RFBT - DATA PRIVACY ACT OF 2012 Flashcards Preview


Flashcards in RFBT - DATA PRIVACY ACT OF 2012 Deck (47)
1
Q

What is the scope of the Data Privacy Act?

A

It applies to the PROCESSING OF ALL TYPES OF PERSONAL INFORMATION, BE IT BY NATURAL OR JURIDICAL PERSONS. It also applies to THOSE INVOLVED IN PERSONAL INFORMATION PROCESSING, including personal information controllers and processors who, although not located in the Philippines or those who maintain an office/branch/agency in the Philippines

2
Q

RA 10173 is known as?

A

Data Privacy Act of 2012

3
Q

What Commission is being referred to in the Data Privacy Act?

A

It refers to the National Privacy Commission, which was created by the Act.

4
Q

What is meant by Direct marketing?

A

It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

5
Q

What is not covered by the Data Privacy Act?

A
  1.) Information about a government officer/employee that relates to his details such as his address/telephone number/title/salary range/service performed/benefits received/ and information necessary to carry out the functions of public authority.
  2.) Personal information processed for journalistic/artistic/literary/research purposes
  3.) Information necessary for banks and other institutions to comply with AMLA and other applicable laws
  4.) Personal information originally collected from residents of foreign jurisdictions in accordance with laws.

6
Q

Explain the Extraterritorial application of the Data Privacy Act.

A

GR (General Rule): Penal law applies only within PH territory.

Exceptions:

- It relates to personal info about a PH citizen
- The entity has a link with the PH and the entity is processing personal info of a PH citizen/resident, such as when:
a.) A contract is entered into in the PH
b.) The juridical entity has a branch in the PH
c.) The entity does business in the PH
d.) The personal information was collected/held by an entity in the PH

7
Q

What is the Organizational Structure of the National Privacy Commission?

A

National Privacy Commission shall be attached to the Department of Information and Technology.

It shall be HEADED BY A PRIVACY COMMISSIONER (same rank as a Secretary) who shall act as CHAIRMAN OF THE COMMISSION and he must be:

  • at least 35 years old
  • of good moral character
  • of unquestionable integrity and known probity
  • a recognized expert in IT and data privacy

It shall also have 2 DEPUTY PRIVACY COMMISSIONERS:
1 for DATA PROCESSING SYSTEMS
1 for POLICIES AND PLANNING
both of whom should be RECOGNIZED EXPERTS IN IT AND DATA PRIVACY.

8
Q

What is the term of office of the Commissioner and Deputy Commissioners?

A

The commissioner and deputy commissioners shall be APPOINTED BY THE PRESIDENT OF THE PHILIPPINES for a TERM OF 3 YEARS and may be REAPPOINTED for another 3 YEARS.

9
Q

What is the composition of the NPC’s Secretariat?

A

The NPC is authorized to establish a Secretariat, where a MAJORITY OF THE MEMBERS MUST HAVE SERVED FOR AT LEAST 5 YEARS in ANY AGENCY OF THE GOVERNMENT HEAVILY INVOLVED IN PROCESSING OF PERSONAL INFORMATION.

10
Q

Distinguish Sensitive Personal Information from Privileged Information.

A

Sensitive Personal Information - refers to race/ethnic origin/marital status/age/religion/political affiliations/health/education/government-issued records such as SSS and TIN

Privileged Information - refers to any and all forms of data which under Rules of Court and other pertinent laws constitute privileged information.

11
Q

What are the personas involved in DPA?

A
  1.) Data Subject
  2.) Personal Information Controller
  3.) Personal Information Processor

12
Q

What are our rights under the DPA?

A

Under the DPA, we have the:

  1. Right to informed consent - to be informed whether personal info is being processed
  2. Right to Access - upon demand, to access his info
  3. Right to Object - to object to the processing of his personal data
  4. Right to Erasure or Blocking - to block/remove/destroy his data
  5. Right to Damages - to be indemnified
  6. Right to File a Complaint
  7. Right to Rectification/Correction - to dispute the inaccuracy/error in his data
  8. Right to Data Portability - to obtain a copy of his data

13
Q

What are the criteria for lawful processing of personal information?

A
  1.) Processing of personal information is not prohibited by law and is necessary for compliance with a legal obligation.
  2.) Personal information must be processed fairly and lawfully, collected for specified and legitimate purposes, accurate, relevant, retained only for as long as necessary for the fulfillment of the purposes, and be guaranteed by adequate safeguards.
  3.) Consent has been given by the data subject.
  4.) Processing is necessary to protect vitally important interests.
  5.) Processing is necessary for the purpose of legitimate interests, to respond to a national emergency, to comply with requirements of public order and safety, and to fulfill the functions of public authority.

14
Q

When is processing of sensitive personal information and privileged information allowed?

A
  1.) When the data subject has given CONSENT
  2.) Regulatory enactments GUARANTEE THE PROTECTION OF SENSITIVE PERSONAL and PRIVILEGED INFORMATION
  3.) Processing is necessary to protect the life and health of the data subject or another person and the data subject is not legally/physically able to express his consent
  4.) Processing is necessary to achieve lawful and noncommercial objectives
  5.) Processing is necessary for purposes of medical treatment and the same is carried out by a medical practitioner

15
Q

Is the subcontracting of processing of personal information allowed?

A

Yes, provided that the PERSONAL INFORMATION CONTROLLER SHALL BE RESPONSIBLE FOR ENSURING THAT PROPER SAFEGUARDS ARE IN PLACE TO ENSURE THE CONFIDENTIALITY OF PERSONAL INFORMATION PROCESSED.

