vacancies in the Commission
shall be filled in the same manner in which the original
(j) Review, approve, reject or require modification of privacy
appointment was made.
codes voluntarily adhered to by personal information
controllers:Provided, That the privacy codes shall adhere to the
The Privacy Commissioner must be at least thirty-five (35) years (d) Adequate and not excessive in relation to the purposes for
of age and of good moral character, unquestionable integrity and which they are collected and processed;
known probity, and a recognized expert in the field of
information technology and data privacy. The Privacy (e) Retained only for as long as necessary for the fulfillment of
Commissioner shall enjoy the benefits, privileges and the purposes for which the data was obtained or for the
emoluments equivalent to the rank of Secretary. establishment, exercise or defense of legal claims, or for
legitimate business purposes, or as provided by law; and
The Deputy Privacy Commissioners must be recognized experts
in the field of information and communications technology and (f) Kept in a form which permits identification of data subjects for
data privacy. They shall enjoy the benefits, privileges and no longer than is necessary for the purposes for which the data
emoluments equivalent to the rank of Undersecretary. were collected and processed: Provided, That personal
information collected for other purposes may lie processed for
The Privacy Commissioner, the Deputy Commissioners, or any historical, statistical or scientific purposes, and in cases laid down
person acting on their behalf or under their direction, shall not in law may be stored for longer periods: Provided, further,That
be civilly liable for acts done in good faith in the performance of adequate safeguards are guaranteed by said laws authorizing
their duties. However, he or she shall be liable for willful or their processing.
negligent acts done by him or her which are contrary to law,
morals, public policy and good customs even if he or she acted The personal information controller must ensure implementation
under orders or instructions of superiors: Provided, That in case a of personal information processing principles set out herein.
lawsuit is filed against such official on the subject of the
performance of his or her duties, where such performance is
SEC. 12. Criteria for Lawful Processing of Personal Information. –
lawful, he or she shall be reimbursed by the Commission for
The processing of personal information shall be permitted only if
reasonable costs of litigation.
not otherwise prohibited by law, and when at least one of the
following conditions exists:
SEC. 10. The Secretariat. – The Commission is hereby authorized
to establish a Secretariat. Majority of the members of the
(a) The data subject has given his or her consent;
Secretariat must have served for at least five (5) years in any
agency of the government that is involved in the processing of
personal information including, but not limited to, the following (b) The processing of personal information is necessary and is
offices: Social Security System (SSS), Government Service related to the fulfillment of a contract with the data subject or in
Insurance System (GSIS), Land Transportation Office (LTO), order to take steps at the request of the data subject prior to
Bureau of Internal Revenue (BIR), Philippine Health Insurance entering into a contract;
Corporation (PhilHealth), Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA), Department of Justice (c) The processing is necessary for compliance with a legal
(DOJ), and Philippine Postal Corporation (Philpost). obligation to which the personal information controller is
subject;
Back To Top
CHAPTER III (d) The processing is necessary to protect vitally important
PROCESSING OF PERSONAL INFORMATION interests of the data subject, including life and health;

SEC. 11. General Data Privacy Principles. – The processing of (e) The processing is necessary in order to respond to national
personal information shall be allowed, subject to compliance emergency, to comply with the requirements of public order and
with the requirements of this Act and other laws allowing safety, or to fulfill functions of public authority which necessarily
disclosure of information to the public and adherence to the includes the processing of personal data for the fulfillment of its
principles of transparency, legitimate purpose and mandate; or
proportionality.
(f) The processing is necessary for the purposes of the legitimate
Personal information must, be:, interests pursued by the personal information controller or by a
third party or parties to whom the data is disclosed, except
(a) Collected for specified and legitimate purposes determined where such interests are overridden by fundamental rights and
and declared before, or as soon as reasonably practicable after freedoms of the data subject which require protection under the
collection, and later processed in a way compatible with such Philippine Constitution.
declared, specified and legitimate purposes only;
SEC. 13. Sensitive Personal Information and Privileged
(b) Processed fairly and lawfully; Information. – The processing of sensitive personal information
and privileged information shall be prohibited, except in the
following cases:
(c) Accurate, relevant and, where necessary for purposes for
which it is to be used the processing of personal information,
kept up to date; inaccurate or incomplete data must be rectified, (a) The data subject has given his or her consent, specific to the
supplemented, destroyed or their further processing restricted; purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent (a) Be informed whether personal information pertaining to him
prior to processing; or her shall be, are being or have been processed;

