RFBT - DATA PRIVACY ACT OF 2012

Question 1

What is the scope of the Data Privacy Act?

Answer 1

It applies to the PROCESSING OF ALL TYPES OF PERSONAL INFORMATION BE IT NATURAL OR JURIDICAL PERSONS. It also applies to THOSE INVOLVED IN PERSONAL INFORMATION PROCESSING including those information controllers and processors, who, although not located in the Philippines or those who maintain an office/branch/agency in the Philippines

Question 2

RA 10173 is known as?

Answer 2

Data Privacy Act of 2012

Question 3

What Commission is being referred to in the Data Privacy Act?

Answer 3

It refers to the National Privacy Commission, which was created by the Act.

Question 4

What is meant by Direct marketing?

Answer 4

It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

Question 5

What is not covered by the Data Privacy Act?

Answer 5

1. ) Information about a government officer/employee that relates to his details such as his address/telephone number/title/salary range/service performed/benefits received/ and information necessary to carry out the functions of public authority.
2. ) Personal information processed for journalistic/artistic/literary/research purposes
3. ) Information necessary for banks and other institutions to comply with AMLA and other applicable laws
4. ) Personal information originally collected from residents of foreign jurisdictions in accordance with laws.

Question 6

Explain the Extraterritorial application of the Data Privacy Act.

Answer 6

GR: Penal law applies only within PH territory

Exceptions:

-it relates to personal info about a PH citizen
- entity has a link with the PH and the entity is processing personal info of a PH citizen/resident such as when
a.) A contract is entered in the PH
b.) Juridical entity has branch in PH
c.) The entity does business in PH
d.) Personal information was collected/held by an
entity in the PH

Question 7

What is the Organizational Structure of the National Privacy Commission?

Answer 7

National Privacy Commission shall be attached to the Department of Information and Technology.

It shall be HEADED BY A PRIVACY COMMISSIONER (same rank as a Secretary) who shall act as CHAIRMAN OF THE COMMISSION and he must be:

• at least 35 years old
• Good moral character
• unquestionable integrity and known probity
• recognized expert in IT and data privacy

It shall also have 2 DEPUTY PRIVACY COMMISSIONERS
1 is for DATA PROCESSING SYSTEMS
1 is for POLICIES AND PLANNING
both of whom should be RECOGNIZED EXPERTS IN IT AND DATA PRIVACY.

Question 8

What is the term of office of the Commissioner and Deputy Commissioners?

Answer 8

The commissioner and deputy commissioner shall be APPOINTED BY THE PRESIDENT OF THE PHILIPPINES for a TERM OF 3 YEARS and may be REAPPOINTED AGAIN for 3 YEARS.

Question 9

What is the composition of the NPC’s Secretariat?

Answer 9

The NPC is authorized to establish a Secretariat, where a MAJORITY OF THE MEMBERS MUST HAVE SERVED FOR AT LEAST 5 YEARS in ANY AGENCY OF THE GOVERNMENT HEAVILY INVOLVED IN PROCESSING OF PERSONAL INFORMATION.

Question 10

Distinguish Sensitive Personal Information from Privileged Information.

Answer 10

Sensitive Personal Information - refers to race/ethnic origin/marital status/age/religion/political affiliations/health/education/government issued records such as SSS and TIN

Privileged Information - refers to any and all forms of data which under Rules of Court and other pertinent laws constitute privileged information.

Question 11

What are the personas involved in DPA?

Answer 11

1. ) Data Subject
2. ) Personal Information Controller
3. ) Personal Information Processor

Question 12

What are our rights under the DPA?

Answer 12

Under the DPA, we have the

1. Right to informed consent - be informed whether personal info are processed
2. Right to Access - upon demand, access his info
3. Right to Object - right to object to the processing of his personal data
4. Right to Erasure or Blocking - right to block/remove/destroy his data
5. Right to Damages - right to be indemnified
6. Right to File a Complaint
7. Right to Rectify/correction - right to dispute the inaccuracy/error on his data
8. Right to Data portability - right to obtain copy of his data

Question 13

What are the criteria for lawful processing of personal information?

