BPL
Data Privacy Act and IRR RA 10173 - September 8, 2012 September 9, 2016
Chapter 1 - General Provisions
Sec 1: Short Title
Data Privacy Act of 2012
Sec 2: Declaration of Policy
Protect human right of privacy
Ensure free flow of information
Protect personal information
Ensure compliance with International Standards for Data Protection
Sec 3: Definition of Terms
Commission - NPC
Consent of the data subject - freely given, specific, informed indication of
will, whereby the data subject agrees to the collection and processing of
personal information about him or her.
Consent shall be evidenced by written, electronic or recorded means.
It may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.
Data Subject - individual whose personal, sensitive personal, or privileged
information is processed
Data Processing Systems - refers to the way personal data is collected and
managed in an information system or filing system. It includes how the data
is processed, why it's being processed, and what the intended result of the
processing is.
Direct Marketing - communication through advertising to individuals
Data Sharing - natural or juridical person, or any other body who controls
the processing of personal data, or instructs another to process personal
data on its behalf.
Filing System - is a way of organizing information about people (whether
individuals or organizations) so that even though the information isn’t
processed by computers, it’s arranged in a way that makes it easy to find
details about a specific person quickly.
Information and Communications System - system for processing electronic
data messages or documents
Personal Data - all types of personal information
Personal data breach - breach of security leading to the accidental or
unlawful destruction, disclosure of or access to personal data transmitted or
stored.
Personal information - any information from which the identity of an individual is
apparent or can be reasonably and directly ascertained
Personal information controller - is a person or organization that manages
how personal information is collected, stored, or used. This includes those
who give instructions to others to handle personal information on their
behalf. However, this term doesn’t apply to:
Someone who only follows instructions from another person or organization.
An individual handling personal information for their own personal, family, or
household matters.
Personal information processor - person to whom a personal information
controller may outsource to process data.
Processing - refers to any action done with personal information, such as
collecting, organizing, storing, updating, retrieving, using, blocking, erasing,
or destroying the data.
Profiling - automated systems to process personal data in order to assess or
predict certain aspects of a person, such as their work performance, financial
status, health, preferences, behavior, or movements.
Privileged information - any and all forms of data which under the Rules of
Court and other pertinent laws constitute privileged communication.
Public Authority - government entity
Security Incident - event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality
of personal data. It includes incidents that would result in a personal data
breach, if not for safeguards that have been put in place.
Sensitive personal information
(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes,
but not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns;
and
(4) Specifically established by an executive order or an act of Congress to be
kept classified.
Sec 4: Scope
Applies to all types of personal information
Applies to natural and juridical persons in personal information processing
Applies to those not in the Philippines who use equipment in the Philippines or
who have an office or branch in the Philippines
NOT APPLICABLE TO:
(a) Information about officer or employee of a government institution that
relates to the position including:
(1) The fact that the individual is an officer or employee of the government
institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by
the individual; and
(4) The name of the individual on a document prepared by the individual in
the course of employment with the government;
(b) Information about an individual who is or was performing service under
contract for a government institution that relates to the services performed,
including the terms of the contract, and the name of the individual given in
the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such
as the granting of a license or permit given by the government to an
individual, including the name of the individual and the exact nature of the
benefit;
(d) Personal information processed for journalistic, artistic, literary or
research purposes;
(e) Information necessary in order to carry out the functions of public
authority which includes the processing of personal data for the performance
by the independent, central monetary authority and law enforcement and
regulatory agencies of their constitutionally and statutorily mandated
functions. Nothing in this Act shall be construed as to have amended or
repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank
Deposits Act; Republic Act No. 6426, otherwise known as the Foreign
Currency Deposit Act; and Republic Act No. 9510, otherwise known as the
Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko Sentral
ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160,
as amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and
(g) Personal information originally collected from residents of foreign
jurisdictions in accordance with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is being processed in the
Philippines.
Sec 5: Protection Afforded to Journalists and their Sources
This law should not be interpreted to
Amend or repeal RA 53 which protects journalists and their sources
Sec 6: Extraterritorial Application
Even if outside the Philippines this law applies if:
(a) The act of processing relates to personal information about a Philippine
citizen or a resident;
(b) The entity processing personal information has a link with the Philippines
A contract entered in the Philippines
A foreign juridical entity but has central management and control in the PH
(c) The entity has other links in the Philippines
The entity carries on business in the Philippines
The personal information was collected or held by an entity in the Philippines
Chapter 2 - The National Privacy Commission
Sec 7: Functions
Sec 8: Confidentiality
Commission shall ensure at all times the confidentiality of any personal
information that comes to its knowledge and possession
Sec 9: Organizational Structure
Attached to DICT
Headed by Privacy Commissioner and also Chairman - 3 year + 3 year term.
