Get familiar with the Data Privacy Act of 2012 and learn how it protects your employee and company data.
Key Points
- The Data Privacy Law elevates Philippine policies in line with international data privacy standards and keeps it competitive in the technology-driven industries.
- The law also added more data protection for individuals in cases of unauthorized use and breach of personal data.
- Overseeing the implementation of this law is the National Privacy Commission, which was established with the Republic Act No. 10173.
What is data privacy?
Billions of data get shared and processed every day. However, there are types of information that must not be shared with the general public. This is where the Data Privacy Act of 2012 comes in.
Data privacy requires the proper handling, access, and storage of data so that there is no violation of the privacy of the data owners. Moreover, it allows data owners to limit and determine who can access their personal information and to what extent.
Data privacy, therefore, is a combination of rules, practices, and tools to ensure data privacy compliance and monitoring functions.
RA 10173 Data Privacy Act of 2012 Summary
The Data Privacy Act of 2012, officially known as Republic Act No. 10173, is a safeguard for your personal information. It’s a law that ensures your data, whether it’s in the hands of the government or a private company, is kept safe and treated with confidentiality. In simple terms, it’s all about striking a balance between your right to keep things private and the need for information to flow freely, which is essential for progress and creativity.
What is the purpose of the Data Privacy Act (DPA)?
The Data Privacy Act of 2012 serves multiple purposes. Primarily, it brings the Philippines in line with international data privacy standards, which is crucial for industries like IT-BPO. By doing this, it helps the country remain competitive in the technology-driven global market.
Additionally, it addresses a significant gap in the legal framework related to personal data protection. Before this law, there were no specific regulations to protect personal data against unauthorized use and breach. Essentially, the DPA safeguards personal information and ensures the Philippines stays relevant in the digital age.
What are the major provisions of the Data Privacy Act?
The DPA of 2012 consists of nine (9) chapters in total. Furthermore, each of these has different provisions aimed at strengthening the goal of data privacy and data protection.
Definition of terms in the Data Privacy Act
- Data subject: Data subject refers to the individual who possesses the personal information undergoing processing.
- Information and Communications System (ICT): A system for transferring, storing, and processing electronic data messages or electronic documents.
- Personal information: Personal information encompasses any data that can be used to directly or indirectly identify a person.
- Personal information controller: Denotes an entity or individual responsible for managing the collection, storage, usage, or processing of personal information.
- Personal information processor: Describes natural or legal persons authorized to process personal data, often engaged by a personal information controller for data processing.
- Personal data breach: The accidental or unlawful destruction, loss, alteration, access, or unauthorized disclosure of sensitive personal information transmitted, whether processed or not.
- Privileged information: Encompasses all data deemed privileged communication according to the Rules of Court and other legal statutes.
- Sensitive personal information: Comprises personal details such as marital status, ethnic origin, race, affiliations, health, education, genetic or sexual life, as well as court proceedings and outcomes. Additionally, it includes information like social security numbers, medical records, licenses, actions tied to them, tax returns, and other data classified as such by executive order or act of Congress.
The National Privacy Commission
The National Privacy Commission (NPC) plays a pivotal role in enforcing and overseeing the implementation of the Data Privacy Act (DPA). Established in accordance with Republic Act No. 10173, the NPC’s primary function is to ensure the compliance of individuals and organizations with the provisions of the DPA.
In addition, they act as the authority responsible for safeguarding data privacy and protection in the Philippines. Furthermore, the NPC strives to align Philippine data privacy standards with international best practices to maintain data security and privacy at the global level.
What are the roles of the National Privacy Commission?
The National Privacy Commission (NPC) plays a multifaceted role in ensuring data protection and privacy within the Philippines. These responsibilities encompass:
Compliance Oversight
The NPC monitors and enforces compliance among government agencies and personal information controllers, ensuring adherence to data protection regulations.
Complaint Handling
The commission receives, assesses, investigates, and resolves complaints related to data privacy breaches or concerns.
Regulatory Orders
The NPC possesses the authority to issue cease and desist orders. Moreover, it issues temporary or permanent bans on the processing of personal data when necessary.
Interagency Coordination
The commission collaborates with other government entities, compelling them to implement and enhance data protection measures.
Guidance and Publication
The NPC publishes guidelines to clarify data protection laws and compiles agency notices and records systems.
Penalty Recommendations
It recommends penalties and prosecution measures for a personal data breach to the Department of Justice.
Policy Oversight
The NPC reviews, approves, and if needed, mandates adjustments in personal data controllers’ policies to maintain compliance with privacy standards.
Assistance and Consultation
The commission aids in addressing data protection and privacy queries from various entities, whether national or local agencies, private organizations, individuals, or Philippine businesses engaged in global activities.
Legal Implications Study
The NPC examines how existing laws affect data privacy, interprets Data Privacy Act (DPA) provisions, offers advisories, and suggests amendments or new legislation.
International Collaboration
The commission coordinates and negotiates with foreign data privacy authorities for the cross-border implementation of relevant data privacy regulations.
Global Implementation
The NPC undertakes any necessary activities to facilitate the application of privacy laws in international contexts, ensuring harmonized data protection practices.
