ASSESS

Section 25: Unauthorized Section 25: Unauthorized Section 25: Unauthorized

Processing of Personal and Processing of Personal and Processing of Personal and
Sensitive Personal Sensitive Personal Sensitive Personal
Information Information Information

The student nurse copied the files The student nurse presented the case The student nurse disclosed the case
written in the chart without the of the patient in school for her of the patient in her school without
permission from the patient. research project without the consent of the patient.
authorization by the patient.

What are the identified threat and breach in data security?

SEC. 25. Unauthorized Processing of SEC. 28. Processing of Personal and SEC. 32 Unauthorized SEC. 33 Combination or
Personal and Sensitive Personal Sensitive Personal Information for Disclosure Series Of Acts
Information Unauthorized Purposes

Any person who processes
personal information without
the consent of the data
subject, or without being
authorized under this Act or
any existing law.
Any person who processes
personal information for
purposes not authorized by
the data subject, or otherwise
authorized under this Act or
under existing laws.
Any personal information controller or Any combination or series of
personal information processor or any
acts as defined in Sections 25
of its officials, employees or agents,
who discloses to a third party personal to 32 being violated.
or sensitive personal information not
covered by the immediately preceding
section without the consent of the data
subject.

What are the penalties?

Section 25: Unauthorized Section 28: Processing of Section 32: A disclosure of Section 33: Any combination
processing of personal personal information and information to an individual or series of acts as defined
sensitive personal information
sensitive personal with no authorization to in Sections 25 to 32:
for unauthorized purposes: (1)
information: :ONE (1) YEAR receive it: (1) YEAR TO THREE SUBJECT TO IMPRISONMENT
YEAR AND SIX (6) MONTHS TO
TO THREE (3) YEARS AND A FIVE (5) YEARS AND A FINE OF (3) YEAR AND A FINE OF NOT RANGING FROM THREE (3)
FINE OF NOT LESS THAN NOT LESS THAN FIVE HUNDRED LESS THAN FIVE HUNDRED YEARS TO SIX (6) YEARS AND
FIVE HUNDRED THOUSAND THOUSAND PESOS THOUSAND PESOS A FINE OF NOT LESS THAN
PESOS (PHP500,000.00) BUT (PHP500,000.00) BUT NOT MORE (Php500,000.00) BUT NOT ONE MILLION PESOS
NOT MORE THAN TWO THAN ONE MILLION PESOS MORE THAN ONE MILLION (PHP1,000,000.00) BUT NOT
(PHP1,000,000.00)
MILLION PESOS PESOS (Php1,000,000.00) MORE THAN FIVE MILLION
(PHP2,000,000.00) PESOS (PHP5,000,000.00)

What are a few managements?

Section 25 and Section 28 Section 32

To avoid violating these sections, the student The student nurse could also have asked
nurse could have first secured permission from
permission from the patient if it is okay
the patient, and even from the hospital, before
to present his/her case in the school for a
copying the files or information written in the
chart. research project. Disclosing one's
The student nurse could also have acquired an personal information without the
informed consent from the patient and the consent of the patient may guarantee the
hospital. Obtaining informed consent is a must student nurse a penalty.
because it is where the patient and the hospital
give their permission to use the information in
the chart. With that, the student nurse could
have avoided violating the Data Privacy Act.