16
Q

What is a personal information controller?

A

It refers to a person who controls the collection, holding, processing or use of personal information.

17
Q

Are the rights of the data subject transmissible to his assigns/heirs?

A

Yes, they may invoke such rights any time AFTER the data subject’s death or incapacity.

18
Q

What are the responsibilities of a personal information controller?

A
  1.) Implement technical measures intended for the protection of personal information
  2.) Implement measures to protect personal information against natural dangers
  3.) Determine the appropriate level of security by taking into account the nature of the personal information to be protected and the risks and complexity involved
  4.) Ensure that third parties processing information on his behalf implement the security measures required by the DPA
  5.) Ensure that his employees involved in processing understand the confidential relations
  6.) Promptly notify the NPC and affected data subjects when SENSITIVE INFORMATION MAY HAVE BEEN USED OR ACQUIRED BY AN UNAUTHORIZED PERSON

19
Q

What is the limit for requesting access to records in government agencies?

A

The head of an agency shall limit the access to not more than 1000 records at a time.

20
Q

Who is responsible for complying with security requirements in government agencies?

A

The head of the government agency is responsible.

21
Q

What is the penalty for unauthorized processing of PERSONAL INFORMATION?

A

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

22
Q

What is the penalty for unauthorized processing of SENSITIVE PERSONAL INFORMATION?

A

Imprisonment of 3-6 years and a fine of PHP 500,000 to PHP 4,000,000.

23
Q

What is the penalty for accessing personal information due to negligence?

A

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

24
Q

What is the penalty for accessing sensitive personal information due to negligence?

A

Imprisonment of 3-6 years and a fine of PHP 500,000 to PHP 4,000,000.

25
Q

What is the penalty for Improper disposal of personal information?

A

Imprisonment of 6 months to 2 years and a fine of PHP 100,000 to PHP 500,000

26
Q

What is the penalty for Improper disposal of sensitive personal information?

A

Imprisonment of 1-3 years and a fine of PHP 100,000 to PHP 1,000,000

27
Q

What is the penalty for processing of personal information for unauthorized purposes?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

28
Q

What is the penalty for processing of sensitive personal information for unauthorized purposes?

A

Imprisonment of 2-7 years and a fine of PHP 500,000 to PHP 2,000,000

29
Q

What is the penalty for unauthorized access or intentional breach?

A

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

30
Q

What is the penalty for Concealment of Security Breaches involving Sensitive Personal Information?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

31
Q

What is the penalty for Malicious Disclosure?

A

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

32
Q

What is the penalty for Unauthorized Disclosure of personal information?

A

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 1,000,000

33
Q

What is the penalty for Unauthorized Disclosure of sensitive personal information?

A

Imprisonment of 3-5 years and a fine of PHP 500,000 to PHP 2,000,000

34
Q

What is the penalty for a combination or series of acts?

A

Imprisonment of 3-6 years and a fine of PHP 1,000,000 to PHP 5,000,000

35
Q

What is the extent of liability if the offender is a Juridical entity?

A

Imposed upon responsible officers as the case may be, who by their gross negligence or involvement allowed the commission of the crime.

36
Q

What is the extent of liability if the offender is an Alien?

A

Corresponding penalty plus DEPORTATION without any further proceedings after serving the penalty

37
Q

What is the extent of liability if the offender is a Public official/employee?

A

Corresponding penalty plus perpetual OR absolute disqualification from office if convicted of:
1.) Improper disposal of personal information and sensitive personal information
2.) Processing of personal information OR sensitive personal information for unauthorized purposes

38
Q

The HR department headed by the VP for HR is tasked to collect info from new hires and applicants by the BoD. Who is the personal information processor and controller in this case?

A

Controller - BoD

Processor - VP for HR

39
Q

What are the functions of the National Data Privacy Commission?

A

(a) Ensure compliance of personal information controllers with the provisions of this Act;
(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;
(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;
(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

40
Q

What principles must be adhered to when processing personal information?

A
  1. Principle of Proportionality - Processing shall be adequate, relevant, suitable, necessary and not excessive
  2. Principle of Legitimate Purpose - Processing shall be compatible with a declared and specified purpose which must not be contrary to law/morals/order/policy
  3. Principle of Transparency - The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data

41
Q

Abdul wants to apply for an SM rewards card since he always goes shopping there. The application form to be filled out requires his blood type and political affiliation. Can SM collect such info?

A

No. It is excessive for a rewards card and violates the principle of proportionality.

42
Q

Under the Rules of Court, what are examples of privileged information?

A

Privileged information comprises all forms of data which constitute privileged communication under pertinent laws, such as:

a. Attorney-client privilege
b. Doctor-patient privilege
c. Marital privilege
d. Priest-confessor privilege

43
Q

T or F
If there is a likelihood of risk to individuals because of a breach, the data processor must report the data breach within 48 hours.

A

False, 72 hours.

44
Q

T or F
In entering into any contract that may involve accessing or requiring sensitive personal information from 1000 or more individuals, an agency shall require a contractor to register their PERSONAL INFORMATION PROCESSING SYSTEM with the Commission.

A

True.

45
Q

When is the maximum penalty meted out for crimes provided in the DPA?

A

Maximum penalty shall be imposed when the personal information of AT LEAST 100 PERSONS IS HARMED.

46
Q

T or F
A personal information controller outside of the Philippines is covered by the Data Privacy Act even if the personal information pertains to Philippine residents or citizens.

A

True.

47
Q

A data subject has the right to data portability. What does data portability mean?

A

It means that the data subject has the right to obtain a copy of his personal information.