Learn About the Data Privacy Act of 2012 and Safeguard Employee Information

Photo of author
Written by eezi Admin

Get familiar the Data Privacy Act of 2012 and learn how it protects your employee and company data.

What is data privacy?

Data Privacy Act of 2012: Safeguarding Employee and Employer Information
Data Privacy Act of 2012: Safeguarding Employee and Employer Information

Billions of data get shared and processed every day. However, certain data must not be shared with the general public. Sensitive information needs the utmost protection from possible identity fraud or theft, or hacking. The same applies to illegal access of emails, social media, banks, and other accounts. In short, it protects any forms of attack that may cause considerable damage to the owners of such information.

Furthermore, data privacy requires the proper handling, access, and storage of data so that there is no violation to the privacy of the data owners. Data privacy allows data owners to limit and determine who can access their personal information and to what extent.

All websites and other internet platforms collect information from users to varying extents. Some may require the collection of data that is more than what the user is comfortable giving. Furthermore, some do not provide adequate safeguards for the information collected. Data privacy is a combination of rules, practices, and tools to ensure data privacy compliance and monitoring functions.

What is the Data Privacy Act of 2012 and its purpose?

What is the Data Privacy Act of 2012 and its purpose?
What is the Data Privacy Act of 2012 and its purpose?

The Data Privacy Act (DPA) of 2012 or the Republic Act No. 10173 is an act protecting individual personal information in information and communications systems in the government and the private sector. It is an act that secures the fundamental human right to privacy of communication is protected while ensuring free flow of information that promotes growth and innovation.

Republic Act No. 10173

The DPA of 2012 elevates the level of the Philippines’ data privacy protection policies to that of international standards. In return, the implementation of the DPA is meant to boost the competitiveness of the Philippines. This is true especially when it comes to information technology-based business industries like IT-BPO. Furthermore, it maintains an efficient information and communications technology industry.

The DPA also fills the gap in the legal system covering personal data privacy and data protection. Before the implementation of the DPA, there were no laws in the Philippines protecting personal data privacy and breach.

What are the major provisions of the Data Privacy Act?

The DPA of 2012 consists of nine (9) chapters in total. Furthermore, each of these have different provisions aimed at strengthening the goal of data privacy and data protection.

General Provisions

Chapter One of the DPA is the General Provisions:

The declaration of the policy states the purpose that the DPA would serve and the circumstances of its creation. The definition of terms meticulously provided definitions of words or phrases used in the act based on their intended usage.

The scope thoroughly discusses the range and the limitations of the application of the DPA. Under General Provisions, it is also clarified that journalists’ rights to keep their resources confidential are not affected by this act. This chapter also identified the scenarios where the DPA may be applied outside the area of the Philippines.

Defition of data privacy terms

  • Data subject – the individual who owns the personal information undergoing processing
  • Personal information – any information that leads to identifying a person, whether directly or indirectly.
  • Personal information controller – an organization or person controlling the collection, storage, usage, or processing of personal information.
  • Personal information processor – any natural or juridical person qualified to process personal data to whom a personal information controller may outsource the processing of personal data.
  • Privileged information – any and all data constituting privileged communication based on Rules of Court and other laws.
  • Sensitive personal information – any personal information about an individual’s marital status, ethnic origin, race, affiliations, health, education, and genetic or sexual life. In addition, it includes court proceedings and the results thereof, social security number, medical records, licenses, and any actions relating to them, tax returns, and any other information ordered by executive order or act of Congress as classified.

The National Privacy Commission

The National Privacy Commission

The National Privacy Commission or NPC is a commission created in accordance with Republic Act No. 10173. The main function of the NPC is to implement the provisions of the DPA. In addition, they also ensure that they are compliant with the international standards for data protection and privacy.

What are the roles of the National Privacy Commission?

