Republic Act 10173 Data Privacy Act of 2012 (DPA)
“An act protecting individual personal information in information and communications systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes”
1. DATA PRIVACY IN THE PHILIPPINES
SLA Asian Chapter Meeting & Panel Discussion
@ SLA Annual Conference & Info-Expo
12 June 2018
Baltimore Convention Center
Maryland, USA
Shirley Ingles-Cruz
singlescruz@gmail.com
6. BACKGROUND
The Philippines has a growing and important business process
management and health information technology industry.
Total IT spending reached $4.4 billion in 2016 and is expected to
more than double by 2020.
The country is also in the process of enabling free public Wi-Fi.
Rapid growth of the digital economy and increasing international trade
of data
Filipinos are heavy social media users
67M internet users – world’s #1 in terms of social media usage (Digital
2018 by Hootsuite, and We Are Social Ltd.)
Facebook users – 30M in 2013 to 67M in 2017
Source: https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
12. THE JOURNEY OF THE DPA
European Union’s 1995 Data Protection Directive
Electronic Commerce Act of 2000 (R.A. No. 8792) – recognition and use of
electronic commercial and non-commercial transactions and documents
membership in the Asia-Pacific Economic Cooperation (APEC) -- Privacy
Framework in 2005
DTI Administrative Order No. 8 in 2006 -- which prescribed guidelines for a
local data protection certification system
The DPA was signed into law in 2012, with the local BPO sector as its most
visible endorser
Creation of the Dept. of Information and Communications Technology (DICT)
in 2015 (R.A. No. 10844)
The activation of the National Privacy Commission (NPC) in 2016
The DPA’s Implementing Rules and Regulations were put into effect on September 9,
2016
Source: http://www.gmanetwork.com/news/opinion/content/640737/introducing-data-privacy/story/
13. PROVISIONS OF THE DPA
Chapter I – General Provisions
Chapter II – The National Privacy Commission
Chapter III – Processing of Personal Information
Chapter IV – Rights of the Data Subject
Chapter V – Security of Personal Information
Chapter VI – Accountability for Transfer of Personal
Information
Chapter VII – Security of Sensitive Personal Information in
Government
Chapter VIII – Penalties
Chapter IX – Miscellaneous Provisions
Source: https://privacy.gov.ph/data-privacy-act/
14. SCOPE
SEC. 4. Scope. – This Act applies to the processing
of all types of personal information and to any
natural and juridical person involved in personal
information processing including those personal
information controllers and processors who,
although not found or established in the Philippines,
use equipment that are located in the Philippines,
or those who maintain an office, branch or agency
in the Philippines …
15. SCOPE
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or
employee of a government institution that relates to the position or
functions of the individual, including:
(1) The fact that the individual is or was an officer or employee
of the government institution;
(2) The title, business address and office telephone number of
the individual;
(3) The classification, salary range and responsibilities of the
position held by the individual; and
(4) The name of the individual on a document prepared by the
individual in the course of employment with the government;
16. SCOPE
(b) Information about an individual who is or was performing service
under contract for a government institution that relates to the
services performed, including the terms of the contract, and the
name of the individual given in the course of the performance of
those services;
(c) Information relating to any discretionary benefit of a financial
nature such as the granting of a license or permit given by the
government to an individual, including the name of the individual and
the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or
research purposes;
17. SCOPE
(e) Information necessary in order to carry out the functions of
public authority which includes the processing of personal data for
the performance by the independent, central monetary authority and
law enforcement and regulatory agencies of their constitutionally
and statutorily mandated functions.
(f) Information necessary for banks and other financial institutions
under the jurisdiction of the independent, central monetary authority
or Bangko Sentral ng Pilipinas to comply with Republic Act No.
9510, and Republic Act No. 9160, as amended, otherwise known as
the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of
foreign jurisdictions in accordance with the laws of those foreign
jurisdictions, including any applicable data privacy laws, which is
being processed in the Philippines.
