Privacy_Government and Privacy Law (RJEG)


  • 8/9/2019 Privacy_Government and Privacy Law (RJEG)


    Government and Privacy Law

    INTRODUCTION

    Last August 15, 2012, the Data Privacy Act of 2012 (DPA) was signed into law. It sought "to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth." [1] Its interpretation clause [2] provides that "[a]ny doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed." It was brought about by the State's recognition of its "inherent obligation to ensure that personal information in information and communications systems in government and in the private sector are secured and protected." [3] As can be gleaned from the Act's Declaration of Policy, the DPA has two primary aspects – the government aspect and the private sector aspect.

    This article will focus on the government aspect of the Act. It will look into the relationship of the DPA to government collection, processing, and protection of data from a compliance standpoint. The purpose of this article is to provide a walkthrough of what the government should do or not do to comply with the provisions of the Act – to prevent possible problems in the future. It also seeks to lay down the acts by which government may be held accountable and their corresponding penalties.

    The outline of this article will be as follows:

    First is a discussion of the scope. It will seek to answer the question, what kinds of information are protected by the Act – what are included/excluded? Who are the actors?

    Second is the meat of the article – what are the areas in the DPA that have to be complied with by the government? What are the principles that govern government collection, processing, and protection of data? What are the rights of a person in relation to his personal information?

    Third is a discussion of the implementation aspect of the DPA. It will look into the enforcement of the provisions of the DPA – from the creation of a new government body, the National Privacy Commission (NPC), to the formation of the Act's implementing rules and regulations. It will also discuss the responsibilities of personal information controllers and the government as regards the security of personal information and sensitive personal information.

    [1] Section 2 of the DPA.

    [2] Section 38 of the DPA.

    [3] Section 2 of the DPA.


    Lastly, fourth deals with the accountability and enforcement aspect of the Act. What are the acts by which the government and its agents may be held accountable? What are the corresponding penalties for each? What are the remedies of the person aggrieved?

    I. SCOPE

    Section 4 of the DPA, which deals with its scope, provides that the Act shall apply to the following:

    1. As to subject matter, the processing of all types of personal information.

    2. As to actors, any natural and juridical person involved in personal information processing.

    A. As to Subject Matter

    Inclusions

    As cited above, the DPA applies to processing of all types of personal information. The key words here are: processing and personal information.

    i. Processing

    Processing, as defined in Section 3(j), "refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data."

    The enumeration provided in the above-cited provision is not exhaustive. First, the act of processing is defined as "any" operation or set of operations performed over personal information


    2. Whether or not, from the information, the identity of an individual can be reasonably and directly ascertained by the entity holding the information; or

    3. Whether or not the information when put together with other information would directly and certainly identify an individual.

    The key, therefore, is whether from the information, standing alone or combined with other information, an individual can be identified.

    Note that the form of information is immaterial. The definition refers to "any information whether recorded in a material form or not." It is, therefore, submitted that information in electronic form can also be classified as personal information, provided that it complies with any of the tests cited above.

    iii. Sensitive Personal Information

    Within the milieu of Personal Information is a kind of personal information that requires a special treatment – Sensitive Personal Information. This is especially true for the government because the DPA itself provides a separate chapter specifically for the security of government information of this kind. Chapter VII of the DPA is entitled "Security of Sensitive Personal Information in Government." It deals with the responsibilities of the heads of agencies, requirements relating to access, and its applicability to government contractors.

    Furthermore, the distinction between personal information and sensitive personal information becomes relevant when read with Sections 12 and 13 of the Act, which provide for the manner by which personal information and sensitive personal information can be lawfully processed. Section 13, when compared to Section 12 (criteria by which personal information may be processed in general), is stricter. The difference in treatment will be discussed in further detail in the Compliance Aspect section below.

    Sensitive personal information is defined, under Section 3(l), by enumeration. It states that sensitive personal information refers to personal information:

    1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

    2. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

    3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

    4. Specifically established by an executive order or an act of Congress to be kept classified.

    As can be gleaned above, sensitive personal information is a subset of personal information. Hence, in order to be considered sensitive personal information, the information must first qualify as personal information, i.e., it must comply with any of the tests cited in the preceding subsection. Also, since the term is defined by enumeration, it is therefore limited to the items provided therein – expressio unius est exclusio alterius ("the express mention of one thing excludes all others").

