
Data Privacy Act Flashcards

(102 cards)

1
Q

An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a national privacy commission and for other purposes.

A

Republic Act No. 10173 known as the Data Privacy Act of 2012

2
Q

Protects the right to privacy of an individual with regard to his personal data. It imposes upon any person processing personal data the obligation to implement security measures aimed at ensuring the confidentiality, integrity, and availability of an individual’s personal data.

A

The Data Privacy Act (Act)

3
Q

DPA applies to:

A

Natural/juridical persons in government or private sectors processing personal data.

Processing of data about Philippine citizens or residents.

Entities with links to the Philippines.

4
Q

Except:

A

Information related to government officials, contractors, public benefits, journalistic, artistic, literary, research purposes, etc.

5
Q

Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information

A

Personal Information

6
Q

When put together with other information would directly and certainly identify an individual.

A

Personal Information

7
Q

About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

A

Sensitive Information

8
Q

About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings

A

Sensitive Information

9
Q

Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns

A

Sensitive Information

10
Q

The data subject must be aware of the structure, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the PIC, his or her rights as a data subject, and how these can be exercised.

A

Principle of Transparency

11
Q

It mandates that the processing of information be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

A

Principle of Legitimate Purpose

12
Q

It requires that the processing of information shall be adequate, relevant, suitable, necessary, and only to the minimum extent necessary to achieve declared, specified and legitimate purpose.

A

Principle of Proportionality

13
Q

Refers to “an individual whose personal information is processed.”

A

Data Subjects

14
Q

This may only be an individual or human being. The term does not extend to artificial persons such as partnerships, corporations, and other entities.

A

Data Subjects

15
Q

The DPA grants various rights to individuals whose personal information is being processed.

These rights empower you with control over your data and ensure transparency in how it’s handled.

A

Rights of Data Subjects

16
Q

As a data subject, you have the right to be informed whether your personal data shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

A

RIGHT TO BE INFORMED

17
Q

The privacy notice to data subjects should include the following information:

A
18
Q

The privacy notice to data subjects should include the following information:

A
19
Q

2. Information regarding data transfers to other countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

A
20
Q
3. The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
A
21
Q

4. The existence of data subjects’ rights, such as the right to access, rectification, erasure, data portability, and the like;

A
22
Q
5. The right to lodge a complaint with a supervisory authority;
A
23
Q

6. If applicable, information regarding automated decision making, including profiling.

A
24
Q

The Data Subject Has A Right
(next slide)

