
Well, notwithstanding, I really appreciate this, because I know you have a full schedule and you do quite a lot of traveling, so this is really super appreciated. So first off, first question: did you ever think you would be a data protection officer? Perhaps you can share with my students your professional journey. Probably let's start with your undergrad course, and what did you do soon after graduation? So the floor is yours.

Okay, so thank you, Professor Mia, for having me over. And frankly, I never thought that I would end up as DPO. As a matter of fact, when I was taking up accountancy in my undergraduate, there was no internet yet, so, you know, data privacy wasn't in the area. Immediately after college I joined an NGO as project accountant, and after that I went into sales. And then I worked also in the bank, so when you told me that I'd be talking about the application of the Data Privacy Act in the banking industry, this has somehow piqued my interest. I worked there as a CASA bookkeeper, you know, a current account, savings account keeper, but since the salary of government was very young by then and an offer from the private sector for credit investigator came in, I transferred as a CI, credit investigator. And while in law school I had to quit my CI job, because I had to travel a lot and had to attend my law classes. I was taken in by the University of the Cordilleras as legal researcher for the university legal counsel.
Yeah, wow, what a journey. So you were a working student, actually. In one of my sections, the banking section, a lot of my students are really working students, so I think you telling them that is really appreciated; they can go a long way, really. But I didn't know your sort of banking background, so this is such a perfect fit. Okay, so being DPO, you are, to my mind, a trailblazer. That is very courageous, taking on a job where neither your undergrad course, which is accountancy, nor your work experience has anything to do with data privacy law, I guess because, you said, there was no internet and of course when you were in school there was no data privacy law. So how did you end up being in the data privacy field? It is definitely a new field of specialization, and it strikes me like it's an on-the-job kind of training slash specialization.
Yes, actually it was the president, the new president of the university, that picked me up for the job. She was formerly the dean of Information Technology; that's why maybe the application of and compliance with the Data Privacy Act of 2012 was important to her. And the first thing she realized was that the university had no DPO, and this is a basic requirement of the law. So she wanted someone who had a background in law, in HR (because I used to be HR director also of UC), and someone who understands IT, because when you look at the application of the Data Privacy Act, the DPO is really someone who wears many hats, and she thought that maybe my experience and my academic preparation fit me.
Wow, so she thinks she cannot choose a better person; you are all of those rolled into one. And until now I did not quite realize that those are really, in a sense, being DPO you struggle, you know, you cut across different platforms. So probably in my case, I'm a lawyer, but definitely I'm nothing in IT, I don't have any background in HR, so probably I will flunk being a DPO. But okay, I do not wish to spoil the conversation any further, so I would like you now to start your presentation with my class. So class, let us please welcome Attorney Rayne Ramos, a man of many skills, a man of many passions, who has journeyed far and wide. He is the data protection officer of the University of the Cordilleras. So Rayne, the platform is yours.

Thank you for that introduction, Professor Mia. So let's start, class.

So next slide, please. Okay, so what I am asked to do today is to help you navigate the Data Protection Act in relation to banking laws. Okay, so next slide, please. What is the basis for the Data Protection Act of 2012? Of course this is Republic Act 10173. This was enacted on August 15, 2012 and became effective by September 8, 2012. Okay, you have the link there if you would like to see the whole law, and of course, as with any law, there should be implementing rules and regulations. Okay.

Next slide. The creation of the Data Privacy Act gave way also to the creation of the National Privacy Commission. So what are the powers of the NPC? Of course the first one is to ensure compliance with the DPA. If you look at the law, there are a lot of things that have to be complied with by the person processing the data, which we will discuss as we go along. Of course, as with any law, if there are obligations and you cannot comply with these obligations, there may be complaints, so part of the job of the NPC is to receive these complaints and resolve these complaints. So what is the nature of these complaints? Basically data breaches, which we will discuss as we go along.

And part of its power also is to issue cease and desist orders, to impose a temporary or permanent ban on personal information processing. As you will find out later on, when we talk of the Data Privacy Act, the main concern here is personal information; this is information that is about you and about me.