    We take special notice of (3) because of its governmental aspect. Under (3), any personal information issued by government agencies becomes sensitive personal information. This is important because, as provided above, the DPA, under Section 13, requires stricter conditions in the processing of sensitive personal information.

    Section 3(l)(3) provides for a conversion. The act of government agencies of issuing information peculiar to an individual is converted from being merely personal information to sensitive personal information. In other words, personal information from government becomes sensitive personal information when it is issued by the agency having custody over the information. Therefore, all personal information issued by government agencies becomes sensitive personal information. The effect of this conversion process when read with Sections 12 and 13 will be discussed below in the Compliance Aspect section.

    Also, note that the enumeration under Section 3(l)(3) is not exhaustive. It uses the phrase "not limited to." Therefore, other personal information, not specifically enumerated, when issued by a government agency will be classified as sensitive personal information.

    Exclusions


    Section 4 also provides for information excluded from the application of the DPA. [4] For the purposes of this article, the following exclusions are significant because they relate to government information:

    1. Information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual;

    2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

    3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

    4. Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions; and

    5. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines. (emphasis supplied)

    Section 4, in enumerating these exclusions, uses the word "and." Therefore, they are considered exhaustive. Any other information, which is considered personal information within the definition of the term, is subject to the provisions of the DPA.

    i. Information Necessary in Order to Carry Out the Functions of Public Authority

    [4] This Act does not apply to the following:
    (a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
    (1) The fact that the individual is or was an officer or employee of the government institution;
    (2) The title, business address and office telephone number of the individual;
    (3) The classification, salary range and responsibilities of the position held by the individual; and
    (4) The name of the individual on a document prepared by the individual in the course of employment with the government;
    (b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
    (c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
    (d) Personal information processed for journalistic, artistic, literary or research purposes;
    (e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
    (f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-

    "Information necessary in order to carry out the functions of public authority", which is Section 4 par. 2(e) of the Act, is of particular importance because of its broad scope and its apparent conflict with Chapter VII on Security of Sensitive Personal Information in Government.

    Its broad scope may pose a problem in the enforcement of the DPA because any public authority may invoke this exclusion to his benefit. In that case, no public authority will be held accountable for any breach on the ground that the information processed was necessary to carry out its functions. But while it is broad, it cannot be said, with finality, that such discretion is unconfined. This is because the policy in enforcing the provisions of the DPA is clearly provided in Section 2, which provides for the protection of "the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth." II) It is submitted, however, that this conflict can be resolved by limiting the scope of this provision. Although the provision speaks of "all information", it does not necessarily mean that it pertains to all information in the custody of the public authority because it is qualified by the phrase "necessary in order to carry out his functions." Hence, it could be said that the exclusion pertains only to a subset of information that are actually necessary for the public authority's functions. To illustrate, an Election Officer, in the performance of his duty, would only require certain pieces of information such as the voter's identification number (VIN), the voter's name, and his precinct number; but not the voter's marital status, religious and political affiliations, which are sensitive personal information not necessary for his functions and are, therefore, subject to Chapter VII.

    ii. Personal Information Collected from Non-Resident Aliens

    Number 5, or Section 4 par. 2(g), is also important because it is a declaration on the part of the Philippine Republic that information relating to non-resident aliens [5], provided they are collected in accordance with laws of their home State, are not subject to the protection granted by the DPA. This may pose problems in our international dealings with other countries in general and international trade relations in particular. Also, while it includes "applicable data privacy laws" of those foreign jurisdictions, it is important to note that it refers only to "collection" of information. Hence, while the information might be protected by the foreign data privacy law in the collection stage, the protection does not extend to the other modes of processing – holding, using, transferring and disclosing – once the information enters our country.

    [5] Although the law uses the phrase "residents of foreign jurisdiction", which can refer to both non-resident Filipino citizens or non-resident aliens, it is submitted that it only refers to non-resident aliens because Sec. 6 of the DPA protects off-shore processing of data of "Philippine Citizens" without distinction whether or not they are residents of the Philippines.