18. APPROACH OF THE GOVERNMENT
The processing of personal data shall be allowed
subject to adherence to the principles of:
transparency
legitimate purpose
proportionality
19. DATA PROCESSING AND CONSENT
Collection of personal data must be:
Declared
Specified
Legitimate purpose
20. DATA PROCESSING AND CONSENT
Consent is required prior to the collection
of all personal data.
the data subject must be informed about the extent and
purpose of processing
for the “automated processing of his or her personal data
for profiling, or processing for direct marketing, and data
sharing”
for sharing information with affiliates or even mother
companies
must be “freely given, specific, informed,” and must be
evidenced by recorded means
21. DATA PROCESSING AND CONSENT
Consent is not required for processing where the
data subject is party to a contractual agreement, for
purposes of fulfilling that contract.
for protection of the vital interests of the data subject
to respond to a national emergency
for the legitimate interests of the data controller
22. AGREEMENT
“The law requires that when sharing data, the sharing
be covered by an agreement that provides
adequate safeguards for the rights of data subjects,
and that these agreements are subject to review by
the National Privacy Commission”
23. SENSITIVE PERSONAL INFORMATION
The law defines sensitive personal information as being:
About an individual’s race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations;
About an individual’s health, education, genetic or sexual
life, or any proceeding or any offense
committed or alleged to have been committed;
Issued by government agencies “peculiar” (unique) to an
individual, such as social security number;
Marked as classified by executive order or act of Congress.
24. SENSITIVE PERSONAL INFORMATION
All processing of sensitive and personal information is
prohibited except in certain circumstances.
Consent of the data subject;
Pursuant to law that does not require consent;
Necessity to protect life and health of a person;
Necessity for medical treatment;
Necessity to protect the lawful rights of data subjects in
court proceedings, legal proceedings, or regulation.
25. PENALTIES
Ranging from P100,000 to P5,000,000
(approximately US$2,000 to US$100,000)
Imprisonment of 1 year up to 6 years
Unauthorized Processing of Personal Information and Sensitive
Personal Information
Accessing Personal Information and Sensitive Personal
Information Due to Negligence.
Improper Disposal of Personal Information and Sensitive
Personal Information
Processing of Personal Information and Sensitive Personal
Information for Unauthorized Purposes
Unauthorized Access or Intentional Breach.
Concealment of Security Breaches Involving Sensitive Personal
Information.
Malicious Disclosure.
Unauthorized Disclosure
26. WHO NEEDS TO REGISTER?
Companies with at least 250 employees or access to
the personal and identifiable information of at
least 1,000 people are required to register with the
National Privacy Commission and comply with the
Data Privacy Act of 2012
27. COMPLIANCE OF THE DATA PRIVACY ACT
The National Privacy Commission, which was created
to enforce RA 10173, will check whether companies
are compliant based on a company having 5
elements:
Appointing a Data Protection Officer
Conducting a privacy impact assessment
Creating a privacy knowledge management program
Implementing a privacy and data protection policy
Exercising a breach reporting procedure
29. EXECUTIVE ORDER NO. 2 SERIES OF 2016
FREEDOM OF INFORMATION ORDER
“Operationalizing in the Executive branch the
people’s constitutional right to information and
the state policies to full public disclosure and
transparency in the public service and
providing guidelines therefor”
The Freedom of Information Order provides for full
public disclosure of all government records involving
public interest and upholds the constitutional right of
people to information on matters of public concern
30. SECTION 1. DEFINITION. FOR THE PURPOSE OF THIS
EXECUTIVE ORDER, THE FOLLOWING TERMS SHALL
MEAN:
(a) “Information” shall mean any records, documents,
papers, reports, letters, contracts, minutes and
transcripts of official meetings, maps, books,
photographs, data, research materials, films, sound
and video recording, magnetic or other tapes,
electronic data, computer stored data, any other like or
similar data or materials recorded, stored or archived in
whatever format, whether offline or online, which are
made, received, or kept in or under the control and
custody of any government office pursuant to law,
executive order, and rules and regulations or in
connection with the performance or transaction of
official business by any government office.