(b) The processing of the same is provided for by existing laws (b) Be furnished the information indicated hereunder before the
and regulations: Provided, That such regulatory enactments entry of his or her personal information into the processing
guarantee the protection of the sensitive personal information system of the personal information controller, or at the next
and the privileged information: Provided, further, That the practical opportunity:
consent of the data subjects are not required by law or
regulation permitting the processing of the sensitive personal (1) Description of the personal information to be entered into the
information or the privileged information; system;

(c) The processing is necessary to protect the life and health of (2) Purposes for which they are being or are to be processed;
the data subject or another person, and the data subject is not
legally or physically able to express his or her consent prior to the
(3) Scope and method of the personal information processing;
processing;
(4) The recipients or classes of recipients to whom they are or
(d) The processing is necessary to achieve the lawful and
may be disclosed;
noncommercial objectives of public organizations and their
associations: Provided, That such processing is only confined and
related to the bona fide members of these organizations or their (5) Methods utilized for automated access, if the same is allowed
associations: Provided, further, That the sensitive personal by the data subject, and the extent to which such access is
information are not transferred to third parties: Provided, authorized;
finally, That consent of the data subject was obtained prior to
processing; (6) The identity and contact details of the personal information
controller or its representative;
(e) The processing is necessary for purposes of medical
treatment, is carried out by a medical practitioner or a medical (7) The period for which the information will be stored; and
treatment institution, and an adequate level of protection of
personal information is ensured; or (8) The existence of their rights, i.e., to access, correction, as well
as the right to lodge a complaint before the Commission.
(f) The processing concerns such personal information as is
necessary for the protection of lawful rights and interests of Any information supplied or declaration made to the data subject
natural or legal persons in court proceedings, or the on these matters shall not be amended without prior notification
establishment, exercise or defense of legal claims, or when of data subject: Provided, That the notification under subsection
provided to government or public authority. (b) shall not apply should the personal information be needed
pursuant to a subpoena or when the collection and processing
SEC. 14. Subcontract of Personal Information. – A personal are for obvious purposes, including when it is necessary for the
information controller may subcontract the processing of performance of or in relation to a contract or service or when
personal information: Provided, That the personal information necessary or desirable in the context of an employer-employee
controller shall be responsible for ensuring that proper relationship, between the collector and the data subject, or
safeguards are in place to ensure the confidentiality of the when the information is being collected and processed as a result
personal information processed, prevent its use for unauthorized of legal obligation;
purposes, and generally, comply with the requirements of this
Act and other laws for processing of personal information. The (c) Reasonable access to, upon demand, the following:
personal information processor shall comply with all the
requirements of this Act and other applicable laws. (1) Contents of his or her personal information that were
processed;
SEC. 15. Extension of Privileged Communication. – Personal
information controllers may invoke the principle of privileged (2) Sources from which personal information were obtained;
communication over privileged information that they lawfully
control or process. Subject to existing laws and regulations, any
(3) Names and addresses of recipients of the personal
evidence gathered on privileged information is inadmissible.
information;

Back To Top
(4) Manner by which such data were processed;
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
(5) Reasons for the disclosure of the personal information to
recipients;
SEC. 16. Rights of the Data Subject. – The data subject is entitled
to:
(6) Information on automated processes where the data will or preceding sections are not applicable to processing of personal
likely to be made as the sole basis for any decision significantly information gathered for the purpose of investigations in relation
affecting or will affect the data subject; to any criminal, administrative or tax liabilities of a data subject.

