Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

2024 Sylb D1_PM_20% Commercial & Tax > VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173) > Flashcards

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173) Flashcards

1
Q

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173)

A. Personal vs. Sensitive Personal Information (Section 3)

A

Comparing Personal vs. Sensitive Personal Information: 3 Key Differences and Similarities

A)
Similarities:

  1. Both are data about individuals:
    Both personal and sensitive personal information pertain to identifiable individuals. This could be through direct identifiers like names or ID numbers, or through indirect identifiers that, when combined, can point to a specific person.

B)
Differences:

  1. Sensitivity of the data:
    Here’s the key distinction. Personal information is GENERAL data about a Person, while sensitive personal information delves into PRIVATE aspects of someone’s LIFE.
  • Examples of Personal Information:** Name, address, phone number, email address, job title, company name.
  • Examples of Sensitive Personal Information:** Race, ethnicity, religion, political affiliation, health records, sexual orientation, genetic information, criminal history, social security number, passport number.
  1. Level of protection:
    Due to its sensitive nature, STRICTER regulations and protections typically surround SENSITIVE personal information. Organizations collecting or processing such data have higher legal requirements to ensure its security and privacy.
  2. Consent requirements:
    Consent for processing personal information might be required depending on the context.
    However, obtaining explicit consent is often essential when dealing with sensitive personal information.
  • Example: A company collecting customer names and email addresses for a newsletter falls under personal information.
    But if the company also asks for health information to personalize wellness recommendations, that ventures into sensitive personal information territory.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173)

B. Scope (Section 4)

A

Scope of the Philippine Data Privacy Act: A Summary

This section clarifies who and what the Data Privacy Act applies to:

1) Applicability:
* The Act applies to the processing of all types of personal information.
* Any individual or organization involved in processing personal information falls under the Act.
* This includes even foreign entities using equipment in the Philippines or having a local branch/office, provided they comply with specific requirements.

2) Exemptions:**
* The Act doesn’t apply to certain types of information, including:
* Government employee data related to their job functions (e.g., names, titles, salaries).
* Information about government contractors relevant to their contracted services.
* Data used for journalism, arts, literature, or research purposes.
* Personal information needed for government functions like law enforcement or granting licenses.
* Information required by banks and financial institutions to comply with anti-money laundering laws and credit information regulations.
* Personal information collected abroad and processed in the Philippines, if compliant with the originating country’s data privacy laws.

3) Examples:**
* A company collecting customer names and email addresses for marketing purposes is subject to the Act.
* A hospital processing patient medical records needs to comply with the Act’s regulations on handling sensitive personal information.
* A news organization interviewing people for a story wouldn’t be covered by the Act for that specific data collection, but would still need to consider journalistic ethics regarding privacy.
* Government agencies processing employee salaries or license applications are exempt for that specific data related to their official functions.

Key Point:
The Act aims to protect personal information while acknowledging exemptions for specific situations where privacy interests might be balanced with other legitimate purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173)

C. Processing of Personal and Sensitive Personal Information; Lawful Basis
(Sections 12-13)

A

Processing Personal and Sensitive Information under the Data Privacy Act: Key Points

These sections outline the legal grounds for processing personal information in the Philippines, with stricter requirements for sensitive data.

A)
Processing Personal Information (Sec. 12):**

  • Lawful Basis Required:**
    Processing personal information is only allowed if there’s a legal justification:
    * Consent (a): The data subject explicitly agrees to the processing (e.g., signing a consent form).
    * Contractual Necessity (b): Processing is necessary to fulfil a contract with the individual (e.g., processing customer data for an online purchase).
    * Legal Obligation (c): Processing complies with a legal requirement (e.g., reporting income to tax authorities).
    * Vital Interests (d): Processing protects essential interests like someone’s life or health (e.g., processing medical records in an emergency).
    * Public Interest (e): Processing serves a legitimate public purpose (e.g., processing census data).
    * Legitimate Interests (f): Processing benefits the data controller or a third party, as long as it doesn’t violate the data subject’s fundamental rights.

