RA 10173

Study online at [Link]

1. REPUBLIC ACT "An act protecting individual personal information in infor-

NO. 10173 mation and communications systems in the government
and the private sector, creating for this purpose a National
Privacy Commission, and for other purposes."

2. Edgardo Angara Principal author

3. Benigno Aquino Approved by

4. August 15, 2012 Approved on

5. SECTION 1. This Act shall be known as the "Data Privacy Act of

Short title 2012".

6. SEC. 2. Declara- It is the policy of the State to protect the

tion of Policy fundamental human right of privacy, of communication
while ensuring free flow
of information to promote innovation and growth. The State
recognizes the vital
role of information and communications technology in na-
tion-building and its
inherent obligation to ensure that personal information in
information and
communications systems in the government and in the
private sector are secured
and protected.

7. SEC. 3. Definition a) Commission

of Terms b) Consent of Data
c) Data subject
d) Direct marketing
e) Filing system
f) Information and Communications system
g) Personal information
h) Personal information controller
i) Personal information processor
j) Processing
k) Privileged information
l) Sensitive personal information (SPI)

1 / 12
 RA 10173
Study online at [Link]
8. Commission shall refer to the National Privacy Commission created by
virtue
of this Act.

9. Consent of the - Freely given

data subject - Indication of will of the data subject to collect and process
his/her personal data
- Evidenced in written, electronic or recorded
- It may also be given
on behalf of the data subject by an agent specifically
authorized by the data
subject to do so.

10. Data Subject refers to an individual whose personal information is

processed.

11. Direct marketing refers to communication by whatever means of any

advertising or marketing material which is directed to par-
ticular individuals.

12. Filing system refers to any act of information relating to natural or juridi-
cal
persons to the extent that, although the information is not
processed by
equipment operating automatically in response to instruc-
tions given for that
purpose, the set is structured, either by reference to indi-
viduals or by reference to
criteria relating to individuals, in such a way that specific
information relating to
a particular person is readily accessible.

13. Information and refers to a system for generating,

Communica- sending, receiving, storing or otherwise processing elec-
tions System tronic data messages or
electronic documents and includes the computer system
or other similar device
by or which data is recorded, transmitted or stored and any
procedure related to
the recording, transmission or storage of electronic data,
2 / 12
 RA 10173
Study online at [Link]
electronic message, or
electronic document.

14. Personal infor- refers to any information whether recorded in a material

mation form or not, from which the identity of an individual is
apparent or can be
reasonably and directly ascertained by the entity holding
the information, or
when put together with other information would directly
and certainly identify
an individual.

15. Personal infor- refers to a person or organization who controls

mation controller the collection, holding, processing or use of personal in-
formation, including a
person or organization who instructs another person or
organization to collect,
hold, process, use, transfer or disclose personal informa-
tion on his or her behalf.

16. Personal con- (1) A person or organization who performs such functions
troller excludes: as instructed by
another person or organization; and
(2) An individual who collects, holds, processes or uses
personal information in
connection with the individual's personal, family or house-
hold affairs.

17. Personal infor- refers to any natural or juridical person qualified

mation proces- to act as such under this Act to whom a personal informa-
sor tion controller may
outsource the processing of personal data pertaining to a
data subject.

18. Processing refers to any operation or any set of operations performed

upon
personal information including, but not limited to, the col-
lection, recording,
organization, storage, updating or modification, retrieval,

3 / 12
 RA 10173
Study online at [Link]
consultation, use,
consolidation, blocking, erasure or destruction of data.

19. Privileged infor- refers to any and all forms of data which under the
mation Rules of Court and other pertinent laws constitute privi-
leged communication.

20. Sensitive Per- refers to personal information:

sonal Informa- (1) About an individual's race, ethnic origin, marital status,
tion age, color, and
religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or
sexual life of a person, or
to any proceeding for any offense committed or alleged to
have been committed
by such person, the disposal of such proceedings, or the
sentence of any court in
such proceedings;
(3) Issued by government agencies peculiar to an individ-
ual which includes, but
not limited to, social security numbers, previous or cm-rent
health records,
licenses or its denials, suspension or revocation, and tax
returns; and
(4) Specifically established by an executive order or an act
of Congress to be kept
classified.

21. SEC. 4. Scope This Act applies to the processing of all types of personal
information and to any natural and juridical person in-
volved in personal
information processing including those personal informa-
tion controllers and
processors who, although not found or established in the
Philippines, use
equipment that are located in the Philippines, or those who
maintain an office,
branch or agency in the Philippines subject to the imme-
diately succeeding

4 / 12
 RA 10173
Study online at [Link]
paragraph: Provided, That the requirements of Section 5
are complied with.