    B. As to Actors

    As to the actors subject of the DPA, Section 4 provides that it pertains to "any natural and juridical person involved in personal information processing." The key here is "person involved in personal information processing." Section 3 provides at least 3 persons involved in the processing of personal information – data subject, personal information controller, and personal information processor.

    i. Data Subject

    Data subject refers to "an individual whose personal information is processed." This pertains to the individual whose identity can be traced from the information. The data subject is important because it is his privacy that is protected by the Act. As the person protected by the Act, the data subject is granted certain enforceable rights as provided in Chapter IV, Rights of a Data Subject. These rights will be discussed in further detail in the Compliance section of this article.

    ii. Personal Information Controller

    Section 3(h) defines who a personal information controller is. A personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

    1. A person or organization who performs such functions as instructed by another person or organization; and

    2. An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

    The DPA defines personal information controller by way of inclusion and exclusion. By way of inclusion, it is defined as any person or organization who:

    1. Controls the collection, holding, processing, or use of personal information; or

    2. Instructs another person or organization to collect, hold, use, transfer or disclose personal information on his or her own behalf.

    The word "person" is unqualified. Hence, it can refer to both natural and juridical persons. Under the Civil Code, a person is classified either as a natural person or a juridical person. Juridical persons are of particular interest in this article because the term includes the State and its political subdivisions. [6] It is therefore submitted that the government and its agencies can be considered as personal information controllers provided they perform the functions provided for in the definition – whether they actually control the personal information or merely instruct another to perform the functions for them, e.g., by outsourcing. And as personal information controllers, they are subject to certain obligations provided for in the DPA. For purposes of this article, when the term "personal information controller" is used, it is understood to include the government and its agencies.

    [6] Article 44 of the Civil Code.

    By way of exclusion, the definition excludes the person or organization instructed by the personal information controller and individuals who collect for household affairs. The first set of excluded persons or organizations, which are those instructed by the personal information controller, can be considered as personal information processor who is subject to a different set of obligations under the Act.

    iii. Personal Information Processor

    Section 3(i) defines personal information processor as "any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject." From the standpoint of government, these may refer to third-party intermediaries that process personal information in behalf of the government (e.g., Stradcom Corporation in relation to the Land Transportation Office).

    C. Extraterritorial Application

    The scope of the DPA does not only pertain to subject matter or actors, but also includes territorial extent. As a general principle, Philippine laws shall only be enforced within Philippine territory. But the DPA specifically carves an exception to this rule. This is provided in Section 6 thereof.

    SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

    (a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

    (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:

    (1) A contract is entered in the Philippines;

    (2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and

    (3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

    (c) The entity has other links in the Philippines such as, but not limited to:


    (1) The entity carries on business in the Philippines; and

    (2) The personal information was collected or held by an entity in the Philippines.

    II. COMPLIANCE ASPECT

    The compliance aspect of the DPA focuses on two areas – the requirements of lawful processing of personal and sensitive personal information; and the rights of the data subject.

    The first deals with the general principles (Sec. 11) that apply to all personal information including sensitive personal information and the specific conditions by which personal information (Sec. 12) and sensitive personal information (Sec. 13) can be lawfully processed, while the second deals with the enforceable rights of the data subject relating to the protection of his personal information.

    A. Lawful Processing

    Lawful processing involves a two-step process. First, before any personal information can be processed, the personal information controller must first comply with Section 11: General Data Privacy Principles. And second, the personal information controller or the personal information processor, as the case may be, shall determine whether the information is merely personal information, which requires compliance with Section 12, or sensitive personal information, in which case Section 13 must be complied with.

    i. General Data Privacy Principles

    Section 11 [7] provides for the general principles of data privacy. It states that processing of personal information is allowed, subject to the requirements of the DPA and other laws allowing disclosure of information and the principles of "transparency, legitimate purpose, and proportionality."

    It is submitted that the principles are non-waivable and that compliance therewith is mandatory. This is because Section 11 clearly provides that the "personal information controller must ensure implementation of personal information processing principles set out herein (emphasis supplied)." Also, while it can be said that these principles can be considered rights, i.e. legally protected interests, of the data subject, they cannot be waived because such waiver will be contrary to law, public order, and public policy. [8]

    ii. Lawful Processing of Personal Information

    Lawful Processing of Personal Information is governed by Section 12. [9] This section allows the processing of personal information if:

    1. It is not prohibited by law; and

    2. When at least one of the conditions exists:

    a. Consent from the data subject

    b. Processing is necessary and related to the fulfillment of a contract with the data subject

    c. Processing is necessary for compliance with a legal obligation to which the controller is subject

    d. Processing is necessary to protect vitally important interests of the data subject, including life and health

    e. Processing is necessary to respond to national emergency, public order, safety, and fulfillment of public functions

    f. Processing is necessary for the legitimate interest pursued by the controller or a third party except where such interest is overridden by fundamental rights and freedom of the data subject

    [7] SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality. Personal information must be:
    (a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
    (b) Processed fairly and lawfully;
    (c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
    (d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
    (e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
    (f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
    The personal information controller must ensure implementation of personal information processing principles set out herein.

