What is the Data Privacy Act?

Republic Act No. 10173, otherwise known as the Data Privacy Act is a law that seeks to protect all forms of information, be it
private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal
information.

What is the scope of the Data Privacy Act?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical persons involved in the processing of personal
information. It also covers those who, although not found or established in the Philippines, use equipment located in the
Philippines, or those who maintain an office, branch, or agency in the Philippines.

What is processing of personal information?

Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any set of operations performed upon personal
information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data.”

In other words, processing of personal information is any operation where personal information is involved. Whenever your
information is, among other things, collected, modified, or used for some purpose, processing already takes place.

What is personal information?

nder Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any information whether recorded in a material form or
not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an individual.”

In other words, personal information is any information which can be linked to your identity, thus making you readily
identifiable.
What is privileged information?

Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms of data which under the Rules of
Court and other pertinent laws constitute privileged communication.” One such example would be any information given by a
client to his lawyer. Such information would fall under attorney-client privilege and would, therefore, be considered privileged
information.

Does the difference between personal information and sensitive personal information matter?

Yes. The law treats both kinds of personal information differently. Personal information may be processed, provided that the
requirements of the Data Privacy Act are complied with. On the other hand, the processing of sensitive personal information is,
in general, prohibited. The Data Privacy Act provides the specific cases where processing of sensitive personal information is
allowed.

Is there a difference between personal information and sensitive personal information?

Yes. While personal information refers to information that makes you readily identifiable, sensitive personal information, as

defined in Sec. 3(l) of the Data Privacy Act, refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or

alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such

proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous

or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

Therefore, any information that can be categorized under any of the enumerated items are considered sensitive personal

information.

Are there any exceptions to the application of the Data Privacy Act?

The Data Privacy Act explicitly states that its provisions are not applicable in the following cases:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the

position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to

the services performed, including the terms of the contract, and the name of the individual given in the course of the

performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the

government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data

for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their

constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed

Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the

Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary

authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended,

otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign

jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Are companies required to appoint someone who should be responsible for ensuring compliance with the Data Privacy Act?

Yes. Under the Implementing Rules and Regulations of the Data Privacy Act, all organizations are required to appoint a Data
Protection Officer (“DPO”). The Data Protection Officer shall be accountable for ensuring compliance with the appropriate data
protection laws and regulations.

Can there be more than one person who shall perform the functions of a Data Protection Officer in a organization?

Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an individual or individuals who shall perform
the functions of a Data Protection Officer or a Compliance Officer.
How is privileged information treated by the Data Privacy Act?

Much like sensitive personal information, the processing of privileged information is prohibited by the law.

What are the cases where the processing of sensitive personal information and privileged information is allowed?

Section 13 of the Data Privacy Act enumerates the cases where sensitive personal information and privileged information may

be processed. These are the following:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged

information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments

guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the

consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal

information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not

legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their

associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or

their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided,

finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical

treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural

or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to

government or public authority.

2ND LINK

NPC PHE Bulletin No. 15: Guidelines for Establishments on the

Proper Handling of Customer and Visitor Information for Contact
Tracing

Pursuant to DTI Memorandum Circular 20-28, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons) and
DTI Memorandum Circular 20-37, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood
Establishments), establishments are required to implement contact tracing measures as one of the mandatory minimum requirements for
operation. The National Privacy Commission (NPC) issues this Bulletin to guide establishments on the proper handling and protection of
personal data collected from their customers and visitors.

Collect only what is necessary

Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such
information as required under existing government issuances. Establishments may adopt sample health checklist forms issued by government
agencies but should not collect beyond what is required and necessary.

Be transparent
Establishments should inform their customers and visitors of the collection of their personal data and the reasons for such collection. This can
be done by posting a privacy notice which is readily visible within the establishment’s premises, such as points of entry, and other
conspicuous areas. If the establishment opts to use electronic means, the notice must be posted in the platform prior to collection.

For further information on the processing activity, establishments may direct their customers and visitors to their official websites or social
media pages, as well as official websites of pertinent government agencies to provide them with information on the possible uses of their
personal data for contact-tracing purposes.

Establishments must ensure that the privacy notice is easy to access, understandable, and uses clear and plain language.
Use information only for the declared purpose
All establishments should use only the personal data collected through health checklists or other similar forms for the purpose of contact-
tracing measures. Repurposing the use of data other than contact tracing and storing data for speculative use is not allowed.

Establishments are responsible for reminding their employees and third-party service providers, such as security personnel, that using the
collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012 (DPA).

