UNIT 10 Flashcards by lady henituse

On the year 2000 a Filipino named Onel De Guzman created a worm that sent messages
through email with an attachment: “LOVE-LETTER-FORYOU.txt.vbs”
When the attachment is opened, the file activates a code that sends an instruction to
forward the same email to all the contacts of the user
● The worm spread to e-mail accounts across the globe – including US and Europe –
overwhelming the email systems of private and government organizations causing them
to shut down resulting to estimated damages worth millions of USD
● This prompted the FBI to identify the source of the worm, which was then traced back to
the Philippines

The I LOVE YOU Worm

How well did you know this?

Not at all

Perfectly

Onel De Guzman was eventually arrested by the Philippine government at the request of
the FBI but was released shortly afterwards because there was NO pre-existing Philippine
laws that he violated

The I LOVE YOU Worm

How well did you know this?

Not at all

Perfectly

AN ACT PROVIDING FOR THE
RECOGNITION AND USE OF ELECTRONIC TRANSACTIONS AND DOCUMENTS,
PENALTIES FOR UNLAWFUL USE THEREOF AND OTHER PURPOSES.
NOTE: was used to define certain illegal activities concerning the use of various
devices in an effort to provide a legal provision to deter future actions similar to what
Onel De Guzman did

Republic Act 8792: Philippine E-Commerce Act Of 2000

How well did you know this?

Not at all

Perfectly

Section 6. LEGAL RECOGNITION OF DATA MESSAGES

Republic Act 8792: Philippine E-Commerce Act Of 2000

text messages, e-mails, or any other similar modes of
communication done through electronic means [including unaltered screenshots] has the
same legal validity as physical messages

ELECTRONIC DATA MESSAGES

How well did you know this?

Not at all

Perfectly

Section 7. LEGAL RECOGNITION OF ELECTRONIC DOCUMENTS

Republic Act 8792: Philippine E-Commerce Act Of 2000

shall have the legal effect, validity or enforceability as any other
document or legal writing.
NOTE: This provision gives softcopy of authentic documents the same legal validity as physical
documents

ELECTRONIC DOCUMENTS

How well did you know this?

Not at all

Perfectly

Section 8. LEGAL RECOGNITION OF ELECTRONIC SIGNATURES

Republic Act 8792: Philippine E-Commerce Act Of 2000

An _____ on the electronic document shall be equivalent to the signature
of a person on a written document

ELECTRONIC SIGNATURE

How well did you know this?

Not at all

Perfectly

Section 33. PENALTIES
The following acts shall be penalized by fine and/or imprisonment:

Republic Act 8792: Philippine E-Commerce Act Of 2000

● Unauthorized access into a computer system/server or information and communication
system
● Any access with the intent to corrupt, alter, steal, or destroy using a computer or computer
system without the knowledge and consent of the owner of the system

HACKING/CRACKING

How well did you know this?

Not at all

Perfectly

Section 33. PENALTIES

Republic Act 8792: Philippine E-Commerce Act Of 2000

● Unauthorized copying, reproduction, storage, uploading, downloading, communication, or
broadcasting of protected material [..] through the use of telecommunication networks,
e.g. the Internet, in a manner that infringes intellectual property

PIRACY

How well did you know this?

Not at all

Perfectly

Section 33. PENALTIES

Violations against R.A. 7394: The Consumer Act Of The Philippines
● R.A. 7394 was enacted primarily to protect the consumers …
… against hazards to health and safety, and
… against deceptive, unfair and unconscionable sales acts and practices.

Republic Act 8792: Philippine E-Commerce Act Of 2000

How well did you know this?

Not at all

Perfectly

NOTE:
● Penalty for HACKING/CRACKING and PIRACY:
▪ Pay a fine amounting to a minimum of one hundred thousand pesos (PhP 100,000) and a
maximum that is commensurate to the damage incurred and …
▪ Mandatory imprisonment of 6 months to 3 years.
● Penalty for violations against R.A. 7394 will be the same penalties as provided by same law which
is to pay a fine of PhP 20,000 to PhP 2000,000 and/or imprisonment of 3 to 6 years

Republic Act 8792: Philippine E-Commerce Act Of 2000

How well did you know this?

