Information is considered as one of the important organizational assets and plays a critical role to the success of a business. It is a powerful tool in a data-driven economy. Given this, information is required to be protected and entities are made to be accountable on what they do with the information and how they protect the privacy and security of the information in their custody. Thus, Congress passed Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”).
What is objective of DPA?
To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected
Who are required to comply with DPA?
The DPA requires the following entities who are considered as personal information controller or processor (“PIC” or “PIP”), including:
1. Identified entities
- banks and non-bank financial institutions, including pawnshops and non-stock savings and loan associations
- telco networks and ISPs
- universities, colleges, schools and training institutions
- hospitals, clinics, diagnostic or therapeutic facilities, etc.
- insurance and pre-need companies, including insurance brokers
- businesses involved in direct marketing, networking and those with reward cards and loyalty programs; and
- pharmaceutical companies engaged in research
2. All natural and juridical entities employing at least 250 employees are required to register;
3. Natural and juridical entities employing less than 250 employees are also required to register if the data processing:
- is likely to pose a risk to the rights and freedoms of data subjects
- is not occasional (once a year), or
- includes sensitive personal information of at least 1,000 individuals
A PIC refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.
A PIP refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
3. Who are the Data Subjects?
Data Subjects refers to an individual whose personal, sensitive personal, or privileged information is processed.
- Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Sensitive personal information refer to the following personal information:
- About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
4. What are the pillars of compliance?
- Registering with the National Privacy Commission and Appointing a Data Protection Officer
- Conducting a Privacy Impact Assessment (PIA) - This is a process of identifying, assessing, evaluating and managing the risks presented in the processing of information and determining the level of compliance with the DPA. The results of the PIA are the baseline in establishing a control framework in the processing of information.
- Creating a Data Privacy Manual – This is the control framework and guide in ensuring compliance with the DPA. It encapsulates the privacy and data protection protocols that must be observed and carried out within the organization for specific circumstances in the data cycle directed towards the fulfillment and realization of the rights of the data subjects.
- Implementing Privacy and Data Protection Measures
- Exercising Breach Reporting Procedures – This includes (a) implementing a security incident management policy; and (b) organizing a security incident response team.
5. Why is there a need to comply with the DPA?
Any violation of the DPA carries with it civil, criminal and administrative penalties and sanctions. These violations include the following:
- Unauthorized processing
- Access due to negligence
- Improper disposal
- Processing for Unauthorized purposes,
- Unauthorized access or intentional breach
- Concealment of security breaches
- Malicious disclosure
- Unauthorized disclosure
The penalties include fines and periods of imprisonment for each of these violations, ranging from P100,000 to P5,000,000 and six months to seven years imprisonment. The National Privacy Commission can likewise issue cease and desist order (CDO) which prevents the entity from processing information.
6. Our Firm's Experience
The Firm's practice on data privacy emerged to address the needs of its clients in various industries, which are considered to be personal information controller or processor. The Firm's experience on data privacy includes:
- Conducting privacy impact assessment
- Drafting and institutionalizing data privacy policies
- Drafting and review of privacy notices/statements and contracts such as employment contracts, service agreements, and data sharing and outsourcing agreements
- Conduct of security awareness programs
- Advising Data Protection and Compliance Officers on data privacy compliance and reporting
The Firm has partnered with a leading information security specialist, which handles the technical aspect of the data privacy compliance.