  • Ensuring and monitoring compliance of various government agencies and personal information controllers;
  • Receiving, processing, investigating, and resolving complaints;
  • Issuing cease and desist orders and temporary or permanent bans on processing personal data;
  • Coordinating, compelling, and petitioning other agencies of the government to implement and improve data protection and privacy.
  • Publishing guides to data protection laws and compilation of agency notices and system of records;
  • Recommending the penalties and prosecution for personal data breaches to the Department of Justice (DOJ).
  • Reviewing, rejecting, approving, or requiring the necessary changes in policies in personal data controllers. Such is to maintain compliance with data protection and privacy standards;
  • Assisting with matters concerning data protection and privacy at request. Such requests can come from national or local agencies, private entities, or persons and Philippine companies conducting business overseas;
  • Studying existing laws and statutes’ implications on data privacy and data protection. They also issue advisories, interpret DPA provisions, and propose legislation or amendments to existing Philippine data privacy and protection laws.
  • Coordination and negotiation with data privacy authorities of other countries for cross-border implementation of applicable data privacy laws.
  • Performing any other necessary activities to enable the implementation of privacy laws in other countries.

In addition, the NPC must ensure the confidentiality of all personal information that enters its jurisdiction. Chapter Two of the DPA also underlines the structure of the NPC’s organization and the formation of the NPC’s own secretariat.

Processing of Personal Data

Chapter Three discusses the processing of personal information, the general principles of data privacy. Along with it are the conditions the personal data to be collected and processed must meet and the guidelines on the collection and processing of personal data. This chapter also specifies the exemptions to the prohibition of processing sensitive personal information and privileged information.

Rights of the Data Subject

Chapter Four enumerates the rights of the data subject, including being allowed to request and receive electronic copies of their data being processed. It also gives authority to the data subject’s heir or assignee to invoke the rights of the data subject should the data subject be incapable of exercising their rights due to illness or death. This chapter also declares the circumstances where the rights of the data subject may not be applicable.

Security of Personal Data

Under the Security of Personal Data, the DPA enumerates the non-technical and technical security measures that must be taken by personal information controllers for personal data protection in order to prevent any accidental or unlawful destruction, access, alteration, disclosure, loss, misuse, contamination, and any unlawful or unauthorized processing. The level of security afforded to personal information is also determined by the conditions mentioned in this chapter.

Accountability for Transfer of Personal Data

Chapter Six of the DPA holds the personal information controllers responsible for all personal information that comes into their custody, including those that have been transferred to third parties for processing. Under Section 21-b of this chapter, the personal information controller must assign a person who will be accountable for the organization’s compliance with the DPA, who is also known as the data protection officer. The identity of this assigned individual must be disclosed to data subjects requesting it.

Security of Sensitive Personal Information in Government

Instrumentalities and agencies of the government handle sensitive personal information all the time, therefore, this chapter compels them to secure the information on ICT- andNPC-approved standards. Heads of agencies are held responsible for compliance with security requirements established by NPC.

Under this chapter, no sensitive personal data may be accessed, processed, or transported through any means by government employees without security clearance duly approved by the head of the source agency. Contractors requiring access to sensitive personal data of more than 1000 individuals must register their personal data processing systems with NPC and comply with the provisions of the DPA.


The penalties imposed on personal data breach and sensitive personal data breach are slightly different in that penalties for sensitive personal data breaches are higher and heavier. The penalty for breaching personal data privacy ranges from an imprisonment period of six (6) months to five (5) years and a fine of 100,000 to 2,000,000 Php. While breaching sensitive personal data privacy deserves a penalty of imprisonment from one to seven years and a fine of 100,000 to 4,000,000 Php. The penalty depends on the type and severity of the breach, and a breach with at least 100 affected data subjects is awarded the maximum penalty.

Miscellaneous Provisions

Other matters concerning the Data Privacy Act are discussed under Miscellaneous Provisions, such as Implementing Rules and Regulations, starting funds from the government, and adjustment period for implementation.

Protect your data privacy with eezi

Looking for a way to manage your employees’ personal information while staying in the law’s good books? Give eezi’s HRIS a try!

Let’s walk you through our HR and payroll system

Book a demo with us or start your free trial.
No commitments and no credit card required.


Makati City, PH

6D Cypress Gardens, 112 VA Rufino St., Legaspi Village, Makati City, Philippines

(6328) 519-3536