B)
Processing Sensitive Personal Information (Sec. 13):**
* Stricter Requirements: Processing sensitive information generally requires a higher bar for justification:
* Specific Consent (a): Explicit CONSENT SPECIFIC to the purpose of processing is needed from the data subject.
* Existing Law (b): Processing is authorized by specific laws or regulations that ensure data protection.
* Protecting Life/Health (c): Processing is necessary to safeguard the data subject or another person’s life or health when consent can’t be obtained.
* Limited Public Purposes (d): Processing serves specific public goals for qualified organizations (e.g., medical associations processing data for research), with limitations on sharing and requiring prior consent.
* Medical Treatment (e): Processing is necessary for medical care by a qualified professional, ensuring adequate data protection.
* Legal Proceedings (f): Processing is necessary for legal disputes or defending legal rights in court.

Examples:
* A company collecting customer names and email addresses for marketing needs consent (a) or legitimate interests (f) depending on the context.
* A hospital processing patient medical records requires consent (a) for specific purposes beyond general treatment, but might not need consent for sharing data anonymously for medical research (b) with proper anonymization techniques.
* A social media platform processing user browsing history for targeted advertising would likely rely on consent (a) or legitimate interests (f), but would need to balance this with user privacy rights.

Key Takeaway:
The Data Privacy Act promotes responsible data processing. Understanding the legal basis for processing personal and sensitive information is crucial for organizations to comply with the law and protect individual privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173)

D. General Data Privacy Principles (Section 11)

A

Key Points of the General Data Privacy Principles in the Philippines:

This rule outlines the core principles for handling personal information:

1) Transparency:**
* Organizations must be clear about why they collect personal data (e.g., privacy policy explaining data collection practices).

2) Legitimate Purpose:**
* Data collection must have a justified purpose relevant to the organization’s activities (e.g., collecting customer email addresses for order confirmations).

3) Proportionality:**
* The amount of data collected should be reasonable and not excessive for the intended purpose (e.g., not collecting a customer’s social security number for a simple online purchase).

4) Specific Requirements for Data:**
* (a) Purpose: Data collection must have a clear and predetermined purpose communicated to the data subject.
* (b) Fairness and Lawfulness: Processing must be conducted in a fair and legal manner according to the Act’s regulations.
* (c) Accuracy: Data should be accurate and updated when necessary. Inaccurate data needs to be corrected or deleted.
* (d) Data Minimization: The amount of data collected should be limited to what’s necessary for the specific purpose.
* (e) Retention Limits: Data shouldn’t be kept longer than necessary for the intended purpose, legal requirements, or legitimate business needs.
* (f) Secure Storage: Data should be stored securely and only identifiable for as long as necessary. Anonymized data for historical, statistical, or scientific research might be allowed under specific conditions.

Examples:

  • A social media platform should clearly state in its privacy policy why it collects user data (e.g., for personalized experiences and targeted advertising) and how it ensures responsible data handling.
  • An online store collecting customer names and addresses for order fulfillment adheres to the principle of legitimate purpose and data minimization.
  • A hospital keeping patient medical records for a specific treatment period follows the retention limits principle. After that period, the records should be securely archived or anonymized for research purposes, complying with relevant regulations.

Overall, these principles promote responsible data collection, processing, and storage, protecting individual privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

VII. DATA PRIVACY ACT OF 2000 (R.A. No. 10173)

E. Rights of Data Subject (Section 16)

A

Key Points on Rights of Data Subjects under the Data Privacy Act:

1)
Transparency and Information:
* Individuals (data subjects) have the right to be informed about the collection and processing of their personal information (a).
* Before or upon entering data into the system, the data subject should be provided with details such as:
* The type of personal information collected (b)(1).
* The purpose for processing the data (b)(2).
* How the data will be processed (b)(3).
* Who the data might be shared with (b)(4).
* How long the data will be stored (b)(7).
* Their rights to access, correction, and complaints (b)(8).

2)
Right of Access:
* Data subjects have the right to access their personal information held by the data controller (c).
* This includes details like:
* The specific content of their data (c)(1).
* The source of the data (c)(2).
* Any recipients the data has been shared with (c)(3).
* How the data was processed (c)(4).
* Justification for sharing the data (c)(5).
* Any automated decision-making using their data (c)(6).
* Last access and modification dates of their data (c)(7).

