[MTLE] RA 10173 Data Privacy Act of 2012

The Data Privacy Act of 2012

21st century law to address 21st century crimes and concerns.

It (1) protects the privacy of individuals while ensuring free flow of information to promote innovation and growth;

(2) regulates the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and

(3) ensures that the Philippines complies with international standards set for data protection through National Privacy Commission (NPC).

National Privacy Commission (NPC)

Ensures that the Philippines complies with international standards set for data protection

National Privacy Commission (NPC)

protects individuals personal information and upholds the right to privacy by regulating the processing of personal information

Definitions and General Provisions

Sections 1-6

The National Privacy Commission

Sections 7-10

Rights of Data Subjects and Obligations of personal information controllers and processors

Sections 11-21

Provisions Specific to Government

Sections 22-24

Penalties

Sections 25-37

45

Number of sections of RA 10173

Chapters of RA 10173

(memorize)

RA 10173

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

Data Privacy Act of 2012

Sec. 1: Short Title of RA 10173

Sec 2. Declaration of Policy

Protect the fundamental human right of privacy, of communication while ensuring free flow of information

Vital role of information and communications technology in nation- building

To ensure that personal information in information and communications systems in the government and in the private sector are secured and protected

Commission

The national privacy commission created by RA 10173

Consent

refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

This shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Data Subject

refers to an individual whose personal information is processed

Personal Information

refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Personal Information Controller

refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

Personal Information Processor

refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

Processing

refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Privileged Information

refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute this.

Sensitive Personal Information

refers to personal information:

(1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers (SSS), previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

1) individual who is or was an officer or employee of a government institution

2) individual who is or was performing service under contract for a government institution

3) discretionary benefit of a financial nature

4) Personal information processed for journalistic, artistic, literary or research purposes

5) necessary in order to carry out the functions of public authority

6) banks and other financial institutions

7) Personal information originally collected from residents of foreign jurisdictions

Keywords on the Section 4, Scope and exemptions of RA 10173

Information about any individual who is or was an officer or employee of a government institution

Officer or employee of the government institution

Title, business address and office telephone number

classification, salary range and responsibilities of the position

The name of the individual on a document prepared

Information about an individual who is or was performing service under contract for a government institution

services performed (incl. terms of the contract and the name of the individual given in the course of the performance of those services)

Information relating to any discretionary benefit of a financial nature

granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit

Information necessary in order to carry out the functions of public authority

the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies

Republic Act No. 1405; Republic Act No. 6426, and Republic Act No. 9510

RA 53

publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

1) Personal info about a philippine citizen or resident

2) Entity has a link with the Philippines (about Pinoys)

3) processing is done in connection with a business that is targeting or offering goods or services to individuals in the Philippines.

4) Other Philippine links

What are the three keywords on the Sec 6. Extraterritorial Application of the Law

Entities with Philippine Links

A contract is entered in the Philippines

A juridical entity has central management and control in the country

An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine

The entity carries on business in the Philippines

The personal information was collected or held by an entity in the Philippines

[Sec 7] Functions of the National Privacy Commission

1. Ensure compliance of personal information controllers

2. Receive complaints, institute investigations, facilitate or enable settlement of complaints, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report

3. Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers

4. Provide assistance on matters relating to privacy or data protection

5. Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions

6. Propose legislation, amendments or modifications to Philippine laws

7. Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection

8. Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws

9. Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations

10. Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

[Sec 7] Functions of the National Privacy Commission KEYWORDS

Ensure compliance – personal information controllers, enforcement, monitoring.

Complaints handling – receive, investigate, facilitate settlement, report, publicize.

Privacy codes – review, approve, reject, modify, voluntary adherence.

Assistance – privacy matters, data protection support, guidance.

Advisory role – statutes, regulations, procedures, advisory opinions, interpretation.

Legislative proposals – propose laws, amendments, legal modifications.

International coordination – regulators, private agents, regional initiatives, cooperation.

Cross-border agreements – negotiate, contract, privacy law implementation.

Support to businesses – assist companies, foreign laws, data protection compliance.

Cross-border enforcement – international cooperation, enforcement facilitation.

National Privacy Commission (NPC)

They hall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession

[Sec 9] Organizational Structure of the Commission

Department of Information and Communications Technology

Privacy Commissioner - Chairman of the Commission.

Two Deputy Privacy Commissioners

President

Who appoints the members of the commission

Department of Information and Communications technology

Under what government agency is the PNC

Privacy Commissioner

Who is the chairman of the PNC

1) Data processing Systems

2) Policies and Planning

What are the roles of each of the two deputy privacy commissioners

Privacy Commissioner Qualifications

must be at least thirty-five years of age

good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy

Shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary

1) 30 years old and above

2) good moral

3) recognized expertise in IT and data privacy

4) equivalent to rank of secretary

Keywords on the Privacy Commissioner Qualifications

secretary

The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of _______

Atty. John Henry D Naga

Current PNC Chairman

1) Recognized expertise in information and communications technology and data privacy

2) Undersecretary rank

Details on the position of Deputy Privacy Commissioners

Atty. Jose Amelito S Belarmino II

Atty. Nerisa N De Jesus

Current PNC deputies

5 years

In the section 10. Secretariat, Majority of the members of the Secretariat must have served for at least how many years in any agency of the government

General Data Privacy Principles

Collected for specified and legitimate purposes

Processed fairly and lawfully;

Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date

Adequate and not excessive in relation to the purposes for which they are collected and processed;

Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed

"As long as it is necessary"