    [8] Article 6 of the Civil Code provides "Rights may be waived, unless the waiver is contrary to law, public order, public policy, morals, or good customs or prejudicial to a third person with a right recognized by law."

    [9] SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
    (a) The data subject has given his or her consent;
    (b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
    (d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
    (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
    (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

    The conditions enumerated in Section 12 are clear except for a few, such as the Consent and Legitimate Interest conditions, which require some elaboration.

    a. Consent

    When Section 11 used the word "consent", what kind of consent does it refer to? How does the data subject manifest consent? The DPA, under Section 3(b), defines and lays down the form of consent.

    Consent refers to "any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her." From the definition, it is clear that consent refers to the data subject's agreement to have personal information relating to him or her be collected and processed. It is also clear that such consent must be "specific." While it is not clear what the term "specific" means, i.e., whether specific as to the information or specific as to the purpose of collection and/or processing, it is submitted that the better view [10] is that it must be specific to both – as to information and as to purpose. Hence, if the consent is general in nature, processing of personal information is prohibited unless there are other conditions present. Otherwise, the personal data controller and the personal data processor will have unfettered discretion over the processing of the personal information, which is frowned upon by the law.

    Section 3(b) also adds, "Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so." Hence, consent need not be personal as it can be given by an agent authorized by a special power of attorney.

    b. Legitimate Interest Pursued by the Controller or by Third Party

    Section 12(f) provides,

    The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

    [10] The other view is that if the information to be processed is only personal information, general consent is sufficient because of the loose language of Section 12(a) and because under Section 13(a), the consent necessary for the processing of sensitive personal information must be "specific to the purpose." Hence, the DPA treats the two kinds of information differently. (But I do not advocate this position because it is not safe to split hairs especially when the privacy of a person is involved.)

    While it is true that the term "legitimate interests" is not clearly defined in the DPA, it is submitted that it pertains to lawful pursuits of the personal information controller or third parties. Section 12(f) is important because it allows third persons to use personal information relating to a data subject without the latter's consent, provided that such data is necessary for the purpose of the legitimate interests of these third persons.

    The import of this provision is that third persons can use personal information of any person provided it does not violate any right or freedom of the latter as provided for in the Constitution. It shifts the language of Section 12 from "processing is not allowed unless the data subject consents or there is a legitimate public interest involved" to "processing is allowed unless there is a violation of the fundamental rights and freedom of the data subject." It establishes a regime similar to the APEC Privacy Framework, contrary to the EU Privacy Directive approach adopted by the DPA in general.

    c. Conversion in Section 3(l)(3)

    As provided in the preceding Section, Section 3(l)(3) [11] provides for a conversion – from personal information to sensitive personal information. This is an issue that needs to be addressed because of the difference in the requirements for lawful processing of personal information vis-à-vis sensitive personal information.

    If Section 3(l)(3) is read with Sections 12 and 13, it seems that the initial act of issuing the information by the government agency, which has custody over the information, only requires compliance with Section 12 unless the information is already considered as sensitive personal information as defined in Section 3(l).

    But because of the conversion involved in Section 3(l)(3), the personal information issued by the government agency becomes sensitive personal information in the hands of the recipient. Therefore, in order for the recipient to lawfully process that information, he must comply, not with the requirements of Section 12, but with the requirements of Section 13. And failure of the recipient to comply with Section 13 gives rise to a breach of the individual person's privacy, which gives rise to an action for damages under Section 16(f) [12] or a criminal action under Section 25 [13] with restitution under Section 37. [14]

    iii. Lawful Processing of Sensitive Personal Information

    [11] (l) Sensitive personal information refers to personal information: (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

    [12] SEC. 16. Rights of the Data Subject. – The data subject is entitled to: (f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

    The processing of sensitive personal information is governed by Section 13 [15], which covers not only sensitive personal information defined under Section 3(l), but also privileged information, which is not defined in the DPA but in some other statute or rule. The rule is that processing of these kinds of information shall be prohibited, except in certain cases enumerated therein. For the purposes of this article, which is focused on the government aspect of the DPA, Section 13(b) and 13(f) will be elaborated.

    a. Processing Allowed by Laws and Regulations

    Section 13(b) provides,

    (b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

    One of the cases by which sensitive personal information may be lawfully processed is when laws and regulations so provide. In other words, when Congress or any governmental agency, through statute or regulations, allows the processing of sensitive personal information, it may be lawfully processed.