Implement security measures

All establishments that collect personal information, whether through physical or electronic means, have the obligation to implement
reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of their
customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.

Keep the data only for a limited period

All personal data collected for the purpose of contact tracing shall be retained only for a period allowed by existing government issuances.
After which, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access or
disclosure.

For further information, we may be reached at info@privacy.gov.ph.

3RD LINK

DATA PRIVACY ACT is not a hindrance in contact tracing

 Hospitals have the duty to disclose the necessary COVID patient details to LGU contact tracers following the DOH guidelines.
 COVID patients should be truthful in providing accurate personal details.
 In this pandemic, public health and data privacy are on the same side.

The National Privacy Commission (NPC) reiterates that the Data Privacy Act (DPA) is not a hindrance to contact tracing initiatives, saying
that it seeks to protect individuals from discrimination, harassment, and acts of social vigilantism amid the COVID-19 pandemic.

“We want to clarify that the DPA does not prevent hospitals from sharing a COVID-19 patient’s data to proper authorities. The law
recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic,
public health and data privacy are on the same side,” Privacy Commissioner Raymund E. Liboro said.

“The DPA should not be used as an excuse for not providing COVID patient data necessary for LGU contact tracing that we need to combat
the pandemic,” Liboro noted that hospitals were mandated to collect information from patients and provide it to the authorities under the
guidelines set by the Department of Health (DOH). “Likewise, we call on the individuals affected by COVID to be truthful when providing
accurate health information,” he added.

Department Memorandum 2020 – 0189 of the DOH, or the Updated Guidelines on Contact Tracing of Close Contacts of Confirmed
Coronavirus Disease Cases, says that “health facilities, public and private, shall cooperate fully with the DOH – Epidemiology Bureau and its
regional and local counterparts by ensuring that Local Contact Tracing Teams (LCTTs) are provided access to medical records, facilitating
case interviews, and conducting other case investigation and contact tracing activities.” When providing training to LCTTS, local government
units must include the secure handling of personal data that was collected.

Liboro emphasized that public and private health institutions, companies, and individuals involved in the COVID response must “collect and
process what is necessary and disclose data only to the proper authorities.”

“The NPC has provided public health emergency bulletins, advisory opinions as guidance for personal information controllers, especially
healthcare providers. Our Commission has been coordinating closely with the Department of Health to ensure that the DPA will not be an
obstruction in the proper conduct of contact tracing,” the NPC chief said.
In Advisory Opinion 2020 – 022, a response to the request of the Private Hospitals Association of the Philippines, Inc. for clarification of
contact tracing protocols, the Commission cited as bases DOH’s Updated Guidelines on Contact Tracing, which limits the disclosure of
COVID-19 personal data, and the DOH-NPC Joint Memorandum Circular (JMC) on the Privacy Guidelines on the Processing and Disclosure
of COVID-19 Related Data for Disease Surveillance and Response.

The guidelines provide that disclosure of patient identifiers or data is allowed but limited only to authorized entities, officers, and personnel.

Any disclosure must serve “a public purpose or function” that would allow relevant authorities to reach those who may have come into close
contact with a COVID-19 positive individual so they may be promptly alerted and provided preventive counseling or care.

The guidelines prohibit disclosure of names and other personal identifiers that can single out a patient to the public, the media, or any other
public-facing platforms without the patient’s written consent or his/her authorized representative or next of kin.

Risks of publicly naming infected individuals

The DOH and NPC advise against publicly naming data subjects suspected of having contracted COVID-19 or confirmed positive for the
disease connected with contact tracing efforts.

“Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which
suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions, leading
to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result to better contact tracing, and
will put more lives of front liners at risk,” Liboro said.

The latest NPC advisory opinion on contact tracing reiterated that collection and processing of data must be fully aware of the principles laid
out by the DPA and that secure disposal of personal data from records, whether manually or digitally obtained, must be done once the purpose
of their collection had been achieved.

Liboro also reasserted the points in NPC Bulletin No. 3 issued in March.

“Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times, to
preserve the basic right of people to data privacy and protection, and build trust,” he said.
4TH LINK

Managing Mobile App Permissions

Whenever Valentine’s Day comes around, there is a surge in usage of dating apps 1. In 2017, a dating app recorded a 20%2 usage increase at this time of year and it
is expectd to rise again in 20203.

To create an account, most apps require a user to fill out an online form or to connect through an existing social media account (e.g. Facebook or Twitter) to verify
one’s identity. This way, dating apps gain access to and control of the user’s personal data.