Answer 13

1. ) Processing of personal information is not prohibited by law and necessary for compliance with a legal obligation.
2. ) Personal information must be processed fairly and lawfully, collected for specified and legitimate purposes, accurate, relevant, retained only for as long as necessary for the fulfillment of the purposes, and be guaranteed by adequate safeguards.
3. ) Consent has been given by the data subject.
4. Processing is necessary to protect vitally important interests
5. Processing is necessary for the purpose of legitimate interests and to respont to national emergency to comply with requirements of public order and safety and to fulfill the functions of public authority

Question 14

When is processing of sensitive personal information and privileged information allowed?

Answer 14

1. ) When the data subject has given CONSENT
2. ) Regulatory enactments GUARANTEE THE PROTECTION OF SENSITIVE PERSONAL and PRIVILEGED INFORMATION
3. ) Processing is necessary to protect the life and health of data subject or another person and the data subject is not legally/physically able to express his consent
4. ) Processing is necessary to achieve lawful and noncommercial objectives
5. ) Processing is necessary for purposes of medical treatment and the same is carried out by a medical practitioner

Question 15

Is the subcontracting of processing of personal information allowed?

Answer 15

Yes, provided that the PERSONAL INFORMATION CONTROLLER SHALL BE RESPONSIBLE FOR ENSURING THAT PROPER SAFEGUARDS ARE IN PLACE TO ENSURE THE CONFIDENTIALITY OF PERSONAL INFORMATION PROCESSED.

Question 16

What is a personal information controller?

Answer 16

It refers to a person who controls the collection,holding,processing or use of personal information.

Question 17

Are the rights of the data subject transmissible to his assigns/heirs?

Answer 17

Yes, they may invoke such rights any time AFTER the data subject’s death or incapacity.

Question 18

What are the responsibilities of a personal information controller?

Answer 18

1. ) Implement technical measures intended for the protection of personal information
2. ) Implement measures to protect personal information against natural dangers
3. ) Determine the appropriate level of security by taking into account the nature of the personal information to be protected and the risks and complexity involved.
4. ) Ensure that 3rd parties processing information on his behalf implement the security measures required by DPA.
5. ) Ensure that his employees involved in processing understand the confidential relations
6. ) To promptly notify the NPC and affected data subjects when SENSITIVE INFORMATION MAY HAVE BEEN USED OR ACQUIRED BY AN UNAUTHORIZED PERSON.

Question 19

What is the limit for requesting access to records in government agencies?

Answer 19

The head of an agency shall limit the access to not more than 1000 records at a time.

Question 20

Who is responsible for complying with security requirements in government agencies?

Answer 20

The head of the government agency is responsible.

Question 21

What is the penalty for unauthorized processing of PERSONAL INFORMATION?

Answer 21

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

Question 22

What is the penalty for unauthorized processing of SENSITIVE PERSONAL INFORMATION?

Answer 22

Imprisonment of 3-6 years and a fine of PHP 500,000 to PHP 4,000,000.

Question 23

What is the penalty for accessing personal information due to negligence?

Answer 23

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

Question 24

What is the penalty for accessing sensitive personal information due to negligence?

Answer 24

Imprisonment of 3-6 years and a fine of PHP 500,000 to PHP 4,000,000.

Question 25

What is the penalty for Improper disposal of personal information?

Answer 25

Imprisonment of 6 months to 2 years and a fine of PHP 100,000 to PHP 500,000

Question 26

What is the penalty for Improper disposal of sensitive personal information?

Answer 26

Imprisonment of 1-3 years and a fine of PHP 100,000 to PHP 1,000,000

Question 27

What is the penalty for processing of personal information for unauthorized purposes?

Answer 27

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

Question 28

What is the penalty for processing of sensitive personal information for unauthorized purposes?