    [13] § 25. Unauthorized Processing of Personal Information and Sensitive Personal Information. – (a) The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

    [14] § 37. Restitution. – Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

    [15] § 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:
    (a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
    (b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
    (c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
    (d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
    (e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
    (f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

    But such processing is subject to two provisos:

    1. The law or regulation guarantees the protection of the information; and

    2. The law or regulation does not require the consent of the data subject.

    The reason for the second proviso is that, if the law or regulation requires the consent of the data subject, such consent must now be read with Section 13(a) which requires that the consent be: (1) specific to the purpose and (2) made prior to the processing.

    b. Processing Necessary for the Protection of Lawful Rights and Interests in Court Proceedings

    Section 13(f) provides,

    (f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

    This section deals with three cases. Processing is allowed, under this section, when the personal information is necessary for the:

    1. Protection of lawful rights and legal interest of natural or legal persons in court proceedings;

    2. Establishment, exercise or defense of legal claims; or

    3. When provided to government or public authority.

    An example of this kind of permitted processing of sensitive personal data is found the

    Section 15 allows personal information controllers to invoke the privileged communication rule over privileged information that they lawfully control or process. The timely invocation of such rule will render any evidence gathered on privileged information inadmissible, subject to existing laws and regulations.

    iv. Subcontracting of Personal Information

    Section 14 allows the personal information controller to subcontract the processing of personal information. But such subcontracting feature permitted by the DPA is subject to the following conditions:

    1. The personal information controller shall be responsible in ensuring that proper standards are in place to ensure confidentiality, prevent unauthorized use, and comply with the requirements of the Act and other laws.

    2. The personal information processor, i.e., the subcontractor, shall comply with all the requirements of the Act and other applicable laws.

    B. Rights of a Data Subject

    The data subject is granted certain enforceable rights under the DPA. These rights can be invoked against any person who processes his personal information including personal information controllers, personal information processors, and third persons that have an interest over his personal information. These rights are outlined below.

    i. Rights of the Data Subject under Section 16

    Under Section 16 [16], the data subject has the following rights:

    [16] § 16. Rights of the Data Subject. – The data subject is entitled to:
    (a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
    (b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
    (1) Description of the personal information to be entered into the system;
    (2) Purposes for which they are being or are to be processed;
    (3) Scope and method of the personal information processing;
    (4) The recipients or classes of recipients to whom they are or may be disclosed;
    (5)

    1. Right to be informed when his personal information shall be, are being, or have been processed.

    2. Right to be notified or furnished certain information before the entry of his personal information to the processing system of the controller.

    3. Right to reasonable access upon demand.

    4. Right to dispute the inaccuracy or error in the personal information and the right to have it corrected immediately.

    5. Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system for authorized causes provided in Section 16(e).

    6. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

    ii. Right of the Data Subject to Know the Identity of Accountable Individuals

    Upon request, the data subject has the right to know the identity of the individual or individuals accountable for the personal information controller's compliance with the DPA (Sec. 21).

    iii. Right to Data Portability

    (1) Contents of his or her personal information that were processed;
    (2) Sources from which personal information were obtained;
    (3) Names and addresses of recipients of the personal information;
    (4)

    Section 18 provides "[t]he data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject (emphasis supplied)."

    iv. Transmissibility of Rights

    Section 17 provides that the lawful heirs and assigns of the data subject may invoke the latter's rights at any time after the death of the data subject or when he is incapacitated or incapable of exercising the rights enumerated in Section 16.

    v. Non-Applicability of Rights

    Under Section 19, the rights granted to the data subject under Chapter IV are not applicable if:

    1. The processed personal information are used only for the needs of scientific and statistical research:

    a. On the basis of such research, no activities are carried out and no decisions are taken regarding the data subject.

    b. The personal information shall be held under strict confidentiality and used only for the declared purpose.