Not at all

Perfectly

Does connecting to an open WIFI network (e.g. WIFI with no password), without the consent
of the network owner, constitute a violation of RA 8792?

NO! By merely accessing it, there is no clear intent to “corrupt, alter, steal or destroy”

How well did you know this?

Not at all

Perfectly

is an act that adopts sufficient powers to effectively prevent and combat cybercrime
offenses by facilitating their detection, investigation, and prosecution at both the domestic and
international levels

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

How well did you know this?

Not at all

Perfectly

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

defines ____ as a crime committed with or through the use of information and
communication technologies such as radio, television, cellular phone, computer and network, and
other communication device or application

CYBERCRIME

How well did you know this?

Not at all

Perfectly

Section 4. CYBERCRIME OFFENSES
The following acts constitute the offense of cybercrime punishable under this Act
(a) OFFENSES against the CONFIDENTIALITY, INTEGRITY and AVAILABILITY (CIA) of
COMPUTER DATA and COMPUTER SYSTEMS;
(b) COMPUTER-RELATED OFFENSES; and
(c) CONTENT-RELATED OFFENSES

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

How well did you know this?

Not at all

Perfectly

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of
COMPUTER DATA and COMPUTER SYSTEMS

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

The access to the whole or any part of a computer system without right.
NOTE:
● “access” is the instruction, communication with, storing/retrieving data from or use of
any resources of a computer system of network
● “without right” means having no consent from the owner of the computer system

ILLEGAL ACCESS

How well did you know this?

Not at all

Perfectly

Does connecting to an open WIFI network (e.g. WIFI with no password), without the
consent of the network owner, constitute a violation of RA 8792?

NO! By merely accessing it, there is no clear intent to “corrupt, alter, steal or
destroy”

How well did you know this?

Not at all

Perfectly

Does connecting to an open WIFI network (e.g. WIFI with no password), without the
consent of the network owner, constitute a violation of RA 10175?

YES! Illegal access is to “make use of any resources” without right (consent)

How well did you know this?

Not at all

Perfectly

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of
COMPUTER DATA and COMPUTER SYSTEMS

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

The interception […] of computer data to, from, or within a computer system.
NOTE:
● Interception is listening to, recording, monitoring or surveillance of the content of
communications through the use of electronic eavesdropping or tapping devices at the same
time that the communication is occurring

ILLEGAL INTERCEPTION

How well did you know this?

Not at all

Perfectly

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of
COMPUTER DATA and COMPUTER SYSTEMS

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

The intentional or reckless alteration, damaging, deletion or deterioration of computer
data, electronic document or electronic data message without right – including the
introduction or transmission of viruses

DATA INTERFERENCE

How well did you know this?

Not at all

Perfectly

Consider the following situation:
 A friend sent you a file on a flash drive infected with a virus
 Both of you is not aware that the flash drive is infected
 After you insert the flash drive in your computer, your computer get infected
and you lost your documents
Is your friend liable for any violation on RA 10175?

YES! Data interference includes “the intentional or reckless alteration, damaging,
deletion
or deterioration of computer data” – even if your friend has no malicious intent it is
still considered as “recklessness” in his/her part causing you to lose your file

How well did you know this?

Not at all

Perfectly

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of
COMPUTER DATA and COMPUTER SYSTEMS

REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012

The intentional alteration or reckless hindering or interference with the functioning of a
computer or computer network by inputting, transmitting, damaging, deleting,
deteriorating, altering or suppressing computer data or program, electronic document,
or electronic data message, without right or authority, including the introduction or
transmission of viruses

SYSTEM INTERFERENCE

How well did you know this?

Not at all

Perfectly

Consider the same situation in the previous example:
 A friend sent you a file on a flash drive infected with a virus
 Both of you is not aware that the flash drive is infected
 After you insert the flash drive in your computer, your computer get infected
and you lost all your files and the whole computer system went into error
Is your friend liable for any violation on RA 10175?

YES! Although it may be unintentional, data interference and system interference
was committed

How well did you know this?

Not at all

Perfectly

SYSTEM INTERFERENCE EXAMPLE:

Refers to software programs and malware components developed to take over a
computer’s resources and use them for cryptocurrency mining without the user’s explicit
permission

CRYPTOJACKING or CRYPTOMINING MALWARE

How well did you know this?