A
25
Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.
26
To be informed whether personal data pertaining to him/her shall be, are being, or have been processed, including the existence of automated decision-making, and profiling
27
To object and to withhold consent
28
The limitations of these Rights (next slide)
29
When necessary for compliance with a legal obligation to which the personal information controller is subject.
30
When the data subject provides his/her consent
31
The processing of personal information is permitted if not prohibited by law and meets at least one of the following conditions: (see next slides)
32
The data subject has provided consent to the processing for the identified purposes.
33
The personal data is necessary to perform a contract with the data subject.
34
The personal data is necessary to comply with a legal obligation.
35
The personal data is necessary to protect the vital interests of a natural person.
36
The personal data is necessary for a public interest.
37
The personal data is necessary to fulfill a legitimate interest of the controller or third party, provided it does not override the data subject's privacy interests.
38
When the processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to the entering of the contract.
39
LEGAL BASES FOR PROCESSING sensitive personal Data (next slide)
40
Explicit consent from the data subject.
41
Protection of vital interests when the data subject cannot consent.
42
Legitimate activities by not-for-profit bodies with appropriate safeguards.
43
Processing necessary for the establishment, exercise, or defense of legal claims.
44
Processing necessary for medical purposes, assessment of working capacity, health or social care, or management of health or social care systems and services.
45
Must be freely given, specific, informed, and recorded.
Consent
46
Required for processing sensitive personal information.
Time-bound and purpose-specific consent
47
Are vulnerable data subjects with heightened protection needs.
Minors
48
PROCESSING DATA OF MINORS Consent must be given by a parent or guardian.
49
Data breaches involving minors require notification through?
legal representatives
50
DATA SHARING AGREEMENTS Data sharing must be covered by an agreement with safeguards.
51
No need for permission if data sharing is for:
A. Fulfillment of contract.
B. Compliance with legal obligation.
C. Protection of life and health.
D. National emergency or public authority functions.
E. Legitimate interests, subject to override.
52
THE RIGHT TO OBJECT (see next slides)
53
Data subjects can object to the processing of their data.
54
Consent is necessary before data collection and processing
55
Consent can be withdrawn if the privacy notice is amended
56
Legitimate grounds for override include:
A. Subpoena requirements.
B. Collection for obvious purposes.
C. Legal obligations of the PIC.
57
THE RIGHT TO Access upon Demand (next slide)
58
Data subjects can find out if an organization holds their personal data.
59
They can obtain a copy of their data from the organization's database or manual system.
60
Access can include:
Contents of personal data. Sources of data. Recipients of data. Processing methods. Reasons for disclosure. Info on automated systems. Last accessed and modified date. Identity and address of the PIC.
61
Exceptions include:
Criminal suspects. Privileged lawyer-client communications. Personal medical data with potential negative impact
62
As a data subject, you have the right to dispute the inaccuracy or error in your personal data and have the PIC correct the same within a reasonable period of time.
THE RIGHT TO RECTIFY
63
Does my right to rectify under the Data Privacy Act 2012 include instances where correction requires a court order?
No. The right to rectification excludes instances where rectification or correction requires an order from a competent court, other pertinent government agencies, or otherwise covered by an official process under other applicable laws and regulations.
64
Can a PIC deny my request for rectification?
Yes. The request for rectification may be denied if the same is manifestly unfounded, vexatious, or otherwise unreasonable. A request may be considered as such when it is made with no real purpose other than to harass, cause annoyance, or hamper the delivery and performance of service.
65
As the data subject, you have the right to request for the suspension, withdrawal, blocking, removal, or destruction of your personal data from the PIC's filing system, in both live and backup systems.
THE RIGHT TO ERASURE OR BLOCKING
66
When should I exercise my right to erasure or blocking?
You may exercise your right to erasure or block upon discovery and substantial proof of any of the following:
* The personal data is:
  * incomplete, outdated, false, or unlawfully obtained;
  * used for an unauthorized purpose;
  * no longer necessary for the purpose/s for which they were collected; or
  * concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized;
* The data subject objects to the processing, and there are no other applicable lawful criteria for processing;
* The processing is unlawful; or
* The PIC or PIP violated the rights of the data subject.
67
Can a PIC deny my request for erasure or blocking?
Yes. A PIC may deny your request for erasure or blocking, wholly or partly, when personal data is still necessary in any of the following instances: (next slides)