    2. The processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative, or tax liabilities of a data subject.

    Section 19 is a complement to the exclusions to the applicability of the DPA provided in Section 4, par. 2 (d) and (e). Paragraph 2 (d) excludes from the ambit of the DPA personal information processed for journalistic, artistic, literary, or research purposes, thereby complementing number 1 above. Paragraph 2 (e), in turn, excludes information necessary to carry out the functions of public authority, which includes the processing of personal data for the performance by law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions; this complements number 2 above.

    III. IMPLEMENTATION ASPECT

    The Implementation Aspect, i.e., the acts which government must perform in order to fully implement the provisions of the DPA, involves 3 areas of concern: (1) Creation of the National Privacy Commission; (2) Security of Personal Information; and (3) Security of Sensitive Personal Information in Government.

    A. Creation of the National Privacy Commission

    Section 7 provides for the creation of an independent body which shall be known as the National Privacy Commission (NPC). Its purpose is to administer and implement the provisions of the DPA, and to monitor and ensure compliance of the country with international standards set for data protection.

    i. Organizational Structure, Qualifications of Officers, Secretariat

    a. Organizational Structure

    The NPC shall be an attached agency of the Department of Information and Communications Technology. It shall be composed of 3 members – a Privacy Commissioner and 2 Deputy Privacy Commissioners – who shall be appointed by the President and shall enjoy a term of 3 years, and who may be reappointed thereafter for another 3 years.

    b. Qualifications of Officers

    The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy.

    The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy.

    c. Secretariat

    Section 10 provides that "[t]he Commission is hereby authorized to establish a Secretariat

    information, other than those enumerated, can also be members of the Secretariat provided that majority of the members have served at least 5 years in such agency.

    Also, since only majority of the members are required to have served in government agencies involved in the processing of personal information, there is room for appointment of members outside government service, e.g., academe, legal profession, etc.

    ii. Functions of the NPC

    The specific functions of the NPC are provided in Section 7 [17]. In general, the NPC is a regulatory body that will administer and implement the provisions of the DPA. It shall ensure that actors within the framework of the DPA comply with its provisions. It also performs quasi-judicial functions in disputes relating to personal information. It also has an international dimension in that it is empowered to negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws.

    Apart from the functions in Section 7, Section 8 also requires the NPC to ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.

    [17] § 7. Functions of the National Privacy Commission. – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, which shall have the following functions:
    (a) Ensure compliance of personal information controllers with the provisions of this Act;
    (b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;
    (c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
    (d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
    (e)

    iii. Promulgation of the Implementing Rules and Regulations of the DPA

    Under Section 39, the Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act within 90 days from the effectivity of the Act, which is 15 days after its publication in at least 2 national newspapers of general circulation (Section 39, 45).

    iv. Reportorial Obligation of the NPC

    Under Section 40, the NPC is obliged to make an annual report to the President and Congress and to make necessary efforts to inform and educate the public about data privacy. It provides:

    The Commission shall annually report to the President and Congress on its activities in carrying out the provisions of this Act. The Commission shall undertake whatever efforts it may determine to be necessary or appropriate to inform and educate the public of data privacy, data protection and fair information rights and responsibilities.

    B. Security of Personal Information

    Chapter V, which deals with the security of personal information, is addressed to the personal information controller. It provides for certain obligations that all personal information controllers must comply with as regards the security of personal information.

    Section 20 provides for the following obligations:

    1. To implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure;

    2. To implement reasonable and appropriate measures to protect personal information against natural dangers;

    3. To include in the measures implemented:

    (1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

    (2) A security policy with respect to the processing of personal information;

    (3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and

    (4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;

    4. To ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision;

    5. To operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure;

    a. Extends to all employees, agents, and representatives of the personal information controller.

    b. Extends even after leaving public service, upon transferring to another position, and even upon termination of the employment contract.

    6. To notify the Commission and affected data subjects when information that may be used to enable identity fraud is reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

    C. Security of Sensitive Personal Information in Government

    Chapter VII deals with the responsibilities of the heads of agencies, requirements relating to access, and its applicability to government contractors. It pertains only to the security of sensitive personal information maintained by government, its agencies and instrumentalities.

    i. Responsibilities of Heads of Agencies

    Section 22 states that all sensitive personal information maintained by government shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the NPC.

    The head of each government agency or instrumentality shall be responsible for complying with the security requirements; while the NPC shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.

    ii. Requirements Relating to Access by Agency Personnel (Sec. 23)

    1. On-site and Online Access – Employees of government are required to have a security clearance from the head of the source agency before they can access sensitive personal information on government property or through online facilities.

