Get familiar with the Data Privacy Act of 2012 and learn how it protects your employee and company data.
What is data privacy?
Billions of pieces of data are shared and processed every day. However, some types of information must not be shared with the general public. This is where the Data Privacy Act of 2012 comes in.
Data privacy requires the proper handling, access, and storage of data so that there is no violation of the privacy of the data owners. Moreover, it allows data owners to limit and determine who can access their personal information and to what extent.
Data privacy, therefore, is a combination of rules, practices, and tools that support data privacy compliance and monitoring.
RA 10173 Data Privacy Act of 2012 Summary
The Data Privacy Act of 2012, officially known as Republic Act No. 10173, is a safeguard for your personal information. It’s a law that ensures your data, whether it’s in the hands of the government or a private company, is kept safe and treated with confidentiality. In simple terms, it’s all about striking a balance between your right to keep things private and the need for information to flow freely, which is essential for progress and creativity.
What is the purpose of the Data Privacy Act (DPA)?
The Data Privacy Act of 2012 serves multiple purposes. Primarily, it brings the Philippines in line with international data privacy standards, which is crucial for industries like IT-BPO. By doing this, it helps the country remain competitive in the technology-driven global market.
Additionally, it addresses a significant gap in the legal framework related to personal data protection. Before this law, there were no specific regulations to protect against the unauthorized use and breach of personal data. Essentially, the DPA safeguards personal information and ensures the Philippines stays relevant in the digital age.
What are the major provisions of the Data Privacy Act?
The DPA of 2012 consists of nine (9) chapters in total. Furthermore, each of these has different provisions aimed at strengthening the goal of data privacy and data protection.
Chapter One of the DPA or the General Provisions:
The General Provisions section of the Data Privacy Act covers key aspects of the law. It begins with a declaration of policy, outlining the purpose and background of the DPA. Definitions are provided to clarify the specific meanings of terms used in the act.
The scope is discussed to specify where and to what extent the DPA applies, ensuring its appropriate usage. Notably, the act reaffirms the rights of journalists to protect their sources and information confidentiality. It also outlines situations in which the DPA may be enforced outside the Philippines. These provisions create a comprehensive framework for data privacy protection and enforcement.
Definition of terms in the Data Privacy Act
- Data subject: Refers to the individual whose personal information is being processed.
- Personal information: Encompasses any data that can be used to directly or indirectly identify a person.
- Personal information controller: Denotes an entity or individual responsible for managing the collection, storage, usage, or processing of personal information.
- Personal information processor: Describes a natural or legal person authorized to process personal data, often engaged by a personal information controller for data processing.
- Privileged information: Encompasses all data deemed privileged communication according to the Rules of Court and other legal statutes.
- Sensitive personal information: Comprises personal details such as marital status, ethnic origin, race, affiliations, health, education, genetic or sexual life, as well as court proceedings and outcomes. Additionally, it includes information like social security numbers, medical records, licenses, actions tied to them, tax returns, and other data classified as such by executive order or act of Congress.
The National Privacy Commission
The National Privacy Commission (NPC) plays a pivotal role in enforcing and overseeing the implementation of the Data Privacy Act (DPA). Established in accordance with Republic Act No. 10173, the NPC’s primary function is to ensure the compliance of individuals and organizations with the provisions of the DPA.
In addition, it acts as the authority responsible for safeguarding data privacy and protection in the Philippines. Furthermore, the NPC strives to align Philippine data privacy standards with international best practices to maintain data security and privacy at the global level.
What are the roles of the National Privacy Commission?
The National Privacy Commission (NPC) plays a multifaceted role in ensuring data protection and privacy within the Philippines. These responsibilities encompass:
The NPC monitors and enforces compliance among government agencies and personal information controllers, ensuring adherence to data protection regulations.
The commission receives, assesses, investigates, and resolves complaints related to data privacy breaches or concerns.
The NPC possesses the authority to issue cease and desist orders. Moreover, it issues temporary or permanent bans on the processing of personal data when necessary.
The commission collaborates with other government entities, compelling them to implement and enhance data protection measures.
Guidance and Publication
The NPC publishes guidelines to clarify data protection laws and compiles agency notices and records systems.