(7) Date when his or her personal information concerning the Back To Top
data subject were last accessed and modified; and CHAPTER V
SECURITY OF PERSONAL INFORMATION
(8) The designation, or name or identity and address of the
personal information controller; SEC. 20. Security of Personal Information. – (a) The personal
information controller must implement reasonable and
(d) Dispute the inaccuracy or error in the personal information appropriate organizational, physical and technical measures
and have the personal information controller correct it intended for the protection of personal information against any
immediately and accordingly, unless the request is vexatious or accidental or unlawful destruction, alteration and disclosure, as
otherwise unreasonable. If the personal information have been well as against any other unlawful processing.
corrected, the personal information controller shall ensure the
accessibility of both the new and the retracted information and (b) The personal information controller shall implement
the simultaneous receipt of the new and the retracted reasonable and appropriate measures to protect personal
information by recipients thereof: Provided, That the third information against natural dangers such as accidental loss or
parties who have previously received such processed personal destruction, and human dangers such as unlawful access,
information shall he informed of its inaccuracy and its fraudulent misuse, unlawful destruction, alteration and
rectification upon reasonable request of the data subject; contamination.

(e) Suspend, withdraw or order the blocking, removal or (c) The determination of the appropriate level of security under
destruction of his or her personal information from the personal this section must take into account the nature of the personal
information controller’s filing system upon discovery and information to be protected, the risks represented by the
substantial proof that the personal information are incomplete, processing, the size of the organization and complexity of its
outdated, false, unlawfully obtained, used for unauthorized operations, current data privacy best practices and the cost of
purposes or are no longer necessary for the purposes for which security implementation. Subject to guidelines as the
they were collected. In this case, the personal information Commission may issue from time to time, the measures
controller may notify third parties who have previously received implemented must include:
such processed personal information; and
(1) Safeguards to protect its computer network against
(f) Be indemnified for any damages sustained due to such accidental, unlawful or unauthorized usage or interference with
inaccurate, incomplete, outdated, false, unlawfully obtained or or hindering of their functioning or availability;
unauthorized use of personal information.
(2) A security policy with respect to the processing of personal
SEC. 17. Transmissibility of Rights of the Data Subject. – The information;
lawful heirs and assigns of the data subject may invoke the rights
of the data subject for, which he or she is an heir or assignee at (3) A process for identifying and accessing reasonably
any time after the death of the data subject or when the data foreseeable vulnerabilities in its computer networks, and for
subject is incapacitated or incapable of exercising the rights as taking preventive, corrective and mitigating action against
enumerated in the immediately preceding section. security incidents that can lead to a security breach; and