Not at all

Perfectly

SYSTEM INTERFERENCE EXAMPLE:

When you download through torrent sites like “thepiratebay”, you basically give them the
authority to use your computer’s CPU to “mine” cryptocurrencies – the reason why
downloading a lot of torrent file can cause your computer to heat up

CRYPTOJACKING or CRYPTOMINING MALWARE

How well did you know this?

Not at all

Perfectly

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of COMPUTER DATA and COMPUTER SYSTEMS REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The unauthorized use, production, sale, procurement, distribution or otherwise making available of: i. A device designed for committing any offenses under this Act ii. A computer password, access code, or similar data by which […] a computer system is […] accessed with the intent of committing any offenses under this act

MISUSE OF DEVICE (SKIMMING DEVICES and KEYLOGGERS)

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of COMPUTER DATA and COMPUTER SYSTEMS REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The acquisition of a domain name on the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same

CYBER-SQUATTING

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of COMPUTER DATA and COMPUTER SYSTEMS REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 the domain name that was acquired is: i. Similar, identical or confusingly similar to an existing government-registered trademark; ii. In case of a personal name, identical or in any way similar with the name of a person other than the registrant; and iii. Acquired without right or with intellectual property interests in it

CYBER-SQUATTING

SECTION 4 (a) OFFENSES against the CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (CIA) of COMPUTER DATA and COMPUTER SYSTEMS REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012  In January 2004, Mike Rowe was a grade 12 student who operated a profitable web design business as a part time job.  He registered the website with the domain name MikeRoweSoft.com  Lawyers from Microsoft asked him to stop using the website and Mike Rowe complied after an undisclosed settlement with the company

CYBER-SQUATTING

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic

Computer-related FORGERY

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The act of knowingly using computer data which is the product of computer-related forgery for the purpose of perpetuating a fraudulent or dishonest design

Computer-related FORGERY

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 Hacking into the SLU Student Portal to change your grade from 65 to 95 Since NO MONETARY VALUE is involved, this is considered as "---” and not “fraud”

COMPUTER-RELATED FORGERY

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent

Computer-related FRAUD

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The ONLY difference between forgery and fraud is if the damage incurred has a ____

monetary value

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 Hacking into a bank’s database and changing your account balance from PhP 500 to PhP 5,000  Asking people to send you a “prepaid load” by pretending to be a “relative from abroad”

Computer-related FRAUD

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another [person] without right

Computer-related IDENTITY THEFT

SECTION 4 (b) COMPUTER-RELATED OFFENSES REPUBLIC ACT 10175: CYBERCRIME PREVENTION ACT OF 2012 Those fake social media accounts that has a user profile that contains “identifying information” – like picture or name – belonging to another person with the intention of using it for malicious purposes, such as pretending to be the actual person even if it is not

Computer-related IDENTITY THEFT

Assume that two individuals, who happen to be real-life partners, gave their consent to each other to record their sexual act. Is this a case of cybersex?

NO! Since both parties consented and even if these acts are publicly denounced, they do NOT constitute to cybersex since the act is NOT done for “any favour or consideration” and without the element of “engagement in business”

SECTION 4 (c) CONTENT-RELATED OFFENSES ● The unlawful or prohibited acts defined and punishable by R.A. 9775: The Anti-Child Pornography Act of 2009 committed through a computer system ● This includes any representation – whether visual or audio – by electronic or any other means of a child engaged or involved in real or simulated explicit sexual activities

CHILD PORNOGRAPHY

SECTION 4 (c) CONTENT-RELATED OFFENSES Are “hentai” clips – sexually explicit Japanese comics or anime – considered as a violation of this law?

NO … unless the hentai clip itself contains a character which is explicit identified as a minor. If so, the said material is prohibited and the creator/distributor of the said material are liable for violation of this law.

