R.A. 10173
The Data Privacy Act of 2012
R.A. 10173 (DATA PRIVACY ACT OF 2012)
It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
Personal data
Is unique to the consumer. It can include a customer’s name, credit card information, computer IP address, gender, or social security number.
Engagement data
Illustrates the channels through which customers interact with a business, such as a website, mobile application, email, text message, or social media.
Behavioral data
Describes how customers behave — their purchase history, search history, and every keystroke and mouse movement they make.
Attitudinal data
Includes customer satisfaction and feelings. It also includes their opinions about a product and shopping experiences.
When was R.A. 10173 approved?
Approved: AUG. 15, 2012
Principles of Data Privacy
The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.
Transparency.
The data subject (an end user whose personal data can be collected) must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
Legitimate purpose.
The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
Proportionality.
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
Collection of personal data must be:
Declared, specified, and for a legitimate purpose.
Personal information
is one or more data point from which the identity of an individual is obvious or can be reasonably and directly determined by the entity holding it.
Some examples of personal information: name, address, phone number, date of birth, signature, email address.
Sensitive personal information
is a type of personal information. Unlike other personal information, however, sensitive personal information may result in discrimination or harm if it is mishandled. Under the Act, sensitive personal information covers any information or opinion that:
1. refer to an individual’s: race, ethnic origin, marital status, age, color, affiliations (religious, philosophical, or political), health, education, genetic or sexual life;
2. refer to any proceeding for any offense allegedly or actually committed by an individual, including the disposal of or the court’s sentence in such proceeding;
3. are issued by government agencies peculiar to an individual (e.g., social security number, previous or current health records, licenses [including its denials, suspension, or revocation], tax returns, etc.);
4. are classified, as established by an Executive Order or a law enacted by Congress.
All processing of sensitive and personal information is prohibited except in certain circumstances:
• Consent of the data subject;
• Pursuant to law that does not require consent;
• Necessity to protect life and health of a person;
• Necessity for medical treatment;
• Necessity to protect the lawful rights of data subjects in court proceedings, legal proceedings, or regulation.
Privileged information
refers to all data classified under the (Philippine) Rules of Court and other laws as “privileged communication”.
Under the Rules of Court, in particular, they refer to:
1. any communication shared in confidence between husband and wife;
2. any communication or advice between an attorney and a client;
3. any advice or treatment given, or any information acquired by a doctor from a patient;
4. any confession made by a person to a minister or priest, as well as any advice subsequently given by the latter to that person;
5. communication made to a public officer in official confidence.
National Privacy Commission
an independent body created under R.A. 10173 or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection.
Salient features of Republic Act 10173
Companies that subcontract the processing of personal information to a third party retain full liability and cannot pass on accountability for that responsibility.
Salient features of Republic Act 10173
The data subject has the right to know if their personal information is being processed. The person can demand information such as the source of the information, how their personal information is being used, and a copy of their information. One has the right to request the removal and destruction of one’s personal data unless there is a legal obligation that requires it to be kept or processed. (Sections 16 and 18)
Salient features of Republic Act 10173
If the data subject has already passed away or became incapacitated (for one reason or another), their legal assignee or lawful heirs may invoke their data privacy rights. (Section 17)
Salient features of Republic Act 10173
Personal information controllers must ensure security measures are in place to protect the personal information they process and must comply with the requirements of this law. (Sections 20 and 21)
Salient features of Republic Act 10173
If a personal information controller’s systems or data are compromised, it must notify the affected data subjects and the National Privacy Commission. (Section 20)
Salient features of Republic Act 10173
Heads of government agencies must ensure that their systems comply with this law (including its security requirements). Personnel may only access sensitive personal information off-site, limited to 1000 records, in government systems with proper authority and in a secured manner. (Section 22)
Salient features of Republic Act 10173
Government contractors with existing or future deals with the government that involve access to 1000 or more records of individuals should register their personal information processing system with the National Privacy Commission. (Section 25)
Who must register?
Any professional or organization must register if:
1. It has 250 or more employees;
2. It processes sensitive personal information of 1,000 or more individuals;
3. Its processing may likely pose a risk to the rights and freedoms of data subjects.
Why should you register?
1. A legal requirement
2. Good for company brand/reputation
3. Boost compliance readiness
4. Avoid complaints
5. Avoid hefty penalties provided under the law
Penalties (up to 5 million as per sec. 33) are provided for the processing of personal information and sensitive personal information involving the following acts:
– Unauthorized processing
– Negligence
– Improper disposal
– Unauthorized purposes
– Unauthorized access or intentional breach
– Concealment of security breaches
– Malicious and unauthorized disclosure
Salient features of Republic Act 10173
For public officers (working in government), an accessory penalty consisting of disqualification from occupying public office for a term double the term of the criminal penalty imposed shall be applied. (sec. 36)
The right to be informed
Your personal data should never be collected, processed, or stored by any organization without your explicit consent, unless otherwise provided by law. Personal information controllers (PICs) should notify you in a timely manner if your data have been compromised.
Examples: Banks involved in phone banking tell their callers that the conversation with their call center agent will be recorded, and that proceeding with the call indicates their consent. This practice is considered sufficient notice.
Entities that use CCTV to monitor public and semi-public spaces must identify the legitimate purpose of the monitoring.
This is your right to find out whether an organization holds any personal data about you and if so, you have a right to obtain a copy of any information relating to you that they have on their computer database and/or manual filing system.
You may demand to access the following:
• The contents of your personal data that were processed.
• The sources from which they were obtained.
• Names and addresses of the recipients of your data.
• Manner by which they were processed.
• Reasons for disclosure to recipients, if there were any.
• Information on automated systems where your data is or may be available, and how it may affect you.
• Date when your data was last accessed and modified.
• The identity and address of the personal information controller.
The right to object
The right to object is most specifically applicable when organizations or personal information controllers are processing your data without your consent for the following purposes:
Direct marketing - When business organizations give you sales materials about products and services, they must explicitly inform or remind you of your right to object. If you previously acceded but wish to opt out, you must be given an easy way to do so.
Profiling - Profiling done either for marketing or customer care purposes requires your consent as a customer; otherwise you are justified in invoking your right to object. The right of state agents to do profiling for law enforcement purposes, however, may override your right to object.
Automated processing - In technology-driven industries, such as banking and finance, many decisions affecting individuals are arrived at electronically via automatic data processing systems based on personal information stored in computerized data files. Organizations are required to notify you whether your personal data will undergo automatic processing, and to inform you that you have a right to object.
The right to erasure or blocking
Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of the following:
• Your personal data is incomplete, outdated, false, or unlawfully obtained.
• It is being used for purposes you did not authorize.
• The data is no longer necessary for the purposes for which they were collected.
• You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
• The data concerns information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by a court of law).
• The processing is unlawful.
• The personal information controller, or the personal information processor, violated your rights as data subject.
The right to damages
You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of your rights and freedoms as data subject.
How to exercise your right to damages:
Write or speak to the organization which mishandled your personal information to see if you can reach an agreement and claim compensation. If you feel that your concern has not been satisfactorily addressed, you should write to the organization and inform them of your intent to take the matter to the court, before you start court proceedings. Talk to a legal adviser if you want to make a claim in court.
The right to file a complaint
If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the NPC.
The right to rectify
You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should ensure that your access and receipt of both new and retracted information
The right to data portability
This right assures that you remain in full control of your data. It allows you to obtain and electronically move, copy or transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and organizations, according to your preference. Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information controller to another.
Examples:
• You may exercise this right if you intend to get a usable copy of your personal health records for the use of other doctors you may wish to consult.
• In banking, the right to data portability may be used to reduce the risk of being locked in with one single service provider, thereby expanding customers’ options and improving customer experience.
Freedom of Information: public information and documents.
Data Privacy Act: private and personal information.
Freedom of Information Exec Order No. 2, s. 2016
It refers to the right of the people to information on matters of public concern. It is the right of every citizen to access official records, documents and papers pertaining to official acts, transactions or decisions, as well as to government research data used as basis for policy development (Sec. 7, Art. III, 1987 Constitution). This includes the public’s right to know the public officials’ and employees’ assets, liabilities, net worth and financial and business interests.
It empowers citizens to participate in demanding transparency and accountability from the government, provided that it does not jeopardize privacy or matters of national security.
Freedom of Information Uses
Transparency (ex. can provide contacts of government agencies)
Accountability (ex. can provide accomplishment reports of public officials)
Academic Research (ex. can provide data set and statistics from different government offices)
Innovation (ex. can provide data and information from offices like DICT, LTFRB or LTO to build mobile apps that improve daily life)