31. SECTION 1. DEFINITION. FOR THE PURPOSE OF THIS
EXECUTIVE ORDER, THE FOLLOWING TERMS SHALL
MEAN:
(b) “Official record/records” shall refer to information
produced or received by a public officer or
employee, or by a government office in an official
capacity or pursuant to a public function or duty.
(c) “Public record/records” shall include information
required by laws, executive orders, rules, or
regulations to be entered, kept and made publicly
available by a government office.
32. FREEDOM OF INFORMATION ORDER
Protects Data Privacy
......
WHEREAS, the Data Privacy Act of 2012
(R.A. 10173), including its implementing Rules and
Regulations, strengthens the fundamental human
right of privacy, and of communication while ensuring
the free flow of information to promote innovation and
growth
34. CA AS A CASE STUDY
Membership in the CA is
“On the basis of proportional representation from the
political parties and parties or organization
registered under the party-list system represented
therein.”
Senate President – Ex-Officio
12 Members from the Senate
12 Members from the House of
Representatives
35. FUNCTION OF THE CA
To check on whether the President has exercised
the power to appoint wisely, by appointing
only those who are fit and qualified. It is not
intended to curtail the President’s appointing
authority, as the CA Rules’ Statement of Policy
so provides.
36. CONFIRMATION FLOW PROCESS
START
The President nominates or appoints
CA Chairman refers nomination or appointment to Standing Committee (SC)
SC deliberates on nomination/appointment by conducting meetings and hearings
Members of the SC recommend consent/confirmation or rejection of the nomination/appointment
The CA en banc decides to accept or reject the SC’s recommendation during the plenary session
CONSENT/CONFIRMATION: Certificate is issued and served to nominee or appointee
CONSENT/CONFIRMATION or REJECTION: A report on action taken by the CA on all nominations/appointments is submitted to the President whenever Congress adjourns
The President receives the report
END
37. DOCUMENTARY REQUIREMENTS
Family background
Curriculum Vitae
Disclosure under oath of kinship with any appointive or
elective official in the government
Income Tax Returns for 4 immediately preceding fiscal
years
Statement of Assets and Liabilities for 4 immediately
preceding fiscal years including those of the spouse and
unmarried children
Disclosure of business, financial, personal and
professional connections and interests
38. DOCUMENTARY REQUIREMENTS
Clearances
National Bureau of Investigation
Bureau of Internal Revenue
Commission on Human Rights
Ombudsman
Money and/or property accountabilities
Medical certificate
Statement under oath of any pending criminal or
administrative case if any
Statement whether in line for promotion
Statement of justification whether appointed or
nominated over others who are higher in rank
39. SOURCES OF BACKGROUND
INVESTIGATION INFORMATION
Records Check
National Bureau of Investigation
Office of the Ombudsman
Commission on Human Rights
Office of Ethical Standards and Public Accountability
Board of Foreign Service Administration
Other Private Investigative Agencies
Neighborhood/Employment Check
Miscellaneous Information
Media reports
Books & other publications
Internet
40. SPECIFIC AREAS FOR DOCUMENTS REVIEW
Comparative analysis between Sworn Statements
of Assets and Liabilities and Income Tax Returns
Examination of appointee’s Private Business
Interest (Law on Divestment)
Verification of information from other submitted
documents
41. TREATMENT OF CONFIDENTIAL PROFILE &
INVESTIGATION REPORT
For discussion in executive session if they contain
matters affecting:
Privacy rights, e.g. those relating to moral fitness
National security
Not to be included in working folders, but contained in
a properly sealed envelope
Marked “confidential”
Labeled “For discussion in Executive Session”
42. TREATMENT OF CONFIDENTIAL PROFILE &
INVESTIGATION REPORT
Distributed to the Members only immediately prior to
the hearing
Those classified as “confidential” are retrieved
immediately after the hearing
Not to be copied, shown or distributed until the “rule
of secrecy” has been lifted by a majority of the
Members of the Commission or Committee on
motion made and seconded