SECTION 4 (c) CONTENT-RELATED OFFENSES is the public and malicious imputation of a crime – real or imaginary – or any act, omission, condition, status or circumstance tending to cause the dishonor, discredit, or contempt of a […] person, or to blacken the memory of the dead

(ONLINE) LIBEL

SECTION 4 (c) CONTENT-RELATED OFFENSES FOUR ELEMENTS OF LIBEL a discreditable act or condition concerning another;

Allegations

SECTION 4 (c) CONTENT-RELATED OFFENSES FOUR ELEMENTS OF LIBEL ___ of the charge

Publication

SECTION 4 (c) CONTENT-RELATED OFFENSES FOUR ELEMENTS OF LIBEL The person being ___ is clearly identified; and

defamed

SECTION 4 (c) CONTENT-RELATED OFFENSES FOUR ELEMENTS OF LIBEL Existence of

Malice

Assume that someone posted this unfounded claim on social media: “HOY! MARIA DAVID! MAGNANAKAW KA! KAYONG DALAWANG “NANAY MO! MGA MAGNANAKAW! IBALIK NIYO YUNG MILYUN- “MILYONG PERA NA NINAKAW NIYO!” Did the person who posted commit online libel?

YES! All the FOUR ELEMENTS OF LIBEL is present! a. FALSE ALLEGATION: MAGNANAKAW KA! KAYONG DALAWA NG NANAY MO! b. PUBLICATION: Allegation was posted on social media c. PERSON DEFAMED is IDENTIFIED: Maria David and her mother d. EXISTENCE OF MALICE: Even though unfounded, the post was published nonetheless

“HOY! MARIA DAVID! MAGNANAKAW KA! KAYONG DALAWANG “NANAY MO! MGA MAGNANAKAW! IBALIK NIYO YUNG MILYUN- “MILYONG PERA NA NINAKAW NIYO!” If you LIKED/REACTED to the post above, are you liable?

NO! LIKING or REACTING may be a sign of approval to the said post but NO STATEMENT was mentioned – none of the FOUR ELEMENTS OF LIBEL is present!

“HOY! MARIA DAVID! MAGNANAKAW KA! KAYONG DALAWANG “NANAY MO! MGA MAGNANAKAW! IBALIK NIYO YUNG MILYUN- “MILYONG PERA NA NINAKAW NIYO!” If you SHARED the said post, are you liable?

NO! The libelous statement was NOT made by the person who SHARED it!

“HOY! MARIA DAVID! MAGNANAKAW KA! KAYONG DALAWANG “NANAY MO! MGA MAGNANAKAW! IBALIK NIYO YUNG MILYUN- “MILYONG PERA NA NINAKAW NIYO!” If you COMMENTED on the said post with “OO NGA!”, are you liable?

NO! Similar to LIKING or REACTING, commenting “OO NGA!” does not discredit or allege Maria David – none of the FOUR ELEMENTS OF LIBEL is present

YES! This statement is not merely an approval but also states an allegation towards Maria David and her mother. This makes the person liable for libel since the comment can be seen publicly as well.

This is the right of an individual “to be free from unwarranted publicity, or to live without unwarranted interference by the public in matters in which the public is not necessarily concerned.”

THE RIGHT TO PRIVACY

Does the state (i.e. the government) have the right to disturb private individuals in their homes?

NO! The State recognizes the right of the people to be secure in their houses. No one, not even the State, except "in case of overriding […] and only under the stringent procedural safeguards," can disturb them in the privacy of their homes.

THE RIGHT TO PRIVACY Article 26: Every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons.

REPUBLIC ACT 386: CIVIL CODE OF THE PHILIPPINES (1950)

The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief: __ into the privacy of another's residence

Prying

The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief: --- with or disturbing the private life or family relations of another;

Meddling

The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief: --- to cause another to be alienated from his friends;

Intriguing

The following and similar acts, though they may not constitute a criminal offense, shall produce a cause of action for damages, prevention and other relief: __ or humiliating another on account of his religious beliefs, lowly station in life, place of birth, physical defect, or other personal condition.

Vexing

May an individual installs surveillance cameras on his own property facing the property of another? (Hing vs. Choachuy 2013)

NO! A man’s house is his castle, where his right to privacy cannot be denied or even restricted by others. It includes any act of intrusion into, peeping or peering inquisitively into the residence of another without the consent of the latter.

The installation of surveillance cameras, should NOT cover places where there is reasonable expectation of privacy, unless the consent of the individual – whose right to privacy would be affected – was obtained.