In sum, the National Privacy Commission is dedicated to upholding and advancing data protection and privacy principles through its diverse array of roles and functions.
In addition, the NPC must ensure the confidentiality of all personal information that enters its jurisdiction. Chapter Two of the DPA also underlines the structure of the NPC’s organization and the formation of the NPC’s own secretariat.
Other Sections of the Data Privacy Act
Processing of Personal Data
The data privacy law regulates the processing of personal data, encompassing a wide array of operations. It governs the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of personal data, providing a comprehensive framework for handling data while upholding individual privacy rights.
Moreover, the law extends its reach beyond Philippine borders, applying not only to businesses with offices in the Philippines but also when equipment based in the Philippines is used for processing. This extraterritorial application ensures that the personal information of Philippine citizens is protected, regardless of where they reside.
Rights of the Data Subject
The law gives data subjects the ability to request and acquire electronic copies of their processed data. Furthermore, it allows the data subject’s heir or assignee to invoke these rights in cases where the data subject is incapacitated due to illness or demise.
Security of Personal Data
Under the data privacy law, the data subjects have the right to request and obtain electronic copies of their processed data. It also extends these rights to a data subject’s heir or assignee in cases where the data subject is incapacitated due to illness or death. However, the chapter also delineates specific situations in which data subject rights might not be applicable, providing a comprehensive framework for the protection of individual privacy rights.
Accountability for Transfer of Personal Data
The law also establishes the accountability of personal information controllers for all personal data under their stewardship, even when transferred to third parties for processing. Notably, Section 21-b of this chapter mandates the appointment of a designated individual, often termed the data protection officer, responsible for overseeing the organization’s adherence to the DPA. Transparency is paramount, with the identity of this appointed figure required to be divulged to data subjects upon request.
Security of Sensitive Personal Information in Government
Sensitive personal information refers to an individual’s data like their race, civil status, age, among other things. Sections of the law addresses the handling of sensitive personal information within government institutions. In this context, instrumentalities and agencies are obligated to uphold stringent data security measures aligned with ICT- and NPC-approved standards. The accountability for adhering to these security requisites falls on agency heads, as established by the NPC.
Furthermore, this chapter prohibits government employees from accessing, processing, or transmitting sensitive personal data unless they possess a security clearance approved by the source agency’s head. Contractors with access requirements to sensitive personal data pertaining to over 1000 individuals must also register their personal data processing systems with the NPC. Compliance with Data Privacy Act provisions is mandatory for such contractors.
Penalties for breaching the Data Privacy Act
Penalties for breaches of the Data Privacy Act differ depending on whether personal data or sensitive personal data is involved.
Violations of personal data privacy can lead to imprisonment for six (6) months to five (5) years, along with fines ranging from 100,000 to 2,000,000 Php.
In contrast, breaches of sensitive personal data privacy carry a more severe penalty of imprisonment from one to seven years and fines ranging from 100,000 to 4,000,000 Php.
The specific penalty imposed depends on the type and severity of the breach, with maximum penalties applied to cases involving a minimum of 100 data subjects.
Miscellaneous Provisions
Other matters concerning the Data Privacy Act are discussed under Miscellaneous Provisions, such as Implementing Rules and Regulations, starting funds from the government, and adjustment period for implementation.
Practical Guidelines for Implementing Data Privacy Measures in Businesses
Understand Data Privacy Laws
- Know Legal Requirements: Familiarize yourself with local and international data privacy laws relevant to your business.
- Appoint a Data Protection Officer (DPO): Designate a DPO to oversee compliance and manage data protection strategies.
Data Collection and Processing
- Minimize Data Collection: Collect only necessary data to reduce risks and improve compliance.
- Obtain Consent: Ensure informed consent for data collection, clearly explaining purposes and scope.
- Purpose Limitation: Use personal data only for the specified purposes unless additional consent is obtained.
Data Security Measures
- Encrypt Data: Protect data in transit and at rest using strong encryption methods.
- Access Control: Implement role-based access controls to limit data access to authorized personnel.
- Regular Security Audits: Conduct regular audits to identify and address vulnerabilities.
Employee Training and Awareness
- Provide Training: Regularly train employees on data privacy principles and their roles in compliance.
- Create a Privacy Culture: Encourage reporting of breaches and emphasize the importance of data protection.
Personal Data Breach Response Plan
- Develop a Plan: Create a plan outlining steps for containment, investigation, and notification in case of a personal data breach.
- Notify Affected Parties: Promptly inform affected individuals and authorities about breaches and mitigation steps.
Regular Reviews and Updates
- Continuous Improvement: Regularly update data privacy policies to stay compliant with changing laws and technologies.
- Documentation: Keep detailed records of data processing activities and compliance efforts.
Third-Party Management
- Authorized Third Parties: Assess data privacy practices of vendors and partners before engagement.
- Data Processing Agreements: Use agreements to outline responsibilities and obligations for data protection.
Protect your data privacy with eezi
Looking for a way to manage your employees’ personal information while following applicable Data Privacy Laws? Give eezi’s HRIS a try!