68
Fulfillment of the purpose/s for which the data was obtained;
69
Compliance with a legal obligation which requires personal data processing;
70
Establishment, exercise, or defense of any legal claim;
71
Legitimate business purposes of the PIC, consistent with the applicable industry standard for personal data retention;
72
To apprise the public on matters that have an overriding public interest or concern, taking into consideration the following factors:
73
constitutionally guaranteed rights and freedoms of speech, of expression, or of the press;
74
whether or not the personal data pertains to a data subject who is a public figure; and
75
other analogous considerations where personal data are processed in circumstances where data subjects can reasonably expect further processing.
76
As may be provided by any existing law, rules, and regulations
77
THE RIGHT TO DAMAGES Data subjects have the right to be compensated for any damages they suffer due to various types of improper handling of their personal data. (next slides)
78
Available to the data subject for injuries from unlawful or unauthorized processing.
79
Available to the data subject for injuries from unlawful or unauthorized processing.
80
Applicable for violations of the data subject's rights.
81
Compensation can be claimed for damages caused by
> Inaccurate, incomplete, outdated, or false data. > Unlawfully obtained or unauthorized use of personal data.
82
THE RIGHT TO FILE COMPLAINTS (next slides)
83
Data subject can file a complaint with the NPC (National Privacy Commission).
84
Grounds for complaint include:
> Misuse, malicious disclosure, or improper disposal of personal information.
85
The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.
SECTION 17: TRANSMISSIBILITY OF DATA SUBJECT RIGHTS.
86
The rights of the data subject are not applicable if processed personal data are used only for scientific and statistical research needs and for investigations relative to any criminal, administrative, or tax liabilities of the data subject, and only to the minimum extent necessary to achieve the purpose.
LIMITATION ON RIGHTS OF DATA SUBJECT.
87
WHEN AND TO WHOM SHOULD NOTIFICATION BE DONE? (next slide)
88
To the National Privacy Commission
The National Privacy Commission should be notified within seventy-two (72) hours from the time the personal information controller or processor gains knowledge or arrives at a reasonable belief that a personal data breach has occurred
89
Violation of data privacy rights.
90
To the data subjects
The data subjects should be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
91
To the National Privacy Commission The notification, which should be in the form of a written or electronic report, should include, at the very least, the following information:
1. Nature of the breach
2. Personal data possibly involved
3. Measures taken to address the breach
92
SANCTIONS (next slides)
93
(2) Access due to negligence (provided access to without being authorized by law)
Imprisonment
* Personal Information (PI): 1 year to 3 years
* Sensitive Personal Information (SPI): 3 years to 6 years
Fine
* PI: 500k - 2M
* SPI: 500k - 4M
94
To the data subjects The notification, which should be done individually through secure means of written or electronic communication, should include, at the very least, the following information:
1. Nature of the breach;
2. Personal data possibly involved;
3. Measures taken to address the breach;
4. Measures taken to reduce the harm or negative consequences of the breach;
5. Representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
6. Any assistance to be provided to the affected data subjects.
95
(3) Improper disposal (knowingly or negligently dispose, discard, or abandon the personal information in an area accessible to the public or otherwise placed the personal information for the trash collection)
Imprisonment
* Personal Information (PI): 6 mos to 2 years
* Sensitive Personal Information (SPI): 3 years to 6 years
Fine
* PI: 100k - 500k
* SPI: 100k - 1M
96
(1) Unauthorized processing (without consent of the data subject or without being authorized by law)
Imprisonment
* Personal Information (PI): 1 year to 3 years
* Sensitive Personal Information (SPI): 3 years to 6 years
Fine
* PI: 500k - 2M
* SPI: 500k - 4M
97
(4) Unauthorized purposes
Imprisonment
* Personal Information (PI): 18 mos to 5 years
* Sensitive Personal Information (SPI): 2 years to 7 years
Fine
* PI: 500k - 1M
* SPI: 500k - 2M
98
(5) Intentional breach (knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive information are stored)
Imprisonment
* PI and SPI: 1 year - 3 years
Fine
* PI and SPI: 500k - 2M
99
(6) Concealing breach (intentionally or by omission conceals the fact of breach)
Imprisonment
* PI and SPI: 18 mos - 5 years
Fine
* PI and SPI: 500k - 1M
100
(7) Malicious disclosure (with malice/in bad faith, discloses unwarranted or false information)
Imprisonment
* PI and SPI: 18 mos - 5 years
Fine
* PI and SPI: 500k - 1M
101
(8) Unauthorized disclosure (discloses to a third party personal information not covered by the immediately preceding section without consent)
Imprisonment
* Personal Information (PI): 1 year to 3 years
* Sensitive Personal Information (SPI): 3 years to 5 years
Fine
* PI: 500k - 1M
* SPI: 500k - 2M
102
(9) Combination of Acts
Imprisonment
* PI and SPI: 3 years - 6 years
Fine
* PI and SPI: 1M - 5M