NOTE on the INSTALLATION of CAMERAS

Sample Case: (Zulueta vs C.A., 1996) Situation: • Cecilia entered the clinic of Dr. Martin – her husband – and in the presence of witnesses, forcibly opened the drawers and cabinet and took 157 documents and papers consisting of greetings cards, cancelled checks, diaries, and photographs between Dr. Martin and his alleged paramours. • The said documents were used as evidence in legal separation case. Was the right to privacy of Dr. Martin violated?

YES! In the decision of the court: “A person, by contracting marriage, does not shed his/her integrity or his right to privacy as an individual and the constitutional protection is ever available to him or to her.” The documents and papers are inadmissible as evidence since the way they were gathered violated the right to privacy of Dr. Martin

Also known as the “right to be left alone”, refers to the right of a person to “expect privacy” in places and/or situations that the community generally accepts as “quite reasonable” For instance, there are certain instances that a person assumes that there is _____ such that at that particular moment nobody can see or hear him/her.

reasonable expectation of privacy

Does an employee have a reasonable expectation of privacy in the workplace?

According to a court decision, an employee have LESS or NO expectations of privacy in the workplace. For instance, CCTV cameras may be watching an employee’s every move while inside the company grounds. The only place where there is reasonable expectation of privacy is inside the toilet facilities of the company

REPUBLIC ACT 9995: ANTI-PHOTO AND VIDEO VOYEURISM ACT OF 2009 Included under the ___ is that any person believes that: ● He/she could disrobe in privacy, without being concerned that an image or a private area of the person was being captured; ● The private area of the person would not be visible to the public, regardless of whether that person is in a public or private place.

REASONABLE EXPECTATION OF PRIVACY

What does “PRIVATE AREA OF A PERSON” include?

The “private area of a person” includes naked or undergarment-clad genitals, pubic area, buttocks, or the female breast of an individual

Section 4: PROHIBITED ACTS. To __ photo or video coverage of a person or group of persons performing sexual act or any similar activity or to capture an image of the private area of a person without the consent of the person involved and under circumstances in which the person/s has/have a reasonable expectation of privacy;

TAKE

Section 4: PROHIBITED ACTS. To ___ or REPRODUCE […] such photo or video or recording of (a);

COPY

Section 4: PROHIBITED ACTS. To ___ or DISTRIBUTE […] such photo or video or recording of (a); or

SELL

Section 4: PROHIBITED ACTS. To ___ or BROADCAST […] of (a) through VCD/DVD, Internet, cellular phones and other similar means or device.

PUBLISH

Will one be liable for the non-commercial copying or reproduction of said photo or video – e.g. copy or reproduce for free without asking for money?

YES! The mere copying or reproduction of said material will make one liable under the law regardless of the reason or whether one profits or not from such act.

If the persons in the photo knew and consented to the video recording or taking of the photo, can anyone reproduce, distribute, or broadcast it

NO! The person merely consented to the taking of the photo or the video recording and did not give written consent for its reproduction, distribution, and broadcasting.

Section 4: PENALTIES. The penalty for the commission of any of the prohibited acts above are as follows: ● Imprisonment of 3 years to 7 years imprisonment; and ● Fine of Php 100,000.00 to Php 500,000.00

Section 4: PENALTIES.

PURPOSE 1. PROTECTS THE PRIVACY OF INDIVIDUALS while ensuring free flow of information to promote innovation and growth. 2. REGULATES the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of PERSONAL DATA. 3. Ensures that the Philippines COMPLIES WITH INTERNATIONAL STANDARDS set for data protection.

REPUBLIC ACT 10173: DATA PRIVACY ACT OF 2012

DEFINITION OF TERMS The individual, corporation, or body who decides what to do with data.

PERSONAL INFORMATION CONTROLLER (PIC)

DEFINITION OF TERMS One who processes data for a PIC. The PIP does not process information for the PIP’s own purpose.

PERSONAL INFORMATION PROCESSOR (PIP)

DEFINITION OF TERMS Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.

CONSENT OF DATA SUBJECT

DEFINITION OF TERMS A security incident that: a. Leads to unlawful or unauthorized processing of personal, sensitive, or privileged information; b. Compromises the availability, integrity, or confidentiality of personal data.

