8. R.A. 10173 (DATA PRIVACY ACT OF 2012)

R.A. 10173

Data Privacy Act of 2012 aka?

National Privacy Commission (NPC)

RA. 10173 established what commission?

1. Enforce the law

2. Issue guidelines

3. Investigate data breaches

4. Penalize any violations

ENUMERATE: roles of NPC

SHORT TITLE

section 1 states the?

DECLARATION OF POLICY

section 2 states the?

DEFINITION OF TERMS

section 3 states the?

Personal information

refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Processing

refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Processing

These are the actions done on our personal information, from collection until the destruction of data.

Personal Information

Any data that can identify an individual, either directly or indirectly.

1. Receiving request forms

2. Encoding of patient data.

3. Analyzing results

4. Releasing results

5. Disposing of records

ENUMERATE: the procedures in processing

1. worksheets

2. duplicate of patient’s lab results

what are the records that should be disposed?

Sensitive Personal Information

personal data that is highly private and sensitive, these are data that could harm our patients

GENERAL DATA PRIVACY PRINCIPLES

section 11 states the?

Data subject

refers to an individual whose personal information is processed.

Personal information controller

as a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

(a) for a specific, declared purpose;

(b) processed lawfully and fairly;

(c) accurate and up-to-date;

(d) adequate and not excessive amount;

(e) limited retention period, kept only as long as necessary; and

(f) stored in a way that allows identification only when needed.

ENUMERATE: general data privacy principles

1. Transparency

2. Legitimate Purpose

3. Proportionality

ENUMERATE: core principles in data privacy

CRITERIA FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

section 12 states the?

(a) Your data subject consents

(b) It is necessary to fulfill a contract with the subject

(c) It is necessary to comply with legal obligations

(d) It is necessary to protect vital interests of the data subject

(e) It is necessary to respond to a national emergency

(f) It is necessary for a legitimate interest of the controller or the third party

ENUMERATE:CRITERIA FOR LAWFUL PROCESSING OF PERSONAL INFORMATION

RIGHTS OF THE DATA SUBJECT

section 16 states the?

1. Right to Information

2. Right to Object

3. Right to Access

4. Right to Correct

5. Right to Erase

6. Right to Damages

7. Right to File a Complaint

ENUMERATE: patient’s right under RA 10173

● Incorrect

● Outdated

● Unlawfully obtained

● No longer needed

patient can request for deletion of their data if it is:

• if highly sensitive

• can be used for legal purposes

• has received subpoena duces tecum

what is the exception for the patient’s deletion of their data?

RESPONSIBILITY OF HEADS OF AGENCIES

section 22 states the?

1. Appoint a Data Protection Offices (DPO) -

2. Conduct a Data Privacy Impact Assessment (PIA)

3. Create a privacy knowledge management program

4. Implement a privacy and data protection policy

5. Exercise a breach reporting procedure

ENUMERATE: compliance of agencies with RA 10173