3)
Right to Rectification:
* Data subjects can challenge the accuracy of their personal information and request corrections from the data controller (d).
* The controller must promptly rectify any errors, ensuring both the original and corrected versions are accessible (d).
* The controller should also inform third parties who received the inaccurate data about the corrections (d).

4)
Right to Erasure (Right to be Forgotten):
* Data subjects can request the deletion or blocking of their personal information if it’s:
* Incomplete (e).
* Outdated (e).
* Incorrect (e).
* Unlawfully obtained (e).
* Used for unauthorized purposes (e).
* No longer necessary for the original collection purpose (e).

5)
Right to Indemnity:
* Data subjects can seek compensation for damages caused by inaccurate, incomplete, outdated, unlawfully obtained, or unauthorized use of their personal information (f).

  • Examples:
  • A customer has the right to know why a company collects their email address (transparency) and request access to see what marketing emails they’ve received (right of access).
  • If an individual discovers their credit report contains an error about their credit score, they can request the credit bureau to correct it (right to rectification).
  • Someone applying for a loan can request their bank to delete their loan application data after the loan decision is made (right to erasure), assuming it’s no longer needed.
  • If a data breach exposes personal information due to insufficient security measures, the affected individuals might be entitled to compensation for damages (right to indemnity).
  • Overall, the Data Privacy Act empowers individuals with control over their personal information, promoting responsible data handling practices.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Challenging Multiple Choice Questions on Personal vs. Sensitive Personal Information:

Question 1:

A social media platform collects user names, locations, and friend connections. This data is used to personalize user experiences and display targeted advertising. Does this scenario involve:

(a) Only personal information
(b) Only sensitive personal information
(c) Both personal and sensitive information
(d) None of the above

A

Answer: (a) Only personal information

Reasoning: While location data can be somewhat revealing, in this context, it’s not considered highly sensitive. User names, locations, and friend connections are generally classified as personal information used for commercial purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Question 3:

A company conducts employee surveys to gauge job satisfaction. The survey asks for feedback on work environment, management style, and optional demographic information (race, gender, age). Does this scenario involve:

(a) Only personal information
(b) Only sensitive personal information
(c) Both personal and sensitive information, depending on whether demographic information is provided.
(d) None of the above

A

Answer: (c) Both personal and sensitive information, depending on whether demographic information is provided.

Reasoning: Feedback on work environment and management style is personal information related to the employment context. However, demographic information like race, gender, and age can be sensitive depending on how it’s used. If the survey makes demographic information optional, it suggests a potential distinction between the two categories of data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Question 4:

A research institute is conducting a study on the relationship between blood pressure and dietary habits. Participants provide their names, contact information, blood pressure readings, and detailed dietary logs for the past month. Does this scenario involve:

(a) Only personal information
(b) Only sensitive personal information
(c) Both personal and sensitive information
(d) None of the above

A

Answer: (c) Both personal and sensitive information

Reasoning: Names and contact information are personal. However, blood pressure readings are health data and dietary habits can reveal personal choices related to health. This combination falls under both personal and sensitive information categories.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Question 2:

A website requires users to register by providing their name, email address, and date of birth. To access premium features, users must also submit their religious beliefs and past criminal history (if any). Does this scenario involve:

(a) Only personal information
(b) Only sensitive personal information
(c) Both personal and sensitive information
(d) None of the above

A

Answer: (c) Both personal and sensitive information

Reasoning: Name, email, and date of birth are personal information. However, religious beliefs and criminal history fall under the category of sensitive personal information as they delve into private aspects of a user’s life.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Challenging Multiple Choice Questions on Scope of Data Privacy Act:

Question 1:

A university is conducting a survey among its students to understand their preferred learning methods. The survey collects student ID numbers, preferred class times, and learning styles (visual, auditory, kinesthetic). Does this scenario fall under the scope of the Data Privacy Act?

(a) Yes, because the survey collects student ID numbers, which is personal information.
(b) No, because the survey is conducted internally within the university for educational purposes.
(c) Maybe, it depends on whether students are required to participate in the survey.
(d) None of the above.

A

Answer: (a) Yes, because the survey collects student ID numbers, which is personal information.