The NPC also has the general authority to compel any entity, private or public, to abide by its orders or to take action in a matter affecting data privacy. Data privacy of whom? This is the data privacy of data subjects, data subjects that are like you and me. And of course to provide guidance on the protection of data and to facilitate cross-border enforcement of data privacy laws.

As you will find out later on, the DPA also has extraterritorial application. Okay, next slide, please. Okay, so what does the DPA do? Basically it regulates the collecting and processing of personal information and sensitive personal information. Actually, when you add both your PI and your SPI, you can call them personal data. Okay, so they collect and process.

So how does the DPA regulate the collection and processing of data? It imposes requirements and obligations on personal data controllers and processors, and grants rights to data subjects.

So who are personal data controllers and processors? Okay, you are students, law students, banking students. When you enrolled at La Salle, you are giving them what? Your personal information, like your name, your address, your phone number, etc. These are personal information, and personal data, that you are giving to the school, and the school is what you call a personal data controller or processor. And later on, as we go into the application of the DPA to the banks, in this case the bank becomes the personal data controller or processor, and you, as depositor or borrower as the case may be, are the data subject.

Thus personal data controllers and processors can only collect and process data if a criterion for lawful processing is present (we will discuss this later), and must observe the general privacy principles of transparency, legitimate purpose and proportionality when collecting and processing personal data, and are subject to certain obligations, including the need to observe the rights of the data subjects. These things we will discuss as we go along. And any violation of this, since the DPA law of 2012 is criminal in nature, in the sense that it provides sanctions and penalties for data processors who may fail to protect your data, then the non-compliance obviously can trigger sanctions. Okay, I hope I am being clear so far.

So when does... let's go now to the middle of the discussion: when does the DPA apply to banks, and in general? Okay, next slide. Okay, the Data Privacy Act applies if the bank is involved in the collection or processing of personal data found in the Philippines, of course.

Obviously it applies to the bank, because when you go to the bank (I know most of you will have a bank account or an ATM account), before you can get your ATM, or before you can get your passbook or open an account, they make you fill up, either online or through a bank form, personal data about yourself. Okay, and in a sense, when you give this data, this is already part of collection and processing, which we will discuss further as we go along. And the act, practice or processing relates to personal data about a Philippine citizen or resident.

First, you're a Filipino citizen, you're a resident of the Philippines, it is data that is about you, okay, and it is being done in the Philippines. Of course, like if you open an account at the Bank of the Philippine Islands, maybe in Makati or elsewhere in Manila, you are in the Philippines, obviously. And the act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, or this could be extraterritorial, so it could be a bank in New York with a branch in the Philippines, or vice versa.

QUESTION: I'm curious, especially there: the processing is done in the Philippines, that is, physically here in the Philippines, is that what it says?

Yes, ma'am, actually it's the keeping of the data.

I see.

And the processing itself, like when you go to the ATM, you do it here.

The reason I'm asking is because in the age of digital banking, I'm thinking, if someone outside of the Philippines, a Filipino who is outside of the Philippines, would like to, say, open an account, like say, for example, UnionBank or GoBank, then they are outside but the processing is done here in the Philippines. And it works also vice versa: if I want to open a bank account with a Singapore bank, is that covered by the DPA as well? So I think I'm a little confused on the processing, whether it's here, and what does it really entail?

GR: If they do it here, if it has a head office here, we can say that the processing is done here. But let's say that it's a BDO account in UAE, in Dubai, and they have a branch in Dubai and they have the head office in the Philippines. Even the processing done in Dubai can be considered, and can be covered by the DPA, you know, extraterritorially.

Ah, okay, extensive. Thank you, because I thought I'd ask the question before I lose it in my mind. Thank you.

That's why the law even provides for extraterritoriality, because of the very nature of data now, that, you know, it goes beyond borders. So there should be a way of covering it even if it goes outside the Philippines.

