THE DATA PRIVACY ACT OF 2012

Leandro Angelo Aguirre
Deputy Privacy Commissioner

National Privacy Commission


What is private then – what is found within the four corners of your home and within the confidentiality of communication.

What is private now - what a person knowingly exposes to the public, even in his own house or office, is not what is private, but what he seeks to preserve as private, even in a public area...
DATA PRIVACY IS ABOUT

1. PEOPLE, NOT PLACES
2. A PERSONAL CHOICE
3. CONTROL, NOT SECRECY
4. THE RIGHT TO BE LEFT ALONE
The 4th Industrial Revolution:
Data as the new oil of the digital economy?
DATA PROTECTION
CONFIDENTIALITY
AVAILABILITY
INTEGRITY
COMPLIANCE

DATA PRIVACY
ACCOUNTABILITY
ASSURANCE
OPERATIONAL COMPLIANCE
DEMONSTRABLE COMPLIANCE
PROCESSING PERSONAL INFORMATION CAN CREATE PROBLEMS FOR INDIVIDUALS

• loss of trust
• loss of self-determination
• loss of autonomy
• loss of liberty
• exclusion
• physical harm
• discrimination
• stigmatization
• power imbalance
WHAT DOES THE LAW SAY?

The law upholds the right to privacy by protecting individual personal information.

The National Privacy Commission protects individual personal information by regulating the processing of personal information.
SEC. 4
THE SCOPE OF DPA 2012

Applies to the processing of all types of personal information, in the country and even abroad, subject to certain qualifications.
PERSONAL INFORMATION

Any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Section 12
Conditions under which processing Personal
Information is allowed…
SENSITIVE PERSONAL INFORMATION

(1) race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) health, education, genetic or sexual life of a person;
(3) civil, criminal or administrative proceedings;
(4) Unique identifiers issued by government agencies peculiar to an individual;
(5) Specifically established by law as classified.
Section 13
Processing of Sensitive Personal
Information is prohibited except in the
following cases…
PROCESSING

Any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
PERSONAL INFORMATION CONTROLLER

A natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf.
PERSONAL INFORMATION CONTROLLER

It excludes: A natural person who processes personal data in connection with his or her personal, family, or household affairs.
PERSONAL INFORMATION PROCESSOR

Any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
OBLIGATIONS of PICs

1. The PIC should collect personal information for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection.

2. The PIC should collect and process personal information adequately and not excessively.

3. The PIC should process personal information fairly and lawfully, and in accordance with the rights of a data subject.

4. The PIC should process accurate, relevant and up to date personal information.

OBLIGATIONS of PICs

5. The PIC should retain personal information only for as long as necessary for the fulfillment of the purposes for which the data was obtained. The information should be kept in a form which permits identification of data subjects for no longer than is necessary.

6. The PIC must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information.
DATA SUBJECT

An individual whose personal, sensitive personal or privileged information is processed.

• Right to be Informed
• Right to Access
• Right to Object
• Right to Rectification
• Right to Erasure or Blocking
• Right to Damages
• Right to Data Portability
• Right to File A Complaint
DATA PRIVACY PRINCIPLES

TRANSPARENCY
LEGITIMATE PURPOSE
PROPORTIONALITY
TRANSPARENCY

A data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
LEGITIMATE PURPOSE

The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.
CONSENT OF THE DATA SUBJECT

Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
Consent

• The data subject agrees to the collection and processing
  - Freely given
  - Specific
  - Informed indication of will

• Evidenced by written, electronic or recorded means:
  - signature
  - opt-in box/clicking an icon
  - sending a confirmation email
  - oral confirmation
Consent

• Consent means giving data subjects genuine choice and control over how a PIC uses their data.

• Consent should be unbundled from other terms and conditions (including giving granular consent options for different types of processing) wherever possible.

• Clear affirmative action means someone must take deliberate action to opt in.
Unbundled Consent
Granular Consent
[ ] I have read and agreed to the terms and conditions stated above.

[ ] We may contact you about products and services you may like unless you click to opt out.

This consent form is confusing as the first tickbox asks for positive action to signify agreement, while the second asks for a positive action to signify refusal.

[ ] I’d like to receive exclusive discounts and updates from XYZ by email, post, and SMS.

[ ] Please untick this box if you would not like to receive emails from XYZ on offers and news.
PROPORTIONALITY

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
THE FIVE PILLARS OF COMPLIANCE
Unauthorized Processing of Personal Information and Sensitive Personal Information.

Personal Information: Imprisonment ranging from one (1) year to three (3) years AND Fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)

Sensitive Personal Information: Imprisonment ranging from three (3) years to six (6) years AND Fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)
Accessing Personal Information and Sensitive Personal Information Due to Negligence.

Personal Information: Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)

Sensitive Personal Information: Imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)
Improper Disposal of Personal Information and Sensitive Personal Information

Personal Information: Imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00)

Sensitive Personal Information: Imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00)
Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.

Personal Information: Imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00)

Sensitive Personal Information: Imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
Unauthorized Access or Intentional Breach

The penalty of Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).
Concealment of Security Breaches Involving Sensitive Personal Information

The penalty of Imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
Unauthorized Disclosure

Imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
Combination or Series of Acts

Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).
Large-Scale

The maximum penalty in the scale of penalties respectively provided for the offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.
EXTENT OF LIABILITY?

Corporation
If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime.
AVOIDING LIABILITY
THE NPC DATA PRIVACY ACCOUNTABILITY AND COMPLIANCE FRAMEWORK

I. GOVERNANCE
  A. Choose a DPO

II. RISK ASSESSMENT
  B. Register
  C. Records of processing activities
  D. Conduct PIA

III. ORGANIZATION
  E. Privacy Management Program
  F. Privacy Manual

IV. DAY TO DAY
  G. Privacy Notice
  H-O. Data Subject Rights
  P. Data Life Cycle

V. DATA SECURITY
  Q. Organizational
  R. Physical
  S. Technical
    - Data Center
    - Encryption
    - Access Control Policy

VI. BREACHES
  T. Data Breach Management
    - Security Policy
    - Data Breach Response Team
    - Incident Response Procedure
    - Document
    - Breach Notification

VII. THIRD PARTIES
  U. Third Parties
    - Legal Basis for Disclosure
    - Data Sharing Agreements
    - Cross Border Transfer Agreement

VIII. MANAGE HR
  V. Trainings and Certifications
  W. Security Clearance

IX. CONTINUITY
  X. Continuing Assessment and Development
    - Regular PIA
    - Review Contracts
    - Internal Assessments
    - Review PMP
    - Accreditations

X. PRIVACY ECOSYSTEM
  Y. New technologies and standards
  Z. New legal requirements
The Data Privacy Golden Rule

If you can't protect it, don't collect it.
Thank you!

facebook.com/privacy.gov.ph
twitter.com/privacyPH
info@privacy.gov.ph