Answer 28

Imprisonment of 2-7 years and a fine of PHP 500,000 to PHP 2,000,000

Question 29

What is the penalty for unauthorized access or intentional breach?

Answer 29

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 2,000,000

Question 30

What is the penalty for Concealment of Security Breaches involving Sensitive Personal Information?

Answer 30

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

Question 31

What is the penalty for Malicious Disclosure?

Answer 31

Imprisonment of 1 year and 6 months to 5 years and a fine of PHP 500,000 to PHP 1,000,000

Question 32

What is the penalty for Unauthorized Disclosure of personal information?

Answer 32

Imprisonment of 1-3 years and a fine of PHP 500,000 to PHP 1,000,000

Question 33

What is the penalty for Unauthorized Disclosure of sensitive personal information?

Answer 33

Imprisonment of 3-5 years and a fine of PHP 500,000 to PHP 2,000,000

Question 34

What is the penalty for a combination or series or acts?

Answer 34

Imprisonment of 3-6 years and a fine of PHP 1,000,000 to PHP 5,000,000

Question 35

What is the extent of liability if the offender is a Juridical entity?

Answer 35

Imposed upon responsible officers as the case may be, who by their gross negligence or involvement allowed the commission of the crime.

Question 36

What is the extent of liability if the offender is an Alien?

Answer 36

Corresponding penalty plus DEPORTATION without any further proceedings after serving the penalty

Question 37

What is the extent of liability if the offender is a Public official/employee?

Answer 37

Corresponding penalty plus perpetual OR absolute disqualification from office if convicted of:
1.) Improper disposal of personal information and sensitive personal information

2.) Processing of personal information OR sensitive personal information for unauthorized purposes.

Question 38

The HR department headed by the VP for HR is tasked to collect info from new hires and applicants by the BoD. Who is the personal information processor and controller in this case?

Answer 38

Controller - BoD

Processor - VP for HR

Question 39

What are the functions of the National Data Privacy Commission?

Answer 39

(a) Ensure compliance of personal information controllers with the provisions of this Act;
(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;
(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally. That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;
(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

Question 40

What principles must be adhered to when processing personal information?

Answer 40

1. Principle of Proportionality - Processing shall be adequate, relevant, suitable, necessary and not excessive
2. Principle of Legitimate Purpose - processing shall be compatible with a declared and specified purpose which must not be contrary to law/morals/order/policy
3. Principle of Transparency - Data subject must be aware of the nature, purpose and extent of the Processing of his or her Personal Data

Question 41

Abdul wants to apply for an SM rewards card since he always goes shopping there. The application form to be filled out requires his blood type and political affiliation. Can SM collect such info?

Answer 41

No. It is excessive for a rewards card and violates the principle of proportionality.

Question 42

Under the Rules of Court, what are examples of privileged information?

Answer 42

Privileged information are all forms of data which constitute privileged communication under pertinent laws such as:

a. Attorney-client privilege
b. Doctor-patient privilege
c. Marital privilege
d. Priest-confessor privilege

Question 43

T or F
If there is a likelihood of risk to individuals because of breach, the data processor must report the data breach within 48 hours.

Answer 43

False, 72 hours.

Question 44

T or F
In entering into any contract that may involve accessing or requiring sensitive personal information from 1000 or more individuals, an agency shall require a contractor to register their PERSONAL INFORMATION PROCESSING SYSTEM with the Commission.

Answer 44

True.

Question 45

When is the maximum penalty meted out for crimes provided in the DPA?

Answer 45

Maximum penalty shall be imposed when the personal information of AT LEAST 100 PERSONS IS HARMED.

Question 46

T or F
A personal information controller outside of the Philippines is covered by the Data Privacy Act even if the personal information pertain to Philippine residents or citizens

Answer 46

true.

Question 47

A data subject has the right to data portability. What does data portability mean?

Answer 47

It means that the data subject has the right to obtain a copy of his personal information.