So let's go now to personal information. So actually this is defined by the law, and it's easier: personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Okay, so any information that may identify a person can be considered personal information, or, putting certain things together, then you can identify the person. When you look at this, this is bigger than the sensitive personal information, but when you put them together you can call them what? Personal data.

Okay, so let's go to the next slide. This gives the definition of sensitive personal information. Okay, this refers to what? An individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliation. So if you look at the sensitive personal information, you will find out that most of the things that you are putting in your bank application are really sensitive personal information, because status, age, religious affiliation... then sensitive personal information may also be about an individual's health, education, genetic or sexual life of a person, or to any proceeding for an offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings. These are sensitive personal information. Like in the case of education, in the University of the Cordilleras we do not release any information about our students just to anyone, okay, because they are protected. And I also sit in the grievance committee; if one of the employees was removed for cause, we do not disclose the reason for being suspended or being removed from the job, because these are considered sensitive personal information. In fact, even information in the clinic of the university is sensitive, like the kind of medicine you are taking, the kind of illness you have; these are sensitive personal information.

What else? Those that are issued by government agencies peculiar to an individual, which includes but is not limited to your SSS number, your previous or current health records, licenses or its denial, suspension or revocation, and tax returns. Okay, and those specifically established by an executive order or an act of Congress to be kept classified, like banking laws require confidentiality of customer data. When I was what they called a credit investigator, we asked the prospective borrower to sign a consent form allowing us to go to their bank and get their bank balances.

So because of the consent we were able to get this data from the bank. As a general rule, banks do not give that information unless there's a lawful court order, there is consent by the depositor, or in cases of money laundering, or there is already an express waiver on the part of the bank to disclose the information, or in cases of tax evasion, wherein the banks have no choice but to show the records of the client or the customer. Okay, next.
So when are you processing personal data? So what is the definition of processing? We've been talking about processing of data. So this refers to any operation or any set of operations performed upon personal information, including but not limited to collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

As you can see, when you talk of processing, this is from the time you collect the data up to the time you destroy the data. It is the whole process. Okay, so processing does not only involve the collection, but it involves everything from recording, storage, updating, retrieval, consolidation, blocking, erasure and destruction of data. In fact, in the university we made it proper that after five years we are already allowed to dispose of certain records, because we normally receive 15,000 students every semester or every trimester, and this is a lot of data, so there has to be a way of disposing of the data properly.

In fact, there was one case wherein the NPC fined a credit card company. This was the case of rejected credit card application forms. What happened was their janitor just, you know, did not dispose of the rejected application forms, and somebody got those rejected application forms, and some data were taken and used illegally, and this was brought before the NPC. The defense of the credit card company was, you know, these are not considered our records, because these are rejected credit card applications. But the NPC said no, you're still liable, because even though they were rejected and they were not able to get a credit card with you, you processed their data and therefore you should still be protecting those data, and since you did not protect those data, then you are liable under the DPA, the Data Protection Act of 2012.

So that is how important it is to us to really protect the data, especially if you are disposing of them, from the time you collect them up to the time you dispose of them, because you might still be liable.

Okay, next. Okay, examples of processing: of course, completion of 201 files of personnel. So when you get a job, or when you are already employed, the first time you entered your job you were required by the human resource development office to fill up some forms, and this forms part of your 201 file, or personal records. Of course, reviewing job applications is part of processing; collating contact details of individual representatives of suppliers and customers; sending employee data of lead entities to the parent company, okay, these are in instances like a subsidiary referring certain personal records to the parent or main company; and surveying individual customers for satisfaction with products. These are considered processing. And KYC procedures, or know-your-customer procedures, that are being done now, these are part of and examples of processing. Next.

So what are the basic requirements for lawful processing of personal data by the banks? Okay, so this is the weight of the discussion now. Okay, what are the requirements, the criteria for lawful processing? Again, first: the data subject has given consent. That is first and foremost. If you remember the time you filled up a form in the bank, there's a portion there that says that you are consenting, that you give your consent in giving your personal data.