General Data Privacy principles states that the retainment of data must be how long for the the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law

[Sec 12] Criteria for Lawful Processing of Information

The data subject has given his or her consent;

Personal information is necessary and is related to the fulfillment of a contract

For compliance with a legal obligation

Necessary to protect vitally important interests

To respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority

For the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed

Consent

Necessary for contract

Obligation Compliance

Protect interests

For National emergency, concerns, order, safety

Legitimate interests of the controller

What are the different criteria for lawful processing of information (keywords)

[Sec 13] Sensitive Personal Information and Privileged Information Processing

a) Consent of the Data Subject or All Parties Involved (for privileged info)

b) Allowed by Law or Regulation

c) Necessary to Protect Life or Health

d) Processing by Non-Commercial Public Organizations

e) Necessary for Medical Treatment

f) For Legal Rights, Court Cases, or Government Requirements

[Sec 14] Subcontract of Personal Information

A personal information controller may subcontract the processing of personal information

Section 14

What section indicates that a personal information controller can outsource processors of personal information

[Sec 15] Extension of Privileged Communication

Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

If a controller lawfully handles privileged information (like doctor-patient or lawyer-client communications), they can refuse to disclose it. Also, under the law, any evidence obtained from such privileged information cannot be used in court, unless allowed by existing laws.

Section 16. Rights of the Data Subject

Be informed whether personal information pertaining to him or her shall be, are being or have been processed

Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity

Description of the personal information to be entered into the system;

Purposes for which they are being or are to be processed;

Scope and method of the personal information processing;

The recipients or classes of recipients to whom they are or may be disclosed;

Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

The identity and contact details of the personal information controller or its representative;

The period for which the information will be stored; and

The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission

Sec 16. Rights of the Data Subject KEYWORDS

Right to be informed

If your data will be, is being, or has been processed.

The following must be disclosed to you before or at the next practical opportunity:

✅ What data is being collected

✅ Why it is being processed

✅ How it will be processed

✅ Who it may be shared with

✅ If there will be any automated access (like algorithms or AI)

✅ Who the data controller is and how to contact them

✅ How long your data will be kept

✅ Your rights (to access, correct, complain)

Right to Access

You can ask for and receive access to:

📄 The content/details of your data being processed

🔍 Where the data was sourced from

🏢 Who it was shared with (names and addresses)

⚙️ How it was processed

📢 Why it was disclosed to others

🤖 Automated processes (like profiling) that affect decisions about you

📅 When your data was last accessed or changed

👤 Who is handling your data (the PIC or representative)

✔ Contents of Your Data Processed

✔ Recipients' Names and Addresses

✔ Manner of Processing

✔ Reasons for Disclosure

✔ Automated Decision-Making

✔ Date of Last Access/Modification

✔ Identity and Contact of the PIC

✔ Right to Dispute Inaccuracies

✔ Right to Suspend, Withdraw, or Delete

✔ Right to Be Indemnified

Rights of the Data Subject on reasonable access to, upon demand

Lawful Heirs

In the Sec 17, Transmissibility of Rights of the Data Subject, who are lawfully qualified?

electronic means and in a structured and commonlyused format

Section 18. Right to Data Portability

scientific and statistical research

Section 19. Non-Applicability

Section 20. Security of Personal Information

Under Section ___ of the Data Privacy Act (RA 10173), personal information controllers (PICs) are required to:

> implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data from unauthorized access, use, or natural dangers. These measures should consider the nature of the data, processing risks, organizational size, best practices, and cost.

> Ensure that third-party processors and their own employees uphold strict confidentiality.

> In case of a data breach involving sensitive or potentially harmful information, the PIC must promptly notify both the National Privacy Commission and affected individuals, unless the notification would compromise public interest or an ongoing criminal investigation.

Personal Information Controller

must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information

shall implement reasonable and appropriate measures to protect personal information against natural dangers

Personal Information Controller

Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

A security policy with respect to the processing of personal information

A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach

Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

Personal Information Controller

must further ensure that third parties processing personal information on its behalf shall implement the security measures

employees, agents or representatives of a personal information controller who are involved in the processing

shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure

Personal Information Controller

shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person

Commission

In evaluating if notification is unwarranted, the _____________ may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information

Commission

may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects

may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach

personal information controller

According to the Sec 21. Principles of Accountability:

Each ____________ is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

✔ complying with the requirements

✔ designate an individual or individuals who are accountable for the organization's compliance

Head of the Agencies

Under, Section 22, who are responsible for:

All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured

Complying with the security requirements

Onsite and Online Access

Off-site access

Section 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

what are the two main types of access?

Onsite and Online Access

No employee of the government shall have access to sensitive personal information on government property or through online facilities

Off-site Access

sensitive personal information maintained by an agency may not be transported or accessed from a location off government property

✔ Deadline for Approval or Disapproval

✔ Limitation to One thousand (1,000) Records

✔ Encryption

1,000 records

Number of limitation of records of off-site access

Applicability to Government Contractors

Section 24

Section 34. Extent of Liability

If the offender is a corporation, partnership or any juridical person

If the offender is a juridical person

If the offender is an alien

If the offender is a public official or employee (Sections 27 and 28)

Sec 35. Large-scale

at least one hundred (100) persons is harmed, affected or involved

large scale or not?

Offense committed by Public Officer

Section 36

Restitution

Section 37

Interpretation

Section 38

IRR (90 days from the effectivity)

Section 39

Reports and Information

Section 40

Human Security Act of 2007

RA 9372

RA 9372

Law repealed by RA 10173