SEC. 18. Right to Data Portability. – The data subject shall have (4) Regular monitoring for security breaches and a process for
the right, where personal information is processed by electronic taking preventive, corrective and mitigating action against
means and in a structured and commonly used format, to obtain security incidents that can lead to a security breach.
from the personal information controller a copy of data
undergoing processing in an electronic or structured format,
(d) The personal information controller must further ensure that
which is commonly used and allows for further use by the data
third parties processing personal information on its behalf shall
subject. The Commission may specify the electronic format
implement the security measures required by this provision.
referred to above, as well as the technical standards, modalities
and procedures for their transfer.
(e) The employees, agents or representatives of a personal
information controller who are involved in the processing of
SEC. 19. Non-Applicability. – The immediately preceding sections
personal information shall operate and hold personal
are not applicable if the processed personal information are used
information under strict confidentiality if the personal
only for the needs of scientific and statistical research and, on
information are not intended for public disclosure. This
the basis of such, no activities are carried out and no decisions
obligation shall continue even after leaving the public service,
are taken regarding the data subject: Provided, That the personal
transfer to another position or upon termination of employment
information shall be held under strict confidentiality and shall be
or contractual relations.
used only for the declared purpose. Likewise, the immediately
(f) The personal information controller shall promptly notify the the use of the most appropriate standard recognized by the
Commission and affected data subjects when sensitive personal information and communications technology industry, and as
information or other information that may, under the recommended by the Commission. The head of each
circumstances, be used to enable identity fraud are reasonably government agency or instrumentality shall be responsible for
believed to have been acquired by an unauthorized person, and complying with the security requirements mentioned herein
the personal information controller or the Commission believes while the Commission shall monitor the compliance and may
(bat such unauthorized acquisition is likely to give rise to a real recommend the necessary action in order to satisfy the minimum
risk of serious harm to any affected data subject. The notification standards.
shall at least describe the nature of the breach, the sensitive
personal information possibly involved, and the measures taken SEC. 23. Requirements Relating to Access by Agency Personnel to
by the entity to address the breach. Notification may be delayed Sensitive Personal Information. – (a) On-site and Online Access –
only to the extent necessary to determine the scope of the Except as may be allowed through guidelines to be issued by the
breach, to prevent further disclosures, or to restore reasonable Commission, no employee of the government shall have access
integrity to the information and communications system. to sensitive personal information on government property or
through online facilities unless the employee has received a
(1) In evaluating if notification is unwarranted, the Commission security clearance from the head of the source agency.
may take into account compliance by the personal information
controller with this section and existence of good faith in the (b) Off-site Access – Unless otherwise provided in guidelines to
acquisition of personal information. be issued by the Commission, sensitive personal information
maintained by an agency may not be transported or accessed
(2) The Commission may exempt a personal information from a location off government property unless a request for
controller from notification where, in its reasonable judgment, such transportation or access is submitted and approved by the
such notification would not be in the public interest or in the head of the agency in accordance with the following guidelines:
interests of the affected data subjects.
(1) Deadline for Approval or Disapproval – In the case of any
(3) The Commission may authorize postponement of notification request submitted to the head of an agency, such head of the
where it may hinder the progress of a criminal investigation agency shall approve or disapprove the request within two (2)
related to a serious breach. business days after the date of submission of the request. In case
there is no action by the head of the agency, then such request is
Back To Top considered disapproved;
CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION (2) Limitation to One thousand (1,000) Records – If a request is
approved, the head of the agency shall limit the access to not
SEC. 21. Principle of Accountability. – Each personal information more than one thousand (1,000) records at a time; and
controller is responsible for personal information under its
control or custody, including information that have been (3) Encryption – Any technology used to store, transport or
transferred to a third party for processing, whether domestically access sensitive personal information for purposes of off-site
or internationally, subject to cross-border arrangement and access approved under this subsection shall be secured by the
cooperation. use of the most secure encryption standard recognized by the
Commission.
(a) The personal information controller is accountable for
complying with the requirements of this Act and shall use The requirements of this subsection shall be implemented not
contractual or other reasonable means to provide a comparable later than six (6) months after the date of the enactment of this
level of protection while the information are being processed by Act.
a third party.
SEC. 24. Applicability to Government Contractors. – In entering
(b) The personal information controller shall designate an into any contract that may involve accessing or requiring
individual or individuals who are accountable for the sensitive personal information from one thousand (1,000) or
organization’s compliance with this Act. The identity of the more individuals, an agency shall require a contractor and its
individual(s) so designated shall be made known to any data employees to register their personal information processing
subject upon request. system with the Commission in accordance with this Act and to
comply with the other provisions of this Act including the
Back To Top immediately preceding section, in the same manner as agencies
CHAPTER VII and government employees comply with such requirements.
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT Back To Top
CHAPTER VIII
SEC. 22. Responsibility of Heads of Agencies. – All sensitive PENALTIES
personal information maintained by the government, its agencies
and instrumentalities shall be secured, as far as practicable, with
SEC. 25. Unauthorized Processing of Personal Information and processing of personal information for unauthorized purposes
Sensitive Personal Information. – (a) The unauthorized processing shall be penalized by imprisonment ranging from one (1) year
of personal information shall be penalized by imprisonment and six (6) months to five (5) years and a fine of not less than
ranging from one (1) year to three (3) years and a fine of not less Five hundred thousand pesos (Php500,000.00) but not more
than Five hundred thousand pesos (Php500,000.00) but not than One million pesos (Php1,000,000.00) shall be imposed on
more than Two million pesos (Php2,000,000.00) shall be imposed persons processing personal information for purposes not
on persons who process personal information without the authorized by the data subject, or otherwise authorized under
consent of the data subject, or without being authorized under this Act or under existing laws.
this Act or any existing law.
The processing of sensitive personal information for
(b) The unauthorized processing of personal sensitive unauthorized purposes shall be penalized by imprisonment
information shall be penalized by imprisonment ranging from ranging from two (2) years to seven (7) years and a fine of not
three (3) years to six (6) years and a fine of not less than Five less than Five hundred thousand pesos (Php500,000.00) but not
hundred thousand pesos (Php500,000.00) but not more than more than Two million pesos (Php2,000,000.00) shall be imposed
Four million pesos (Php4,000,000.00) shall be imposed on on persons processing sensitive personal information for
persons who process personal information without the consent purposes not authorized by the data subject, or otherwise
of the data subject, or without being authorized under this Act or authorized under this Act or under existing laws.
any existing law.
SEC. 29. Unauthorized Access or Intentional Breach. – The penalty
SEC. 26. Accessing Personal Information and Sensitive Personal of imprisonment ranging from one (1) year to three (3) years and
Information Due to Negligence. – (a) Accessing personal a fine of not less than Five hundred thousand pesos
information due to negligence shall be penalized by (Php500,000.00) but not more than Two million pesos
imprisonment ranging from one (1) year to three (3) years and a (Php2,000,000.00) shall be imposed on persons who knowingly
fine of not less than Five hundred thousand pesos and unlawfully, or violating data confidentiality and security data
(Php500,000.00) but not more than Two million pesos systems, breaks in any way into any system where personal and
(Php2,000,000.00) shall be imposed on persons who, due to sensitive personal information is stored.
negligence, provided access to personal information without
being authorized under this Act or any existing law. SEC. 30. Concealment of Security Breaches Involving Sensitive
Personal Information. – The penalty of imprisonment of one (1)
(b) Accessing sensitive personal information due to negligence year and six (6) months to five (5) years and a fine of not less
shall be penalized by imprisonment ranging from three (3) years than Five hundred thousand pesos (Php500,000.00) but not
to six (6) years and a fine of not less than Five hundred thousand more than One million pesos (Php1,000,000.00) shall be imposed
pesos (Php500,000.00) but not more than Four million pesos on persons who, after having knowledge of a security breach and
(Php4,000,000.00) shall be imposed on persons who, due to of the obligation to notify the Commission pursuant to Section
negligence, provided access to personal information without 20(f), intentionally or by omission conceals the fact of such
being authorized under this Act or any existing law. security breach.

