Joan M. Villo MSIT 611

Research about the Data Privacy Act 2012

In 2012 the Philippines passed the Data Privacy Act 2012, comprehensive and strict privacy
legislation “to protect the fundamental human right of privacy, of communication while ensuring
free flow of information to promote innovation and growth.” (Republic Act. No. 10173, Ch. 1,
Sec. 2). This comprehensive privacy law also established a National Privacy Commission that
enforces and oversees it and is endowed with rulemaking power. On September 9, 2016, the
final implementing rules and regulations came into force, adding specificity to the Privacy Act.

Briefly describe the following:

• Scope and application

The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application,
applying not only to businesses with offices in the Philippines, but also when equipment
based in the Philippines is used for processing. The act further applies to the processing
of the personal information of Philippines citizens regardless of where they reside.[1] In
our world today, especially now that we are facing a pandemic, our only weapon is to stay
at home, and some of us who have access to the internet can do whatever they want. The
DPA is “to protect the fundamental human right of privacy, of communication while
ensuring free flow of information to promote innovation and growth.” (Republic Act. No.
10173, Ch. 1, Sec. 2)

One exception in the act provides that the law does not apply to the processing of personal
information in the Philippines that was lawfully collected from residents of foreign jurisdictions
— an exception helpful for Philippines companies that offer cloud services.

• Approach

The Philippines law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

• Provisions on Collection

The act states that the collection of personal data “must be a declared, specified, and legitimate
purpose” and further provides that consent is required prior to the collection of all personal
data. It requires that when obtaining consent, the data subject be informed about the extent
and purpose of processing, and it specifically mentions the “automated processing of his or her
personal data for profiling, or processing for direct marketing, and data sharing.” Consent is
further required for sharing information with affiliates or even mother companies.

• Provision on Processing

Processing does not always require consent. Consent is not required for processing where
the data subject is party to a contractual agreement, for purposes of fulfilling that
contract. The exceptions of compliance with a legal obligation upon the data controller,
protection of the vital interests of the data subject, and response to a national emergency
are also available.

• Provision on Consent

Consent must be “freely given, specific, informed,” and the definition further requires
that consent to collection and processing be evidenced by recorded means. An exception
to consent is allowed where processing is necessary to pursue the legitimate interests of
the data controller, except where overridden by the fundamental rights and freedoms of
the data subject.

• What are Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

• About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;
• About an individual’s health, education, genetic or sexual life of a person, or to any
proceeding or any offense committed or alleged to have committed;
• Issued by government agencies “peculiar” (unique) to an individual, such as social
security number;
• Marked as classified by executive order or act of Congress.

All processing of sensitive and personal information is prohibited except in certain
circumstances. The exceptions are:

• Consent of the data subject;
• Pursuant to law that does not require consent;
• Necessity to protect life and health of a person;
• Necessity for medical treatment;
• Necessity to protect the lawful rights of data subjects in court proceedings, legal
proceedings, or regulation.

• Define: “security incident” and “personal data breach”

The law defines “security incident” and “personal data breach,” ensuring that the two are
not confused. A “security incident” is an event or occurrence that affects or tends to
affect data protection, or may compromise availability, integrity or confidentiality. This
definition includes incidents that would result in a personal breach, if not for safeguards
that have been put in place.

A “personal data breach,” on the other hand, is a subset of a security breach that actually
leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of,
or access to, personal data transmitted, stored, or otherwise processed.”

Source:

1. https://iapp.org/news/a/summary-philippines-data-protection-act-and-implementing-regulations/