Reasoning: The Data Privacy Act applies to the processing of all types of personal information. In this case, student ID numbers are considered personal information as they can be used to identify individual students. Even though the survey is conducted for educational purposes, the Act still applies because it involves processing personal data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Question 2:

A company is developing a new fitness app and is recruiting beta testers. Participants will download the app, which tracks their exercise routines and stores their workout data on the company’s servers. Does this scenario fall under the scope of the Data Privacy Act?

(a) Yes, because the app collects and stores user exercise data, which is personal information.
(b) No, because users are consenting to participate in the beta testing program.
(c) Maybe, it depends on the specific security measures implemented by the company to protect user data.
(d) None of the above.

A

Answer: (a) Yes, because the app collects and stores user exercise data, which is personal information.

Reasoning: The Data Privacy Act applies to any organization processing personal information. In this case, the app collects user exercise data, which can be considered personal information as it reveals details about users’ health and fitness habits. Even though consent is obtained for beta testing, the Act still applies because it governs how personal information is collected, stored, and processed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

PERSONAL INFO VS SENSITIVE PERSONAL INFO

A

The top factor to consider when distinguishing between personal information and sensitive personal information is the sensitivity of the data itself.

Here’s the breakdown:

  • Personal Information: This is general data about an individual that can be used to identify them directly or indirectly. Examples include name, address, phone number, email address, job title, company name.
  • Sensitive Personal Information: This is a special category of personal information that delves into private aspects of a person’s life and deserves a higher level of protection. It typically refers to data that could lead to discrimination or cause significant harm if disclosed without proper consent. Examples include race, ethnicity, religion, political affiliation, health records, sexual orientation, genetic information, criminal history, social security number, passport number.

Why Sensitivity Matters:

The sensitivity of the data determines the level of protection and regulations surrounding its collection, storage, and processing. Sensitive personal information requires stricter safeguards due to the potential consequences of misuse. Organizations handling such data have higher legal obligations to ensure its security and privacy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Challenging Multiple Choice Questions on General Data Privacy Principles:

Question 1:

A social media platform collects user names, locations, and browsing history to personalize user experiences and display targeted advertising. This data collection practice most likely violates which principle:

(a) Transparency
(b) Legitimate Purpose
(c) Proportionality
(d) All of the Above

A

Answer: (c) Proportionality

Legal Reasoning: While transparency and legitimate purpose might be debatable depending on the platform’s privacy policy, the key issue here is proportionality. Collecting browsing history in addition to usernames and locations goes beyond what’s strictly necessary for personalization and targeted advertising. This raises concerns about collecting excessive data that could be used for broader profiling, potentially violating the principle of proportionality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Question 2:

A research institute conducts a study on consumer preferences. Participants provide their names, email addresses, and detailed information about their shopping habits (including preferred brands, typical spending amounts, and purchasing frequency). The research institute plans to store the data for 10 years for future studies on consumer trends. Does this scenario comply with the General Data Privacy Principles?

(a) Yes, as long as the participants have consented to the data collection.
(b) No, because the data retention period of 10 years is excessive.
(c) Maybe, it depends on the security measures implemented by the research institute.
(d) None of the Above.

A

Answer: (b) No, because the data retention period of 10 years is excessive.

Legal Reasoning: While consent might be obtained, the principle of retention limits comes into play. The research institute should justify why they need to store detailed shopping habit data for 10 years. It’s likely excessive for the stated purpose of studying consumer preferences. A shorter retention period with the option for anonymization for future research could be a more compliant approach.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Challenging Multiple Choice Questions on Processing Personal and Sensitive Information:

Question 1:

A fitness app requires users to create profiles with their names, contact information, and health goals (e.g., weight loss, muscle building). The app also tracks users’ exercise routines and stores their workout data on the company’s servers. Does this scenario require consent from users under the Data Privacy Act?

(a) No, because the app collects data for health and wellness purposes.
(b) Yes, for the user profile information (name, contact) but not necessarily for the workout data.
(c) Yes, for all the information collected by the app.
(d) None of the Above.

A

Answer: (c) Yes, for all the information collected by the app.

Legal Reasoning: User names, contact information, and health goals are all considered personal information. Workout data, revealing exercise routines and fitness progress, can also be considered personal information. Since the Data Privacy Act requires a legal basis for processing personal information, the app would need to obtain consent from users for all the data it collects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Question 2:

A university conducts research on the effectiveness of online learning modules. Students who participate in the study complete a survey with demographic information (age, gender, ethnicity) and answer questions about their experiences with the online modules. The university assures students that their responses will be kept anonymous. Does this scenario comply with the Data Privacy Act?