SEC. 27. Improper Disposal of Personal Information and Sensitive SEC. 31. Malicious Disclosure. – Any personal information
Personal Information. – (a) The improper disposal of personal controller or personal information processor or any of its
information shall be penalized by imprisonment ranging from six officials, employees or agents, who, with malice or in bad faith,
(6) months to two (2) years and a fine of not less than One discloses unwarranted or false information relative to any
hundred thousand pesos (Php100,000.00) but not more than personal information or personal sensitive information obtained
Five hundred thousand pesos (Php500,000.00) shall be imposed by him or her, shall be subject to imprisonment ranging from one
on persons who knowingly or negligently dispose, discard or (1) year and six (6) months to five (5) years and a fine of not less
abandon the personal information of an individual in an area than Five hundred thousand pesos (Php500,000.00) but not
accessible to the public or has otherwise placed the personal more than One million pesos (Php1,000,000.00).
information of an individual in its container for trash collection.
SEC. 32. Unauthorized Disclosure. – (a) Any personal information
(b) The improper disposal of sensitive personal information shall controller or personal information processor or any of its
be penalized by imprisonment ranging from one (1) year to three officials, employees or agents, who discloses to a third party
(3) years and a fine of not less than One hundred thousand pesos personal information not covered by the immediately preceding
(Php100,000.00) but not more than One million pesos section without the consent of the data subject, shall he subject
(Php1,000,000.00) shall be imposed on persons who knowingly to imprisonment ranging from one (1) year to three (3) years and
or negligently dispose, discard or abandon the personal a fine of not less than Five hundred thousand pesos
information of an individual in an area accessible to the public or (Php500,000.00) but not more than One million pesos
has otherwise placed the personal information of an individual in (Php1,000,000.00).
its container for trash collection.
(b) Any personal information controller or personal information
SEC. 28. Processing of Personal Information and Sensitive processor or any of its officials, employees or agents, who
Personal Information for Unauthorized Purposes. – The discloses to a third party sensitive personal information not
covered by the immediately preceding section without the carrying out the provisions of this Act. The Commission shall
consent of the data subject, shall be subject to imprisonment undertake whatever efforts it may determine to be necessary or
ranging from three (3) years to five (5) years and a fine of not less appropriate to inform and educate the public of data privacy,
than Five hundred thousand pesos (Php500,000.00) but not data protection and fair information rights and responsibilities.
more than Two million pesos (Php2,000,000.00).
SEC. 41. Appropriations Clause. – The Commission shall be
SEC. 33. Combination or Series of Acts. – Any combination or provided with an initial appropriation of Twenty million pesos
series of acts as defined in Sections 25 to 32 shall make the (Php20,000,000.00) to be drawn from the national government.
person subject to imprisonment ranging from three (3) years to Appropriations for the succeeding years shall be included in the
six (6) years and a fine of not less than One million pesos General Appropriations Act. It shall likewise receive Ten million
(Php1,000,000.00) but not more than Five million pesos pesos (Php10,000,000.00) per year for five (5) years upon
(Php5,000,000.00). implementation of this Act drawn from the national government.

