
THE DATA PRIVACY ACT OF 2012 (R.A. 10173)

ATTY. KARL JOHN A. BAQUIRAN
WHAT IS PRIVACY?

Privacy, in its broadest sense, is about the right of an individual to be let alone.

Two main forms:
1. Physical privacy
2. Informational privacy
PHYSICAL PRIVACY
▪ The ability of a person to maintain their own physical space or solitude.
▪ Forms of intrusion:
  ▪ unwelcome searches of a person's home or personal possessions;
  ▪ bodily searches or other interference;
  ▪ acts of surveillance; and
  ▪ the taking of biometric information.
INFORMATIONAL PRIVACY
▪ The ability of a person to:
  o control
  o edit
  o manage
  o delete information
  o decide how and to what extent such information is communicated to others.
DATA PRIVACY ACT OF 2012
▪ An act protecting individual personal information in information and communications systems (ICS) in the government and the private sector.
SEC. 2. DECLARATION OF POLICY

It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
WHAT IS THE SCOPE OF THE LAW?
▪ Applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, subject to certain qualifications.
▪ Also applies to privileged communication.


NATIONAL PRIVACY COMMISSION
▪ To administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection.
KEY DEFINITIONS

PERSONAL INFORMATION
▪ Any information from which the identity of an individual is apparent; or
▪ can be reasonably and directly ascertained by the entity holding the information; or
▪ any information that can be put together with other information to reasonably and directly identify an individual.
SENSITIVE PERSONAL INFORMATION
▪ About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
▪ About an individual's health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
▪ Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
▪ Specifically established by an executive order or an act of Congress to be kept classified.


PRIVILEGED INFORMATION
▪ Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
PROCESSING
▪ Any operation or any set of operations performed upon personal information.
PERSONAL INFORMATION CONTROLLER (PIC)
▪ A person or organization who controls the collection, holding, processing or use of personal information.
▪ Also includes a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
PERSONAL INFORMATION PROCESSOR (PIP)
▪ Any natural or juridical person to whom a PIC may outsource the processing of personal data.
DATA SUBJECT
▪ An individual whose personal information is processed.
RIGHTS OF THE DATA SUBJECT

The data subject has the right to:
▪ Information
▪ Object
▪ Access
▪ Correct
▪ Erase
▪ Damages
▪ Data Portability
▪ File a Complaint


DATA PRIVACY PRINCIPLES
TRANSPARENCY
▪ A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data,
▪ including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised.
LEGITIMATE PURPOSE
▪ The processing of information shall be compatible with a declared and specified purpose.
PROPORTIONALITY
▪ The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
DATA SHARING
▪ The disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor.
▪ The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
DATA SHARING AGREEMENT (DSA)
▪ A CONTRACT, JOINT ISSUANCE or any similar document that contains the terms and conditions of a data sharing arrangement between two or more parties.
▪ Only PERSONAL INFORMATION CONTROLLERS (PICs) shall be made parties to a data sharing agreement.
CONTENTS OF A DSA
▪ Purpose/s of data sharing
▪ Identity of the Personal Information Controllers (PICs)
▪ Term or duration (not to exceed five (5) years)
▪ Overview of the operational details of the sharing or transfer of personal data
▪ General description of security measures
▪ How the data subject may access the DSA
▪ The PIC responsible for addressing information requests
▪ The method to secure the RETURN, DESTRUCTION or DISPOSAL of the shared data, and the timeline
▪ Other terms and conditions
OBLIGATIONS OF PICS & PIPS

OBLIGATIONS WHICH MUST BE COMPLIED WITH

ADVISORIES
▪ ADVISORY 2017-01: Designation of Data Protection Officers
▪ ADVISORY 2017-02: Access to Personal Data Sheets of Government Personnel
▪ ADVISORY 2017-03: Privacy Impact Assessment

CIRCULARS
▪ CIRCULAR 16-01: Security of Personal Data in Government Agencies
▪ CIRCULAR 16-02: Data Sharing Agreements Involving Government Agencies
▪ CIRCULAR 16-03: Personal Data Breach Management
▪ CIRCULAR 16-04: Rules of Procedure of the Commission
▪ CIRCULAR 17-01: Registration of Data Processing Systems & Notifications Regarding Automated Decision-Making
FINES & PENALTIES

CIVIL, ADMINISTRATIVE & CRIMINAL LIABILITIES
▪ Compliance and Enforcement Order
▪ Cease and Desist Order
▪ Temporary or Permanent Ban on the Processing of Personal Data
▪ Payment of Fines and/or Damages
▪ Imprisonment
▪ Deportation for Aliens
▪ Perpetual or Temporary Absolute Disqualification for Public Officials


THE FIVE PILLARS OF COMPLIANCE

1. COMMIT TO COMPLY: Appoint a Data Protection Officer (DPO)

DATA PROTECTION OFFICER (DPO)
▪ refers to an individual designated by the head of agency or organization to be accountable for its compliance with the Act, its IRR, and other issuances of the Commission.
2. KNOW YOUR RISK: Conduct a Privacy Impact Assessment (PIA)

PRIVACY IMPACT ASSESSMENT
▪ is a process undertaken to evaluate and manage the impact of a program, process and/or measure on data privacy.
3. BE ACCOUNTABLE: Create your Privacy Management Program and Privacy Manual

PRIVACY MANAGEMENT PROGRAM
▪ refers to a process intended to embed privacy and data protection in the strategic framework and daily operations of a PIC or PIP.


4. DEMONSTRATE YOUR COMPLIANCE: Implement your Privacy & Data Protection (PDP) measures

PDP MEASURES
1. Physical
2. Organizational
3. Technical Measures
5. BE PREPARED FOR BREACH: Regularly exercise your Breach Reporting Procedures (BRP)

BREACH MANAGEMENT
▪ Incident Management Policy
▪ Breach Response Team
▪ Mandatory Notification
▪ Breach Drills
IN CONCLUSION
▪ Privacy is one of the more highly valued rights of citizens.
▪ Compliance with data privacy and data protection regulations is considered a competitive advantage in business operations today.
▪ Compliance with the DPA is not a one-shot initiative but a process.
ANY QUESTIONS?
