[06.19] Data Privacy Act and its Implication to Research V2.pdf

Individual rights pertaining to one’s personal information

What rights does the Data Privacy Act of 2012 strengthen?

Unauthorized processing of personal information

What activity does Republic Act 10173 penalize?

European Union’s Data Protection Directive

What is the Data Privacy Act patterned after?

9 chapters and 45 sections

How many chapters and sections does the Data Privacy Act have?

Processing of all types of personal information

What does the Data Privacy Act apply to, according to Section 4?

Personal information controllers and processors who, although not found or established in the Philippines, use equipment located in the Philippines

To whom does the Act apply, even if they are not established in the Philippines, provided they use equipment there?

Processing for journalistic, artistic, literary or research purposes

What type of processing is the Act generally stated NOT to apply to, according to Section 4?

Subject to the requirements of applicable laws, regulations, and ethical standards

What qualifier applies to the processing of personal information for research purposes?

14 rules and 75 sections

How many rules and sections does the Implementing Rules and Regulations (IRR) have?

Personal information that will be processed for research purposes

What type of information is exempt from the Act and Rules, but only to the minimum extent necessary?

Intended for a public benefit

What must the research purposes be intended for, as a qualifier for non-applicability of the Act?

Upholding the strict confidentiality of participants’ personal information

What is a limitation set on the non-applicability of certain privacy rights on research?

The declared purpose found in the original consent

For what purpose only can data be used, according to the IRR limitations?

It is publicly available OR Has the consent of the data subject for purpose of research

What two conditions allow for further processing of Personal Data collected from a party other than the Data Subject for research purposes?

Adequate safeguards are in place AND no decision directly affecting the data subject shall be made on the basis of the data collected or processed

What two provisions must be met when allowing further processing of personal data for research?

Scientific and statistical research

The limitations on rights (preceding sections) are not applicable if processed personal data are used only for the needs of this type of research.

No activities are carried out and no decisions are taken regarding the data subject

What is the condition applied to the use of personal data for scientific and statistical research, limiting the rights of the data subject?

Review by the Commission

What body may review the processing of personal data for research purposes, public functions, or commercial activities?

The minimum extent necessary

To what extent shall any limitations on the rights of the data subject be applied to achieve the purpose of said research or investigation?

To uncover issues and concerns relating to the impact of the Data Privacy Act on research involving human participants AND to offer practical guidance to Filipino researchers and ethics review committees

What are the twofold objectives of the 2021 primer and its companion data privacy toolkit?

Ethical standards

The processing of data when it comes to research is subject to this.

Ethics review committee

What committee mitigates the potential assault on the privacy of individuals and/or groups in research?

Balance between the protection of the right to privacy, and the need to generate knowledge or foster innovation

What does ethics review seek to achieve regarding personal information processing in research?

Human participants

What term is used interchangeably with human subjects?

A living individual about whom an investigator conducting research obtains information or biospecimens through intervention or interaction

What is one definition of a human participant?

Personal information

What term refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify the individual?

Sensitive personal information

What category of information includes details about an individual’s race, ethnic origin, marital status, age, color, religion, philosophical, or political affiliations?

Health, education, genetic or sexual life

What three sensitive life details are included in sensitive personal information?

Previous or current health records

What specific government-issued information is classified as sensitive personal information?

Personal data

What ad hoc term in the Implementing Rules and Regulations refers to personal information, sensitive personal information, and privileged information?

Privileged information

What refers to any and all forms of data which, under the Rules of Court and other pertinent laws, constitute privileged communication?

Patient-doctor, lawyers-client, husband-wife communications

What are three examples of privileged information?

Data subject

What is an individual whose personal information is processed?

Research participants

Who could be simultaneously research subjects and data subjects?

Third-party data subjects

What group of data subjects in research may not be research subjects and have unlikely consented to the processing of their personal information?

Copying, deleting, sharing, storing, transferring of personal data

What are five examples of activities that constitute "processing" of personal data?

Right to be informed, Right to object, Right to access, Right to rectification, Right to erasure or blocking, Right to damages, Right to data portability, Right to file a complaint

What are the eight privacy rights of study participants under the Data Privacy Act?

Right to be Informed

What fundamental privacy right empowers data subjects to consider courses of action to protect their own privacy and interest?

Without consent

Under what condition should personal data never be collected, processed, and stored by the researcher?

Purpose of the research, risks and benefits, data utilization plan during the study, storage, dissemination, publishing, and archival

What are four key pieces of information participants need to be informed of regarding the research?

Before the entry of his or her personal data into the processing system

When should the data subject be notified and furnished with information, or at the next practical opportunity?

Description of the personal data to be entered into the system

What specific information must the data subject be notified of regarding their personal data?

Identity and contact details of the personal data controller or its representative

What specific contact information must the data subject be notified of?

The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission

What specific rights must the data subject be notified of?

Right to Access

What right allows data subjects to obtain from an organization or a researcher a copy of any information relating to them?

Right to Rectification

What right allows individuals to have inaccurate records or personal data corrected or completed if incomplete?

Right to Erasure or Blocking

What right allows the data subject to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal data from the filing system?

The personal data is incomplete, outdated, false, or unlawfully obtained

What is one condition that allows a data subject to exercise the right to erasure or blocking?