A

Answer: (b) Maybe, it depends on how the anonymity of the data is ensured.

Legal Reasoning: While the university claims anonymity, demographic information like age, gender, and ethnicity can still be considered sensitive personal information depending on the context. If the university can genuinely anonymize the data by removing any identifiers that could link the responses to individual students, then consent might not be strictly required under Section 13(f) for processing for research purposes. However, robust anonymization techniques are necessary to ensure compliance with the Act.

17
Q

Question 3:

A company is developing a new financial product and wants to conduct a focus group with potential customers. The focus group will discuss their financial habits, income levels, and risk tolerance. Does this scenario require specific consent from participants under the Data Privacy Act?

A

Answer: (a) Yes, because the focus group discussion will reveal sensitive personal information about financial habits and income levels.

Legal Reasoning: The discussion topics in the focus group, including financial habits, income levels, and risk tolerance, delve into sensitive personal information. Section 13(a) of the Data Privacy Act requires specific consent from participants before processing such information. The company should obtain clear and informed consent from participants, outlining how their data will be used and protected.

18
Q

Challenging Multiple Choice Questions on Rights of Data Subjects:

Question 1:

A social media platform collects user data like names, locations, and browsing history. A user requests access to their information under the Data Privacy Act. The platform provides the user with a list of their names and locations but excludes browsing history data. Is this scenario compliant with the Act?

(a) Yes, the platform has provided some of the requested information.
(b) No, the user has a right to access all their personal information held by the platform.
(c) Maybe, it depends on whether the user consented to the collection of browsing history.
(d) None of the Above.

*

A

Answer: (b) No, the user has a right to access all their personal information held by the platform.

Legal Reasoning: Section (c) of the Act grants data subjects the right to access their personal information. This includes all data collected and processed by the organization, not just specific elements. Browsing history, if collected, would be considered personal information. The user has the right to see all the data the platform holds about them, even if they consented to its collection initially.

19
Q

*Question 2:**

A customer discovers a mistake in their credit card billing statement. They believe the error might be due to outdated personal information stored by the bank. The customer contacts the bank and requests to rectify their personal information under the Data Privacy Act. The bank asks the customer to fill out a separate form for updating account information. Does the bank need to follow a specific procedure for rectification under the Act?

(a) Yes, the bank should immediately correct the information in the system without any additional forms.
(b) No, the bank can implement its own procedures for handling rectification requests.
(c) Maybe, it depends on the severity of the error in the customer’s information.
(d) None of the Above.

A

Answer: (b) No, the bank can implement its own procedures for handling rectification requests, but within reason.

Legal Reasoning: While Section (d) of the Act grants the right to rectification, it doesn’t mandate a specific procedure for the organization. However, the bank’s process shouldn’t be excessively burdensome or hinder the user’s right to have their information corrected promptly. The bank should have a clear and accessible process for handling rectification requests.

20
Q

Question 3:

A company collects customer email addresses for sending promotional newsletters. A customer unsubscribes from the newsletter mailing list but continues to receive marketing emails from the company. Can the customer request the deletion of their email address under the Right to Erasure of the Data Privacy Act?

(a) Yes, because the customer has unsubscribed and the data is no longer necessary for the original purpose.
(b) No, the company can keep the email address for future marketing campaigns.
(c) Maybe, it depends on whether the customer explicitly requested deletion in the unsubscribe process.
(d) None of the Above.

A

Answer: (a) Yes, because the customer has unsubscribed and the data is no longer necessary for the original purpose.

Legal Reasoning: The Right to Erasure (Section (e)) allows data subjects to request the deletion of their information if it’s no longer necessary for the purpose it was collected for. Since the customer unsubscribed from the mailing list, the company no longer has a legitimate reason to keep their email address for sending promotional newsletters. The customer’s request falls under the Right to Erasure, and the company should delete the email address upon request.

21
Q
A
22
Q
A
23
Q
A
24
Q
A
25
Q
A

2024 Sylb D1_PM_20% Commercial & Tax (12 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions