DATA PRIVACY ACT OF 2012 (REPUBLIC ACT 10173)
-an Act that safeguards the fundamental human right of every individual to privacy in information and
communications technology, whether in the government or private sector, while ensuring the free flow of
information for innovation, growth, and national development
SCOPE OF APPLICATION
-applies to the processing of personal information by any natural or juridical person in the government or
private sector
• NPC-National Privacy Commission
-monitors and ensures the country's compliance with the international standards set for data
protection
-investigates and imposes penalties in cases of data breach or violation of privacy
DATA PROTECTION OFFICER
-accountable for ensuring compliance by the Personal Information Controller (PIC) or Personal Information
Processor (PIP) with the Data Privacy Act, its IRR, related issuances of the National Privacy Commission,
and other applicable laws and regulations relating to data privacy and security
TERMINOLOGIES
• Consent of the data subject
-a freely given, specific and clear indication of will, whereby the data subject agrees to the collection
and processing of his/her personal, sensitive personal and privileged information
• Data Sharing
-the disclosure or transfer to a third party of personal data under the custody of a PIC or PIP
-in the case of a PIP, such disclosure or transfer must have been instructed by the PIC concerned
• Direct Marketing
-communication, by whatever means, of any advertising and marketing materials that are directed to
particular individuals
• Personal Data
-refers to all types of personal information
A. Personal information (PI)-refers to any information, whether recorded in material form or not, from
which the identity of an individual is apparent or can be reasonably and directly ascertained by the
entity holding the information, or which, when put together with other information, would directly and
certainly identify an individual
DISCLAIMER: THIS MATERIAL IS FOR INTERNAL USE ONLY
B. Sensitive Personal Information (SPI)-race, ethnic origin, color, religious or political affiliations
-marital status, sexual preference
-current and previous health records, social security numbers, licenses or their denial, suspension or
revocation, tax returns
C. Privileged information-refers to any and all forms of information which, under the Rules of Court and
pertinent/applicable laws, constitute or form part of privileged information
STAKEHOLDERS
1. Data subject-refers to an individual whose personal, sensitive personal and privileged information is
being processed
2. Personal Information Controller-a natural or juridical person, or any other body that controls the
processing of personal data, or instructs another to process personal data on its behalf
3. Personal Information Processor-a natural or juridical person, or any other body, to whom a PIC may
outsource or delegate the processing of the personal data of a data subject
Processing-a set of operations performed upon personal data, which includes collection, recording,
organization, storage, updating and modification, retrieval, consolidation, blocking, consultation, use,
erasure or destruction of personal data
-may be automated or manual
Profiling-automated processing of personal data consisting of the use of personal data to evaluate,
analyze or predict aspects relating to a person's performance at work, economic situation, health or
interests
GENERAL PRINCIPLES OF DATA PRIVACY
1. TRANSPARENCY- The data subject must be aware of the nature, purpose, and extent of the
processing of his or her personal data, including the risks and safeguards involved, the
identity of personal information controller, his or her rights as a data subject, and how these
can be exercised
2. LEGITIMATE PURPOSE- The processing of information shall be compatible with a declared
and specified purpose which must not be contrary to law, morals, or public policy.
3. PROPORTIONALITY- The processing of information shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified purpose
RIGHTS OF THE DATA SUBJECT
1. Right to be informed-the right to be informed whether personal data pertaining to him or her shall
be, are being, or have been processed, including the existence of automated decision-making and
profiling
2. Right to Object- the right to object to the processing of his or her personal data, including
processing for direct marketing, automated processing or profiling
3. Right to Access-the right to access the contents of his/her personal data, how it was obtained, how it
is processed, and who the recipients are
4. Right to Correct/Rectify- right to dispute the inaccuracy or error in the personal data and
have the personal information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable
5. Right to Blocking or Erasure- right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal data from the personal information controller’s filing
system
6. Right to Data Portability-the right to obtain a copy of his/her personal data in an electronic or
structured format
7. Right to Damages- right to be indemnified for any damages sustained due to inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data
8. Right to File a Complaint-if any of the above rights are violated, the individual can file a complaint
before the NPC
Security incident-any event or occurrence that affects or may affect data protection, or that compromises
the confidentiality, integrity or availability of personal data
-includes incidents that would have led to a personal data breach were it not for the safety measures put
in place
TYPES OF DATA BREACH
A. CONFIDENTIALITY BREACH
- resulting from the unauthorized disclosure of or access to personal data
B. INTEGRITY BREACH
- resulting from alteration of personal data
C. AVAILABILITY BREACH
- resulting from loss, accidental or unlawful destruction of personal data
Personal Data Breach
-refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data being processed
IMPACT OF DATA BREACHES TO A COMPANY OR BUSINESS
• Loss of reputation
• Loss of marketability
• Legal liabilities
BREACH NOTIFICATION
Within 24 hours - report to the DPO
Within 48 hours - DPO reports to the NPC
REQUIRED MEASURES TO BE IMPLEMENTED
1. TECHNICAL MEASURES
Examples:
• Disclaimer in email signature
• Encryption
• Passwords
• Back-ups
• Access Control
• Remote Access
• Sharing Data (via email, portals)
2. ORGANIZATIONAL MEASURES
Examples:
• Data Privacy Policy, procedure, guidance and training
• Human Resource
• Procurement (including contract)
3. PHYSICAL MEASURES
Examples:
• Building Access Control
• Secure Office Storage
• Control Over Physical Documents
• Secure Disposal
What is Privacy Impact Assessment?
-a tool for identifying and assessing privacy risks throughout the development life cycle of a program or
a system
-states what personal data is collected, how the information is maintained, and how it will be protected
and shared
For any Data Privacy concerns, kindly email us at:
[email protected]