(Salary like Secretary)
Two Deputy Privacy Commissioners - 3 year + 3 year term (Salary like
Undersecretary)
Vacancy - Appointments
QUALIFICATION OF PRIVACY COMMISSIONERS
At least 35 years of age
Good Moral Character
Unquestionable Integrity
Recognized Expert in the Field of Information Technology and Data Privacy
QUALIFICATION OF DEPUTY
Recognized Expert in the Field of Information Technology and Data Privacy
Acts done in good faith - No Civil Liability
Acts done in bad faith - Liable
In case of lawsuit due to lawful performance - NPC reimburse
Sec 10: The Secretariat
Majority members qualifications:
(1) Serve 5 years or more in any government agency involved in processing
personal information (SSS, LTO, BIR, PhilHealth, COMELEC, DFA, DOJ and
Philpost)
RJC vs DL NPC 22-012
Facts:
RJC, a student at UP Cebu, filed a case against DL, the College Secretary.
RJC filed a case against DL and others with the Ombudsman, and DL
attached RJC's transcript of records as evidence in that case. RJC stated that
DL used his transcript of records without his consent to prove that he is
incapable of completing his Master of Science Degree on time.
RJC contends that this is in violation of the DPA.
RJC claims that it is unlawful to disclose personal data that is subject to
harassment without consent.
DL argued that the case was filed because RJC claimed that the officials,
including DL, were deliberately delaying his graduation for no reason.
DL only disclosed it in order to controvert the evidence. Such evidence
is necessary for the defense of legal claims.
DL claims that students have a reasonable expectation of privacy, but this
confidentiality may be waived if the student made false statements.
Issue:
Whether DL's processing of RJC's personal data violated the DPA
Rulings: RJC IS WRONG.
DL did not violate DPA.
Grades are sensitive personal information according to Section 3 (l) of the DPA.
But not all information about education should automatically be considered
sensitive personal information.
In construing Section 3 (l) of the DPA, the provision merely speaks of
information about education which can profile an individual.
The breakdown of the grades can for sure profile RJC. It can be used to
personally identify the student. Hence it is indeed sensitive personal
information.
Since they are, the processing should be in accordance with Section 13 of
the DPA. One of the grounds stated in the provision is that it may be used for
legal claims.
In this case, however, it is the Complainant, RJC, who raised his academic
records as an issue in the Ombudsman case. The Commission stresses that
DL would not have to present RJC’s transcript of records if it were not for
RJC’s presentation of the issue on his academic records. Thus, it was RJC who
opened the door for the submission of these types of evidence.
CHAPTER III – PROCESSING OF PERSONAL INFORMATION
SECTION 11. General Data Privacy Principles.
SECTION 12. Criteria for Lawful Processing of Personal Information.
SECTION 13. Sensitive Personal Information and Privileged Information.
SECTION 14. Subcontract of Personal Information.
SECTION 15. Extension of Privileged Communication.
CHAPTER IV – RIGHTS OF THE DATA SUBJECT
SECTION 16. Rights of the Data Subject.
SECTION 17. Transmissibility of Rights of the Data Subjects.
SECTION 18. Right to Data Portability.
SECTION 19. Non-Applicability.
CHAPTER V SECURITY OF PERSONAL INFORMATION
SECTION 20. Security of Personal Information.
DPA IRR:
Rule IV. Data Privacy Principles
17 General Principles
18 Principles of Transparency, Legitimate Purpose and Proportionality
19 Principles in Collection, Processing and Retention
a Collection must be for a specified and legitimate purpose
b Personal Data shall be processed fairly and lawfully
c Processing should ensure data quality
d Personal data shall not be retained longer than necessary
e Any authorized further processing shall have adequate safeguards
20 Principles for Data Sharing
Rule V. Lawful Processing of Personal Data
21 Lawful Processing of Personal Information
22 Lawful Processing of Sensitive Personal Information and Privileged
Information
23 Extension of Privileged Communication
24 Surveillance of Subjects and Interception of Recording of
Communications
Rule VI. Security Measures for Protection of Personal Data
25 Data Privacy and Security
26 Organizational Security
27 Physical Security
28 Technical Security
29 Appropriate Level of Security
IBC vs PBI - Phishing of Email
EA and TA vs EJ - Information was used to oppose guardianship of EA to his
mother and file a criminal case against him for falsifying public documents
(marital status information)
ID Y.S. vs DS BANK - Demand Letters given to a person not designated for
that person
KGR v. BB et al. - Resume Printed and then was put in a Computer Shop
BQN vs NUQ Inc. - Getting personal information for a criminal case.
SCM vs XXX - Repeated Phone Call to get Loan
BGM vs IPP - Scammed by a Seller
RLA vs PLDT Enterprise - DSL Connection (White Pages)
Wefund Lending Corp - Juanhan Access Unauthorized
GBA v. SBG and LPL v. SBG - IT Accounting System SBG not liable.
Requisites of unauthorized processing:
(1) perpetrator processed the information of the data subject;
(2) information processed was personal information or sensitive personal
information; and
(3) processing was done without consent of the data subject, or without
being authorized under DPA or other existing law.
(4) processing is for a purpose that is neither covered by the authority given
by the data subject and could not have been reasonably foreseen by the
data subject nor otherwise authorized by law.
Requisites of legitimate interest:
(1) Legitimate interest is established;
(2) processing is necessary to fulfill the legitimate interest; and
(3) interest is legitimate or lawful and does not override fundamental rights
and freedoms of data subjects.
Proportionality Principles
(1) processing is adequate, relevant, and necessary to the declared and
specified purpose; and
(2) the means by which processing is performed is the least intrusive means
available