In recent years, vulnerabilities that would put users’ personal data at risk have been uncovered. Though subscribing to a dating app may seem harmless, it is
important to remember that it may adversely affect the users’ reputation and privacy.

According to the Open Web Application Security Project (OWASP) 4, mobile applications are more susceptible to attacks than regular web applications. By
downloading these applications, users unknowingly expose themselves to privacy risks.

In most cases, users are forced to accept permissions through an all-or-nothing approach (i.e. they cannot authorize just a subset of the requested permissions or
cancel the installation of the selected application). Likewise, mobile app permissions are not well-defined to users (e.g. the permission SEND SMS allows an app
to send SMS messages both to normal and premium numbers – not giving any options to users), making authorization decisions more difficult.

It should be noted that the inclusion of application permissions in privacy notices does not equate to transparency. In some cases, an application’s declared
permissions are not consistent with those required.

1
 https://www.gmanetwork.com/news/video/ijuander/421595/ijuander-may-forever-sa-tinder/video/
2
 https://www.abc.net.au/news/2018-02-13/valentines-day-heats-up-online-dating-activity/9424450
3
 https://technology.inquirer.net/46586/loveless-filipinos-turn-to-dating-apps-for-action
4
 https://owasp.org/www-project-vulnerable-web-application/

Security Measures/Risk Mitigation:

Mobile applications bring convenience to users, improve how organizations provide services to customers and maximize smartphone technology. But these
benefits must not come at the expense of users’ data privacy rights.
The following are things to consider when using apps:

 Read privacy notices. A privacy notice will give you insights into how your data will be processed, the nature and extent of processing, your rights as
data subjects and how you may exercise these rights.
 Be mindful of the data you provide: Blank fields are enticing to accomplish but not all fields are meant to be filled out. Provide data that are only
necessary to the application’s function.
 Always check your privacy settings: Immediately after installation, take advantage of the applications’ privacy settings. This allows you to control who
sees any information about you. Tweak the settings to improve your privacy and security.
 Check the permissions: The majority of these applications collect excessive permissions – permissions that are not necessary for the applications to
perform their functions. Excessive permissions may result in potential risks. You must disable all unnecessary and suspicious permissions before using an
application.
 Be careful of the people you meet: These days, it is easy to meet people online. You must be vigilant when using these applications and avoid sharing
too much personal information.

There is a lack of transparency when explaining purpose of processing and final disposal of personal data collected by mobile apps. Privacy notices are not easy to
read. Some are legal in nature and too long. Others refer to the blanket privacy notice of the entire organization, making it difficult for data subjects to read
through it. In addition, certain mobile applications seek permissions that are not relevant to their functions.

Moreover, a majority of the applications do not provide a privacy notice before users sign up or create an account. Also, there are no standards for mobile
application development which result in a developer’s tendency to seek excessive permissions.

In summary, the convenience that comes with using a mobile application may be the most unrecognized threat to privacy. Users often enjoy the convenience at
the expense of their data privacy. People easily grant permissions to an Android app without carefully reading the terms and conditions.

Share this:
5th LINK

UPDATED: PRESS STATEMENT OF PRIVACY

COMMISSIONER RAYMUND ENRIQUEZ LIBORO ON
FACEBOOK’S LATEST BREACH
1. At around 12:49 AM of September 28, we received informal notice from Facebook representatives that they had found a vulnerability in
their app that was exploited by malicious attackers.

2. Facebook claims that the vulnerability affected around fifty million users, exposing personal data stored in their Facebook profiles.

3. The vulnerability was attributed to a combination of several programming errors in updates made in July 2017. As a result, malicious
intruders were able to generate access tokens.

4. These access tokens allowed the intruders to log into affected FB profiles as if they were the actual profile holders. This means they had the
ability to access data reserved for account holders even without having to enter the user’s password.

5. As a remediation measure, FB terminated the sessions of persons it identified as having been affected and had them enter their login
credentials again. This morning, the company has notified affected users of the incident. We have informed Facebook, however, that the
notification it sent to individuals leaves much to be desired.
6. According to the company’s representatives, the investigation is still in its early stages. They have not determined yet how many Filipinos
are affected and whether misuse of personal information had resulted from this breach.

7. The NPC has prescribed breach management procedures in place and we expect Facebook to abide by these rules.

8. The NPC shall notify the public about developments and its actions on this matter. To protect themselves, all Facebook users must enable
multi-factor authentication on all platforms, employ strong passwords, and practice good digital hygiene. For more information on how to
love yourself online, see https://www.privacy.gov.ph/30-ways/

Privacy Commissioner Raymund Enriquez Liboro