22. SEC. 4. Scope This Act does not apply to the following:
does not apply to (a) Information about any individual who is or was an
the following: officer or employee of a
government institution that relates to the position or func-
tions of the individual,
including:
(1) The fact that the individual is or was an officer or
employee of the
government institution;
(2) The title, business address and office telephone num-
ber of the individual;
(3) The classification, salary range and responsibilities of
the position held by the
individual; and
(4) The name of the individual on a document prepared by
the individual in the
course of employment with the government;
(b) Information about an individual who is or was perform-
ing service under
contract for a government institution that relates to the
services performed,
including the terms of the contract, and the name of the
individual given in the
course of the performance of those services;
5
(c) Information relating to any discretionary benefit of a
financial nature such as
the granting of a license or permit given by the government
to an individual,
including the name of the individual and the exact nature
of the benefit;
(d) Personal information processed for journalistic, artistic,
literary or research
purposes;
(e) Information necessary in order to carry out the func-
tions of public authority
5 / 12
 RA 10173
Study online at [Link]
which includes the processing of personal data for the
performance by the
independent, central monetary authority and law enforce-
ment and regulatory
agencies of their constitutionally and statutorily mandated
functions. Nothing in
this Act shall be construed as to have amended or re-
pealed Republic Act No.
1405, otherwise known as the Secrecy of Bank Deposits
Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit
Act; and Republic Act
No. 9510, otherwise known as the Credit Information Sys-
tem Act (CISA);
(f) Information necessary for banks and other financial
institutions under the
jurisdiction of the independent, central monetary authority
or Bangko Sentral ng
Pilipinas to comply with Republic Act No. 9510, and Re-
public Act No. 9160, as
amended, otherwise known as the Anti-Money Launder-
ing Act and other
applicable laws; and
(g) Personal information originally collected from residents
of foreign
jurisdictions in accordance with the laws of those foreign
jurisdictions, including
any applicable data privacy laws, which is being
processed in the Philippines.

23. SEC. 5. Protec- Nothing in this Act

tion Afforded to shall be construed as to have amended or repealed the
Journalists and provisions of Republic
Their Sources Act No. 53, which affords the publishers, editors or duly
accredited reporters of
any newspaper, magazine or periodical of general circu-
lation protection from
being compelled to reveal the source of any news report
or information
6 / 12
 RA 10173
Study online at [Link]
appearing in said publication which was related in any
confidence to such
publisher, editor, or reporter.

24. SEC. 6. Extrater- This Act applies to an act done or practice

ritorial Applica- engaged in and outside of the Philippines by an entity if:
tion
(a) The act, practice or processing relates to personal
information about a
Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity
is processing
personal information in the Philippines or even if the pro-
cessing is outside the
Philippines as long as it is about Philippine citizens or
residents such as, but not
limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but
has central
management and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary
in the Philippines
and the parent or affiliate of the Philippine entity has
access to personal
information; and
(c) The entity has other links in the Philippines such as, but
not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an
entity in the
Philippines.

25. SEC. 7. Func- To administer and

tions of the implement the provisions of this Act, and to monitor and
National Privacy ensure compliance of
Commission the country with international standards set for data pro-
tection, there is hereby

7 / 12
 RA 10173
Study online at [Link]
created an independent body to be known as the National
Privacy Commission,
winch shall have the following functions:

26. National Privacy Commission in-charge of the different guidelines stated in

Commission the law RA 10173.

27. Functions (There 1. Ensure compliance of personal information

are a total of 2. Controllers
10 functions but 3. Receive complaints
mentioned below 4. Issue cease or desist orders
are the only ones 5. Imposing a temporary or permanent ban on the pro-
related to HIS): cessing of personal information
6. Monitor compliance
- Monitor compliance of other gov't agencies or instrumen-
talities in their securities and technical measures
7. Recommend to the DOJ the prosecution and imposition
of penalties
8. Coordinate with data privacy regulators in other coun-
tries
9. Assist Philippine companies doing business abroad to
respond to foreign privacy or data protection laws and
regulations

28. SEC.9. Organiza- Attached to DICT

tional Structure The Privacy Commissioner shall be assisted by
of Commission two (2) Deputy Privacy Commissioners, one to be respon-
sible for Data
Processing Systems and one to be responsible for Policies
and Planning. The
Privacy Commissioner and the two (2) Deputy Privacy
Commissioners shall be
appointed by the President of the Philippines for a term of
three (3) years, and
may be reappointed for another term of three (3) years.
Vacancies in the
Commission shall be filled in the same manner in which
the original
appointment was made.