BREACH

Any personal information about a particular individual that can be used in identifying a person. This includes, but not limited to: ▪ Name ▪ Address ▪ Phone number ▪ E-mail address

PERSONAL INFORMATION

Any information or opinion about a particular individual that may be used to harm or discriminate a person. This includes, but not limited to: ▪ Race or ethnic origin ▪ Religious affiliations ▪ Criminal record ▪ Medical record

SENSITIVE PERSONAL INFORMATION

PROCESSING OF PERSONAL INFORMATION ● The data subject must know: a. What personal data will be collected b. How the personal data will be collected c. Why personal data will be collected ● The data processing policies of the PIC must be known to the data subject. ● The information to be provided to the data subject must be in clear and plain language.

PRINCIPLES OF TRANSPARENCY

DEFINITION OF TERMS ● Data collected must be always be collected only for the specific, explicit, and legitimate purposes of the PIC. ● Data that is not compatible with the purpose [of the data collection] shall not be processed.

LEGITIMATE PURPOSE PRINCIPLE

DEFINITION OF TERMS ● The amount of data collected for processing should be adequate, relevant, and not excessive in proportion to the purpose of the data processing. ● Efforts should be made to limit the processed data to the minimum necessary.

PRINCIPLE OF PROPORTIONALITY

1. The consent of data subject has to be given; 2. The processing is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; 3. The processing is necessary for compliance with a legal obligation to which the PIC is subject; 4. The processing is necessary to protect vitally important interests of the data subject, including life and health; 5. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority […]; or 6. The processing is necessary for the purposes of the legitimate interests pursued by the PIC […], except where such interests are overridden by fundamental rights and freedoms of the data subject […]

PROCESSING OF SENSITIVE PERSONAL INFORMATION

RIGHTS OF THE DATA SUBJECT ● This is the right to be informed that your personal data shall be, are being, or have been processed. ● The disclosure must be made before the entry of the data into the processing system or at the next practical opportunity

Right to be INFORMED

DEFINITION OF TERMS ● The right to refuse to the processing of personal data. ● This includes the right to be given an opportunity to withhold consent to the processing in case of any changes or any amendment to the information supplied or declared.

Right to OBJECT

RIGHTS OF THE DATA SUBJECT The right to find out whether a PIC holds any personal data about you.

Right to ACCESS

RIGHTS OF THE DATA SUBJECT ● This involves the right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately. ● It also includes access to new and retracted information, and simultaneous receipt thereof. ● Recipients previously given erroneous data must be informed of inaccuracy and rectification upon reasonable request of the data subject.

Right to RECTIFICATION

RIGHTS OF THE DATA SUBJECT ● This is the right to suspend, withdraw, or order the blocking, removal, or destruction of his/her personal information from the PIC’s filing system ● The right to erase or block can be invoked in the following circumstances: ◼ There are data which are incomplete, outdated, false, or unlawfully obtained. ◼ The data was used for unauthorized purposes. ◼ The data is no longer necessary for purposes of collection. ◼ The processing of data was found to be unlawful. ◼ The PIC or PIP violated the rights of the data subject.

Right to ERASURE or BLOCKING

RIGHTS OF THE DATA SUBJECT ● This is the right to be receive compensation for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data. ● If there are circumstances where you discovered that your personal data was mishandled, you have the right to ask for compensation for the damage it has caused you.

Right to DAMAGES

RIGHTS OF THE DATA SUBJECT ● The right to obtain a copy of data undergoing processing in [a commonly used] electronic or structured format that allows for further use by the data subject. ● Takes into account the right to have control over personal data being processed based on consent, contract, for commercial purposes, or through automated means.

Right to DATA PORTABILITY

RIGHTS OF THE DATA SUBJECT The right to file a complaint in circumstances wherein the PIC or the PIP has breached the privacy of the data subject

Right to FILE A COMPLAINT

May a teacher/professor search the contents of a student’s cellular phone?

NO! Any search through a student’s cellular phone without justification under a law or regulation is UNLAWFUL, and may be considered as “unauthorized processing of data” However, there are exceptions: • If it was done with student’s consent [except if the student is a minor] • If it is required by the student’s life and health, or by national emergency.