It recommends penalties and prosecution measures for personal data breaches to the Department of Justice.
The NPC reviews, approves, and, if needed, mandates adjustments in personal information controllers’ policies to maintain compliance with privacy standards.
Assistance and Consultation
The commission aids in addressing data protection and privacy queries from various entities, whether national or local agencies, private organizations, individuals, or Philippine businesses engaged in global activities.
Legal Implications Study
The NPC examines how existing laws affect data privacy, interprets Data Privacy Act (DPA) provisions, offers advisories, and suggests amendments or new legislation.
The commission coordinates and negotiates with foreign data privacy authorities for the cross-border implementation of relevant data privacy regulations.
The NPC undertakes any necessary activities to facilitate the application of privacy laws in international contexts, ensuring harmonized data protection practices.
In sum, the National Privacy Commission is dedicated to upholding and advancing data protection and privacy principles through its diverse array of roles and functions.
In addition, the NPC must ensure the confidentiality of all personal information that enters its jurisdiction. Chapter Two of the DPA also underlines the structure of the NPC’s organization and the formation of the NPC’s own secretariat.
Other Sections of the Data Privacy Act
Processing of Personal Data
Chapter Three of the Data Privacy Act is dedicated to regulating the processing of personal data, encompassing a wide array of operations. It governs the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal data, providing a comprehensive framework for handling data while upholding individual privacy rights.
Moreover, the law extends its reach beyond Philippine borders, applying not only to businesses with offices in the Philippines but also when equipment based in the Philippines is used for processing. This extraterritorial application ensures that the personal information of Philippine citizens is protected, regardless of where they reside.
Rights of the Data Subject
Chapter Four of the Data Privacy Act comprehensively outlines the entitlements granted to data subjects. These rights encompass the ability to request and acquire electronic copies of their processed data. Furthermore, the chapter empowers a data subject’s heir or assignee to invoke these rights in cases where the data subject is incapacitated due to illness or demise. Additionally, this chapter highlights specific scenarios where data subject rights might not apply.
Security of Personal Data
Chapter Four of the Data Privacy Act covers the rights bestowed upon data subjects, which include the right to request and obtain electronic copies of their processed data. It also extends these rights to a data subject’s heir or assignee in cases where the data subject is incapacitated due to illness or death. However, the chapter also delineates specific situations in which data subject rights might not be applicable, providing a comprehensive framework for the protection of individual privacy rights.
Accountability for Transfer of Personal Data
Chapter Six of the Data Privacy Act establishes the accountability of personal information controllers for all personal data under their stewardship, even when transferred to third parties for processing. Notably, Section 21-b of this chapter mandates the appointment of a designated individual, often termed the data protection officer, responsible for overseeing the organization’s adherence to the DPA. Transparency is paramount, with the identity of this appointed figure required to be divulged to data subjects upon request.
Security of Sensitive Personal Information in Government
This chapter addresses the vital matter of sensitive personal information within government institutions. In this context, instrumentalities and agencies are obligated to uphold stringent data security measures aligned with ICT- and NPC-approved standards. The accountability for adhering to these security requisites falls on agency heads, as established by the NPC.
Furthermore, this chapter prohibits government employees from accessing, processing, or transmitting sensitive personal data unless they possess a security clearance approved by the source agency’s head. Contractors with access requirements to sensitive personal data pertaining to over 1000 individuals must also register their personal data processing systems with the NPC. Compliance with Data Privacy Act provisions is mandatory for such contractors.
Penalties for breaching the Data Privacy Act
Penalties for breaches of the Data Privacy Act differ depending on whether personal data or sensitive personal data is involved. Violations of personal data privacy can lead to imprisonment for six (6) months to five (5) years, along with fines ranging from 100,000 to 2,000,000 Php.
In contrast, breaches of sensitive personal data privacy carry a more severe penalty of imprisonment from one to seven years and fines ranging from 100,000 to 4,000,000 Php. The specific penalty imposed depends on the type and severity of the breach, with maximum penalties applying to cases involving a minimum of 100 data subjects.
Other matters concerning the Data Privacy Act are discussed under Miscellaneous Provisions, such as the Implementing Rules and Regulations, starting funds from the government, and an adjustment period for implementation.