The personal data is being used for purpose not authorized by the data subject

What is one condition that allows a data subject to exercise the right to erasure or blocking related to unauthorized use?

Right to Damages and Right to File a Complaint

What right do data subjects have if they feel their information has been misused or improperly disclosed, violating the Data Privacy Act?

Right to Data Portability

What right enables data subjects to copy or transmit personal data from one device to another in an electronic or structured format?

Right to Object

What right allows a person to object if the data processing is not part of the agreement?

The investigator or researcher must stop their research work and the use of personal information or data of the study subject

What must the investigator or researcher do when data subjects object or withhold their consent?

When the participant decided to withdraw consent

What is one time that data subjects can object, which they can do at any time?

When data concerns information that is prejudicial

What is one instance where the data subject can exercise the right to erasure or blocking related to prejudicial information?

When they were a child at the time of data collection

When can a data subject, now an adult, decide whether they would still be part of the research or not, using their right to object?

Lawful heirs and assigns

Who may invoke the rights of the data subject after their death or incapacitation?

Strict confidentiality

Under what condition should personal information be used for scientific and statistical research, limiting the rights of the data subject?

Transparency, Legitimacy of Purpose, Proportionality, Limited Use, Disclosure, and Retention, Consent, Accountability, Security

What are the seven principles of data privacy covered by the Data Privacy Act?

Transparency

What principle requires that the purpose of processing a person’s data should be determined and disclosed before its collection?

Legitimacy of Purpose

What principle requires that the collection and processing of information must be compatible with the declared and specific purpose, and not contrary to the law, morals, or public policy?

Proportionality

What principle requires that data subject information must be adequate and not excessive in relation to the purposes for which they were collected and processed?

Limited Use, Disclosure, and Retention

What principle mandates that retention of data must only be for as long as necessary?

Consent

What principle provides an important legal basis for processing personal data in research?

Accountability

What principle lies with the personal information controller?

Personal information controller

Who is a person or an organization who controls the collection, holding, processing, or use of personal information?

Personal information processor

Who is a natural or juridical person qualified to act as such, to whom a personal information controller may outsource the processing of personal data?

Security

What principle requires a researcher to implement reasonable and appropriate physical, technical, and organizational security measures?

Accidental loss, Accidental Destruction

What are two examples of "Natural Dangers" against which personal information must be protected?

Unlawful access, Fraudulent misuse, Unlawful destruction, alteration, and contamination

What are three examples of "Human Dangers" against which personal information must be protected?

Selection bias

What operational issue arises from compliance with privacy regulation, where individuals who give consent do not accurately reflect the target population?

Filipino culture

What is one factor related to selection bias, due to being a highly relational society where people tend to help friends (e.g., pakikisama)?

Lengthy and complicated consent forms

What specific operational factor can be a deterrent for participant participation?

Additional costs and staff hours

What is one operational issue related to the resources required for privacy compliance?

Timely access to health or other vital information

What is one operational issue regarding accessibility that can burden research efficiency?

Scholarly integrity of the research output

What does transparency and openness in sharing data help ensure?

Data sharing agreements

What enables collaboration and data sharing involving human subjects?

Information life cycle, Privacy by Design, Security, Data Protection Officer

What are the four components of Privacy and Welfare Protection in Research?

Collection, Handling, Risk assessment, Protection, Disposal

What are the five steps in the Information Life Cycle?

Collection

What step in the Information Life Cycle involves considering whether it is necessary to collect and hold that much personal information?

Disposal

What step in the Information Life Cycle involves reidentifying and destroying personal information when it is no longer needed?

Privacy by Design

What concept compels heads of institutions, project lead researchers, or principal investigators to make privacy protection an integral part of the research operations and procedures?

Physical, Technical, and Organizational

What are the three types of security measures in Privacy by Design?

Filing cabinets that are locked

What is an example of a physical security measure for paper-based data?

Use of passwords and/or encryption

What is an example of a physical security measure for digital data?

Pseudonymization

What is a technical security measure that involves processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information?

Monitor for security breaches, Security software for data protection, Encryption

What are three examples of technical security measures?

Organizational security measures

What security measure is needed for the smooth employment of the security system agreed upon with the institution?

Data Protection Officer

Who is needed to oversee all of the security measures mentioned?

De-identification

What measure should be given utmost importance in cases where information is to be shared or released, allowing other researchers to use the dataset for secondary use?

Confidentiality

What factor helps people trust in the investigator or study team?

Quality and integrity

Aside from privacy and security, what two elements are needed in data governance?

Opt-in format

What format is used in the Philippines, where citizens have the right to say whether they want their data to be included in a research study/project?

Opt-out format

What format is used in other countries (e.g., UK), where all citizens' health data can be used for research unless they choose otherwise?

Generalizability of findings

What is limited in the Philippines due to the opt-in format and selection bias?

PhilHealth

What government institution was mentioned in the context of needing further security measures to prevent data breach?

To provide an overall framework for compliance with the privacy regulations in a manner facilitative of scientific research as a general public interest

What is the purpose of the data privacy principles?

Data privacy is just a component of data governance

What is the relationship between data privacy and data governance?

Risk assessment

What step in the Information Life Cycle involves assessing the risks associated with the collection of personal information?

Obtaining information or biospecimens through intervention or interaction

What is one way a researcher obtains information from a human participant?