SEC. 34. Extent of Liability. – If the offender is a corporation, SEC. 42. Transitory Provision. – Existing industries, businesses and
partnership or any juridical person, the penalty shall be imposed offices affected by the implementation of this Act shall be given
upon the responsible officers, as the case may be, who one (1) year transitory period from the effectivity of the IRR or
participated in, or by their gross negligence, allowed the such other period as may be determined by the Commission, to
commission of the crime. If the offender is a juridical person, the comply with the requirements of this Act.
court may suspend or revoke any of its rights under this Act. If
the offender is an alien, he or she shall, in addition to the In case that the DICT has not yet been created by the time the
penalties herein prescribed, be deported without further law takes full force and effect, the National Privacy Commission
proceedings after serving the penalties prescribed. If the shall be attached to the Office of the President.
offender is a public official or employee and lie or she is found
guilty of acts penalized under Sections 27 and 28 of this Act, he
SEC. 43. Separability Clause. – If any provision or part hereof is
or she shall, in addition to the penalties prescribed herein, suffer
held invalid or unconstitutional, the remainder of the law or the
perpetual or temporary absolute disqualification from office, as
provision not otherwise affected shall remain valid and
the case may be.
subsisting.

SEC. 35. Large-Scale. – The maximum penalty in the scale of

SEC. 44. Repealing Clause. – The provision of Section 7 of
penalties respectively provided for the preceding offenses shall
Republic Act No. 9372, otherwise known as the “Human Security
be imposed when the personal information of at least one
Act of 2007”, is hereby amended. Except as otherwise expressly
hundred (100) persons is harmed, affected or involved as the
provided in this Act, all other laws, decrees, executive orders,
result of the above mentioned actions.
proclamations and administrative regulations or parts thereof
inconsistent herewith are hereby repealed or modified
SEC. 36. Offense Committed by Public Officer. – When the accordingly.
offender or the person responsible for the offense is a public
officer as defined in the Administrative Code of the Philippines in
SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15)
the exercise of his or her duties, an accessory penalty consisting
days after its publication in at least two (2) national newspapers
in the disqualification to occupy public office for a term double
of general circulation.
the term of criminal penalty imposed shall he applied.
Back To Top
SEC. 37. Restitution. – Restitution for any aggrieved party shall be
governed by the provisions of the New Civil Code.
Approved,
Back To Top
CHAPTER IX
MISCELLANEOUS PROVISIONS (Sgd.) FELICIANO BELMONTE JR. Speaker of the House of Representatives
This Act which is a consolidation of Senate Bill No. 2965 and
House Bill No. 4115 was finally passed by the Senate and the
SEC. 38. Interpretation. – Any doubt in the interpretation of any
House of Representatives on June 6, 2012.
provision of this Act shall be liberally interpreted in a manner
(Sgd.) MARILYN B. BARUA-YAP Secretary General House of Representatives
mindful of the rights and interests of the individual about whom
personal information is processed. Approved: AUG 15 2012
(Sgd.) BENIGNO S. AQUINO III President of the Philippines
SEC. 39. Implementing Rules and Regulations (IRR). – Within
ninety (90) days from the effectivity of this Act, the Commission
shall promulgate the rules and regulations to effectively
implement the provisions of this Act.

SEC. 40. Reports and Information. – The Commission shall

annually report to the President and Congress on its activities in