DATA PRIVACY ACT


47 Terms

1

August 24, 2016

When was RA 10173 promulgated?

2

72 sections

How many sections does RA 10173 have?

3

Sensitive personal information

Section 3. Definitions

personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual life of a person;

3. Issued by government agencies peculiar to an individual’s social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;

4. Specifically established by an executive order or an act of Congress to be kept classified.

4

Security Incident

Section 3. Definitions

is an event or occurrence that tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data.

5

Public Authority

Section 3. Definitions

refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions

6

Privileged information

Section 3. Definitions

refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication

7

Profiling

Section 3. Definitions

refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person

8

Personal information Processor

Section 3. Definitions

refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject

9

Personal Data breach

Section 3. Definitions

refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed

10

Personal Data

Section 3. Definitions

refers to all types of personal information

11

Information and Communications System

Section 3. Definitions

refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded

12

Filing system

Section 3. Definitions

refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible

13

Data marketing

Section 3. Definitions

refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals

14

Data sharing

Section 3. Definitions

the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor

15

Data Processing Systems

Section 3. Definitions

refers to the structure and procedure by which personal data is collected and further processed in an information and communications system

16

Consent of the Data Subject

Section 3. Definitions

refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information.

17

Commission

Section 3. Definitions

refers to the National Privacy Commission

18

Act

Section 3. Definitions

refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012

19

Data Privacy Act of 2012 or RULES

RA 10173

20

  • Protect the fundamental human right of privacy, of communication while ensuring free flow of information

  • Vital role of information and communications technology in nation-building

  • To ensure that personal information is secured and protected.

Section 2. Declaration of Policy

21

National Privacy Commission

Section 3. Definition of Terms

Commission

22

Data subject

Section 3. Definition of Terms

individual whose personal information is being processed

23

Personal information

Section 3. Definition of Terms

any info whether recorded in material form or not, from which the identity of an individual is apparent

24

Personal information controller

Section 3. Definition of Terms

refers to any natural or juridical person or organization who controls the collection, holding, processing or use of personal information

25

Processing

Section 3. Definition of Terms

any operation or any set of operations performed upon personal data

26

government institution

Section 4. Scope - Does not apply

  • any individual who is or was an officer or employee

  • performing service under contract

27

discretionary benefit

Section 4. Scope - Does not apply

  • a financial nature

28

Republic Act No. 53

Section 7. Protection Afforded to Journalists & Sources

publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication

29

Privacy Commissioner: Raymund Enriquez Liboro

Section 13. Organizational Structure of the Commission

  • must be at least thirty-five years of age

  • good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy

30

Deputy Privacy Commissioner: Ivy D. Patdu & Damian Domingo O. Mapa

Section 13. Organizational Structure of the Commission

  • recognized experts in the field of information and communications technology and data privacy

  • One shall be responsible for Data Processing Systems, while the other shall be responsible for Policies and Planning

31

3 years, additional 3 years reappointment (3-6 years)

Section 13. Organizational Structure of the Commission

Term

32

5 years:

  • Social Security System (SSS)

  • Government Service Insurance System (GSIS)

  • Land Transportation Office (LTO)

  • Bureau of Internal Revenue (BIR)

  • PhilHealth

  • COMELEC

  • Department of Foreign Affairs (DFA)

  • Department of Justice (DOJ)

  • Philippine Postal Corporation (Philpost)

Section 14. Secretariat

must have served ___ in any of the following government agencies

33

General Data Privacy Principles

Section 17.

34

Criteria for Lawful Processing of Personal Info

Section 21.

35

Sensitive Personal Info & Privileged Info

Section 22.

36

Subcontract of Personal Info

Section 43.

37

Extension of Privileged Communication

Section 23.

38

Rights of Data Subject

Section 34.

39

Transmissibility of Rights of Data Subject

Section 35.

Lawful heirs

40

Right to Data Portability

Section 36.

Electronic means and in a structured and commonly used format

41

Responsibility of Heads of Agencies

Section 30.

42

On-site and Online Access

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info

  • unless the employee has received a security clearance from the head of the source agency

43

Off-site Access

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info

  • unless the head of the agency has ensured the implementation of privacy policies and appropriate security measures

44

2 business days

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

  • In the case of any request submitted to the head of an agency, the head of the agency shall approve or disapprove the request within ___

45

not more than 1000 records

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

  • If a request is approved

46

Encryption

Section 31. Requirements Relating to Access by Agency Personnel to Sensitive Personal Info - Off-site Access

  • for purposes of off-site access shall be secured by the use of ___

47

Applicability to Government Contractors

Section 32.

  • In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system