    2. Off-site Access – Sensitive personal information maintained by an agency may only be transported or accessed from a location off government property if a request for such transportation or access is submitted and approved by the head of the agency, subject to the following guidelines:

    a. The head of the agency shall approve or disapprove the request within 2 business days after submission. In case no action was made by the head, the request is considered disapproved.

    b. If request is approved, the head shall limit access to not more than 1,000 records at a time.

    c. Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

    3. The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act.

    iii. Applicability to Government Contractors

    Under Section 24, when the government enters into a contract that may involve accessing or requiring sensitive personal information from 1,000 or more individuals, the contracting agency shall require the contractor and latter's employees:

    1. To register their personal information system with the NPC.

    2. To comply with the other provisions of the DPA including the requirements relating to access by its personnel to sensitive personal information.

    IV. ACCOUNTABILITY AND ENFORCEMENT ASPECT

    The DPA provides for Chapters on Accountability and Enforcement. Chapter VI provides for the general principle of accountability, i.e., the responsibility of the personal information controller vis-à-vis the data subject; while Chapter VIII, entitled Penalties, provides for unlawful acts proscribed by the Act and their corresponding penalties.

    A. Accountability Aspect

    Chapter VI deals with the Accountability aspect of the DPA. Section 21 provides for the general principle of accountability. It provides that the personal information controller is responsible for the personal information under its control and custody. Its responsibility extends to information transferred to a third party for processing (or personal information processor), whether domestic or international.

    The responsibilities of a personal information controller are to:

    1. Comply with the requirements of the DPA;

    2. Use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party; and

    3. Designate an individual or individuals who are accountable for the personal information controller's compliance with the DPA.

    B. Enforcement Aspect

    i. Offenses and Penalties

    The following are the unlawful acts proscribed by the DPA, specifically Chapter VIII thereof, and their corresponding penalties:

    1. Unauthorized Processing of Personal Information and Sensitive Personal Information (Sec. 25)

    a. Persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law (Imprisonment: 1 year to 3 years; Fine: P500,000 to P2,000,000)

    b. If information is sensitive personal information (Imprisonment: 3 years to 6 years; Fine: P500,000 to P4,000,000)

    2. Accessing Personal Information and Sensitive Personal Information Due to Negligence (Sec. 26)

    a. Persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law (Imprisonment: 1 year to 3 years; Fine: P500,000 to P2,000,000)

    b. If information is sensitive personal information (Imprisonment: 3 years to 6 years; Fine: P500,000 to P4,000,000)

    3. Improper Disposal of Personal Information and Sensitive Personal Information (Sec. 27)

    a. Persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection (Imprisonment: 6 months to 2 years; Fine: P100,000 to P500,000)

    b. If information is sensitive personal information (Imprisonment: 1 year to 3 years; Fine: P100,000 to P1,000,000)

    4. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes (Sec. 28)

    a. Persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws (Imprisonment: 6 months to 5 years; Fine: P500,000 to P1,000,000)

    b. If information is sensitive personal information (Imprisonment: 2 years to 7 years; Fine: P500,000 to P2,000,000)

    5. Unauthorized Access or Intentional Breach (Sec. 29)

    Persons who knowingly and unlawfully, or violating data confidentiality and security data systems, break in any way into any system where personal and sensitive personal information is stored (Imprisonment: 1 year to 3 years; Fine: P500,000 to P2,000,000)

    6. Concealment of Security Breaches Involving Sensitive Personal Information (Sec. 30)

    Persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceal the fact of such security breach (Imprisonment: 1 year and 6 months to 5 years; Fine: P500,000 to P1,000,000)

    I

    a. Participated in, or

    b. By their gross negligence, allowed the commission of the crime

    In addition, the court may suspend or revoke any of its rights under this Act.

    2. Alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed.

    3. Public official or employee, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be if he or she is found guilty of acts penalized under:

    a. Sections 27 (Improper Disposal of Personal Information and Sensitive Personal Information);

    b. 28 (Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes)

    4. Public officer as defined in the Administrative Code of the Philippines, in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied (Sec. 36)

    5. Privacy Commissioner, Deputy Privacy Commissioner, or Agent, he shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors (Sec. 9 par. 3)

    iv. Other Remedies in the Act

    1. Restitution (Sec. 37)

    Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

    2. Damages (Sec. 16(f))

    The data subject is entitled to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.