
Understanding the Data Privacy Act 2012

The document discusses key provisions of the Data Privacy Act of 2012 in the Philippines. It defines personal information and sensitive personal information. Personal information refers to any information about an identifiable individual, while sensitive personal information is a subset of personal information that refers to attributes like race, health, genetic data, religious beliefs, and official IDs. The processing of personal information must comply with principles of transparency, legitimate purpose and proportionality. It can only be collected for specific purposes and kept accurate and up to date. Sensitive personal information has additional restrictions around its processing and collection.

Uploaded by

IML2016

REPUBLIC ACT 10173 – DATA PRIVACY ACT OF 2012

Section 3(g) of the Data Privacy Act provides that personal information is “any
information whether recorded in a material form or not, from which the identity of an
individual is apparent or can be reasonably and directly ascertained by the entity holding
the information, or when put together with other information would directly and certainly
identify an individual.” In other words, any information that alludes to the identity of a
specific person is considered personal information.

But the Data Privacy Act makes a further distinction between personal information
and sensitive personal information, the latter intended by the law to be afforded a
substantially greater degree of protection.

The enumeration of what constitutes sensitive personal information is exclusive.


Section 3(l) of the Data Privacy Act provides that personal information is considered
“sensitive” if it refers to: (a) an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations; (b) an individual’s health, education, genetic
or sexual life of a person, or to any proceeding for any offense committed or alleged to have
been committed by such person, the disposal of such proceedings, or the sentence of any
court in such proceedings; (c) information issued by government agencies peculiar to an
individual which includes, but not limited to, social security numbers, previous or current
health records, licenses or its denials, suspension or revocation, and tax returns; or (d)
information specifically established by an executive order or an act of Congress to be kept
classified.1

SEC. 11. General Data Privacy Principles. – The processing of personal information shall
be allowed, subject to compliance with the requirements of this Act and other laws
allowing disclosure of information to the public and adherence to the principles of
transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or
as soon as reasonably practicable after collection, and later processed in a way compatible
with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the
processing of personal information, kept up to date; inaccurate or incomplete data must
be rectified, supplemented, destroyed or their further processing restricted;

1 Data Privacy Philippines

(d) Adequate and not excessive in relation to the purposes for which they are collected
and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which
the data was obtained or for the establishment, exercise or defense of legal claims, or for
legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected and
processed: Provided, That personal information collected for other purposes may be
processed for historical, statistical or scientific purposes, and in cases laid down in law may
be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by
said laws authorizing their processing.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of
personal information shall be permitted only if not otherwise prohibited by law, and when
at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment
of a contract with the data subject or in order to take steps at the request of the data
subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the
personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject,
including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply
with the requirements of public order and safety, or to fulfill functions of public authority
which necessarily includes the processing of personal data for the fulfillment of its
mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of
sensitive personal information and privileged information shall be prohibited, except in
the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the
processing, or in the case of privileged information, all parties to the exchange have given
their consent prior to processing;

(b) The processing of the same is provided for by existing laws and
regulations: Provided, That such regulatory enactments guarantee the protection of the
sensitive personal information and the privileged information: Provided, further, That the
consent of the data subjects are not required by law or regulation permitting the
processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or
another person, and the data subject is not legally or physically able to express his or her
consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of
public organizations and their associations: Provided, That such processing is only confined
and related to the bona fide members of these organizations or their associations: Provided,
further, That the sensitive personal information are not transferred to third
parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a
medical practitioner or a medical treatment institution, and an adequate level of protection
of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection
of lawful rights and interests of natural or legal persons in court proceedings, or the
establishment, exercise or defense of legal claims, or when provided to government or
public authority.