8 / 12
 RA 10173
Study online at [Link]
29. DICT Department of Information and Communications Technol-
ogy

30. 1 privacy com- 3 MAIN OFFICERS OF NPC

missioner (chair-
man)
2 deputy privacy
commissioners

31. 3 years Tenure of service of the 3 main officers

32. Appointed by Who appoints NPC officers?

President of the
Philippines

33. Commissioner 1 privacy commissioner (chairman)

Raymund Liboro

34. Deputy Commis- Deputy Commissioner (1)

sioner Ivy Patdu

35. Deputy Com- Deputy Commissioner (2)

missioner Dondi
Mapa

36. SEC. 8. Confiden- The commissioner shall ensure at all times the confi-
tiality dentiality of any personal information that comes to its
knowledge and possession

37. SEC. 9. Organiza- Attached to DICT (Department of Information and Com-

tional Structure munications Technology)
of the Commis-
sion NPC has 3 main officers:
- 1 privacy commissioner (chairman)
- 2 deputy privacy commissioners

38. thirty-five (35) The Privacy Commissioner must be at least

years _________________ years of age and of
good moral character, unquestionable integrity and known
probity, and a
9 / 12
 RA 10173
Study online at [Link]
recognized expert in the field of information technology
and data privacy.

39. SEC. 12. Cri- (a) The data subject has given his or her consent;
teria for Law- (b) The processing of personal information is necessary
ful Processing of and is related to the
Personal Infor- fulfillment of a contract with the data subject or in order to
mation take steps at the
request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a
legal obligation to which
the personal information controller is subject;
(d) The processing is necessary to protect vitally important
interests of the data
subject, including life and health;
(e) The processing is necessary in order to respond to
national emergency, to
comply with the requirements of public order and safety, or
to fulfill functions of
public authority which necessarily includes the processing
of personal data for
the fulfillment of its mandate; or
12
(f) The processing is necessary for the purposes of the
legitimate interests
pursued by the personal information controller or by a third
party or parties to
whom the data is disclosed, except where such interests
are overridden by
fundamental rights and freedoms of the data subject which
require protection
under the Philippine Constitution.

40. SEC. 13. Sen- The processing

sitive Personal of sensitive personal information and privileged informa-
Information and tion shall be prohibited,
Privileged Infor- except in the following cases:
mation (a) The data subject has given his or her consent, specific
to the purpose prior to

10 / 12
RA 10173
Study online at [Link]
the processing, or in the case of privileged information, all
parties to the
exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing
laws and
regulations: Provided, That such regulatory enactments
guarantee the protection
of the sensitive personal information and the privileged
information: Provided,
further, That the consent of the data subjects are not
required by law or regulation
permitting the processing of the sensitive personal infor-
mation or the privileged
information;
(c) The processing is necessary to protect the life and
health of the data subject or
another person, and the data subject is not legally or
physically able to express
his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and
noncommercial
objectives of public organizations and their associations:
Provided, That such
processing is only confined and related to the bona fide
members of these
organizations or their associations: Provided, further, That
the sensitive personal
information are not transferred to third parties: Provided,
finally, That consent of
the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical
treatment, is carried out
by a medical practitioner or a medical treatment institution,
and an adequate
level of protection of personal information is ensured; or
13
(f) The processing concerns such personal information as
is necessary for the
protection of lawful rights and interests of natural or legal
11 / 12
 RA 10173
Study online at [Link]
persons in court
proceedings, or the establishment, exercise or defense of
legal claims, or when
provided to government or public authority.

41. SEC. 16. Rights (a) Be informed whether personal information pertaining
of the Data Sub- to him or her shall be,
ject. are being or have been processed;
(b) Be furnished the information indicated hereunder be-
fore the entry of his or
her personal information into the processing system of the
personal information
controller, or at the next practical opportunity:
(1) Description of the personal information to be entered
into the system;
(2) Purposes for which they are being or are to be
processed;
(3) Scope and method of the personal information pro-
cessing;
14
(4) The recipients or classes of recipients to whom they
are or may be disclosed;
(5) Methods utilized for automated access, if the same is
allowed by the data
subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal infor-
mation controller or its
representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction,
as well as the right to
lodge a complaint before the Commission.

42. Chapter VIII Penalties

12 / 12