Is an implied (indirect) form of consent valid? Example: “By continuing to avail of xxx products and services:, you explicitly “authorize xxx, its employees, duly authorized representatives, “related companies and third-party service providers, to use, process “and share personal data needed in the administration of your xxx”

NO! Consent under the Data Privacy Act has three requirements, none of which are seen in an implied consent: • Consent must be freely given; • Details about what consent is being asked must be specific; and • There must be an informed indication of will.

Are handwritten signatures considered sensitive personal information?

NO! It is possible that one may share a similar signature as another person. Moreover, some signatures do not, in any way, show signs of identity of a person. However, these may be considered personal information when used to identify an individual such as a signature affixed on the name of a person.

Are usernames, password, IP and MAC address, location cookies and birthday (month and day only) are considered personal information?

YES!* * Only when they are combined with other pieces of information that may allow an individual to be distinguished from others.

PROHIBITED ACTS OF R.A. 10173 Process (sensitive) personal information without the consent of the data subject or without being authorized under the Data Privacy Act or any other law.

Unauthorized processing of personal information and sensitive personal information

PROHIBITED ACTS OF R.A. 10173 Provided access to (sensitive) personal information due to negligence or was unauthorized under the Data Privacy Act or any existing law.

Accessing personal information and sensitive personal information due to negligence

PROHIBITED ACTS OF R.A. 10173 Negligently dispose, discard or abandon the (sensitive) personal information of an individual in an area accessible to the public or placed the (sensitive) personal information of an individual in a container for trash collection.

Improper disposal of (sensitive) personal information

PROHIBITED ACTS OF R.A. 10173 Process personal information for purposes not authorized by the data subject or not otherwise authorized by the Data Privacy Act or under existing laws.

Processing of personal information and sensitive personal information for unauthorized purposes

PROHIBITED ACTS OF R.A. 10173 Knowingly and unlawfully violate data confidentiality and security data systems where personal and sensitive personal information is stored.

Unauthorized access or intentional breach

PROHIBITED ACTS OF R.A. 10173 Discloses to a third party unwarranted or false information with malice or in bad faith relative to any (sensitive) personal information obtained by such PIC or PIP.

Malicious Disclosure

set of procedures and technological measures to ensure secure and efficient operation of information within an organization, both general and application controls for safeguarding information. These control activities are applied throughout an organization. The most important general controls are the measures that control access to computer systems and the information stored or transmitted over telecommunication networks. General controls include administrative measures that restrict employee access to only those processes directly relevant to their duties, thereby limiting the damage an employee can do.

Security controls

is about protecting things that are of value to an organization. Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.

IT security

Control Types Describes anything tangible that’s used to prevent or detect unauthorized access to physical areas, systems, or assets. This includes gates, access cards, CCTVs, and motion sensors

Physical controls

Control Types (also known as logical controls) Includes hardware or software mechanisms used to protect assets. Common examples are authentication solutions, firewalls, and antivirus software.

Technical controls

Control Types Refers to policies, procedures, or guidelines that define personnel or business practices in accordance with the organization's security goals. These can apply to the hiring and termination of employees, equipment and Internet usage, separation of duties, and auditing.

Administrative controls

Control Functions These is any security measure that is designed to prevent or stop any malicious activity from happening. These can be fences, alarms, and antivirus software.

Preventive Controls

Control Functions These is any security measure taken or implemented to detect and alert to unwanted or unauthorized activity in progress or after it has occurred. It can be alerting guards or notifications from a motion sensor.

Detective controls

Control Functions Any measures taken to repair damage or restore resources and capabilities following an unauthorized or unwanted activity. This may include rebooting the system, or terminating a process, or quarantining a virus.

Corrective controls

Fences, gates, locks

Physical and Preventive

CCTV and surveillance camera logs

Physical and Detective

Repair physical damage, re-issue access cards

Physical and Corrective

Firewall, IPC, MFA solution, antivirus software

Technical and Preventive

Intrusion detection systems, honeypots

Technical and Detective

Patch a system, terminate a process, reboot a system, quarantine a virus

Technical and Corrective

Hiring and termination policies, separation of duties, data classification

Administrative and Preventive

Review access rights, audit logs, and unauthorized changes

Administrative and Detective

Implement a business continuity place or incident response plan

Administrative and Corrective

UNIT 10 Flashcards

(116 cards)