Data Privacy Act of 2012 (RA 10173)

What is the Data Privacy Act of 2012?

• A law that protects personal information in government and private sector information systems.

• Establishes the National Privacy Commission.

Why is data privacy important?

• Prevents identity theft.

• Protects individuals from fraud, denial of services, and harassment.

What are common data privacy breaches?

• Unauthorized sharing of personal data.

• Poorly secured storage of documents.

• Public posting of sensitive information.

Examples of Breaches/Potential Breach

1. COMELeak

2. Consent form in fine print

3. Unsecured storage of documents

4. Student transferred by her parent without her knowledge

5. List of top students/passers

6. Log-in procedure in a building

7. Unjustifiable collection of personal data in a school

8. Use of re-cycled papers

9. Raffle

What are the root causes of data breaches?

• 47% Malicious or criminal attacks.

• 29% System glitches.

• 24% Human error.

Who is a Data Subject?

An individual whose personal, sensitive, or privileged information is being processed.

Who is a Personal Information Controller (PIC)?

A person or organization that controls the processing of personal data.

Who is a Personal Information Processor (PIP)?

A person or organization that processes personal data on behalf of the PIC.

What is data processing?

Any operation performed on personal data, such as collection, storage, use, or destruction.

Classification of Personal Data

• Personal Information – Identifies an individual directly or indirectly.

• Sensitive Personal Information – Includes race, religion, health records, government-issued IDs, etc.

What are the 8 Rights of a Data Subject?

• Right to be informed – Know how personal data is processed.

• Right to access – Request a copy of personal data.

• Right to object – Refuse processing of personal data.

• Right to erasure/blocking – Remove or block incorrect/unlawful data.

• Right to rectify – Correct inaccurate data.

• Right to data portability – Transfer personal data to another service.

• Right to file a complaint – Report violations of data privacy rights.

• Right to damages – Seek compensation for data misuse.

The Data Life Cycle

• Create and Collect

• Store and Transmit

• Use and Distribute

• Retain

• Dispose and Destroy

Data Privacy Principles

• Transparency – Individuals must know how their data is used.

• Legitimate Purpose – Data must be used for lawful and declared purposes.

• Proportionality – Data collected must be adequate, relevant, and not excessive.

When is consent required?

• When processing personal information.

• Must be freely given, specific, and informed.

When is consent NOT required?

• If required by law.

• For public safety or national security.

• To protect the life and health of an individual.

What should organizations do to protect personal data?

• Implement organizational, physical, and technical measures.

• Limit data collection to what is necessary.

• Ensure secure storage and disposal of data.

The Data Privacy Golden Rule

"If you can’t protect it, don’t collect it."