QUESTION: Is there a requirement for the bank to alert a potential customer on that? Like, is that highlighted, or is that something that is in the fine print that we don't see?
- Usually it isn't seen anymore.
So what has been your experience in this? I mean, that by you signing, by filling up this application you agree on language...
- The consent form should really be separate, according to the NPC.
- But the practice is that it's already included.

Take note, this is very useful information. That is what I'm concerned with: now we will not take time to read, especially the fine print. Then the question I'm going to relate to that detail is: is it valid that, "the data subject has given consent", now, by signing on this application, you are deemed to consent? Is that really valid, or do you consider that to be a major grain? Actually...

So even now, potentially, what I'm hearing you say is that potentially even a bank application to open an account could potentially be considered a contract of adhesion already, at least especially here, as against the criteria of the DPA. Very useful information. Rayne, again, sorry for interrupting, but I just thought I cannot let go, because this is a realization, at least for me, that there are requirements in the DPA as to how this should go. You know, you mentioned my consent, my explanation as to why, the purpose is blah blah blah, okay, and I would call these shortcuts, no, for compliance... are litigated in the Supreme Court. Very interesting. Thank you, Rayne.

Thank you. Yes, ma'am. Okay, so again, when we...

When we look at the criteria, another one is: the processing is necessary for compliance with a legal or contractual obligation. Okay, in the case of a bank form, the Bangko Sentral requires that a borrower signs on a form, on a bank form, in order for it to have, what, the legal, contractual obligation in the bank. As you would know, when you become a depositor, the bank becomes a debtor and you become a creditor to the bank, because they are just holding your money in trust, and because of this you need to sign certain forms, and this is a contractual obligation, so you have to sign these forms. And then: the processing is necessary for the protection of the data subject or another person. Of course, if they require you to process certain documents, the DPA requires that these data are protected. And of course: processing is necessary for public purposes, and processing necessary to pursue legitimate interest. This is only allowed in the processing of personal information, but not of sensitive personal information. Okay, next slide, please.

So this is an example of what I was telling you, ma'am, it is fine print: "...who have read and understood the bank's privacy statement posted on www..." okay, BPI, "...and in the branch. I agree... may process..." blah blah blah "...the Philippines and in other jurisdictions, including but not limited to RA 1405, R846, RA 6426, RA 8791, and consent required under the DPA." Everything is lumped here. But the moment you sign this, you consent already, and they have already complied with the requirements of the Data Privacy Act of 2012.

Q: To interrupt, do you use the word... they lump it together, the data privacy, "but not limited to"... my class is very familiar with all those other laws now, we've taken them up. And back... okay, good to know. Again, thank you, Rayne.

Yes, ma'am. So as you can see, class, even in this sample form used by a bank, you consent as required by the Data Privacy Act. But if you study the Data Privacy Act in itself, it should be a different form. Okay, next slide,

please. Okay, so requirements and obligations: general privacy principles. These are the things you have to consider in getting data. First, transparency: the data subject must be aware of the nature, purpose and extent of the processing. For the catalog... doing your application to take the bar exams, so that it is accepted by the Supreme Court and the Office of the Bar Confidant, in your application to take the bar, etc., you know those things, apparently, and the purpose while you are filling it up, or in the case of the bank borrower. Then legitimate purpose: processing must be compatible with a declared and specified purpose. Okay, so obviously it should always be for a legitimate purpose... credit card, etc.

And another thing is proportionality: processing shall be adequate, relevant, suitable, necessary and not excessive. Actually, before the Data Protection Act of 2012 was implemented by UC, when I was HR director, we used to take a lot of data from students or from personnel, as a concept, the more data... From 48 forms we reduced it to about 24. Spider-Man: to whom much power is given, there is much responsibility, and data.

Okay, so these rights are supposed to be included in the data privacy statement every time you fill up a form. Human rights, okay. The first one is the right to be informed; that is the purpose of transparency: what is the nature, what is the purpose, and what is the extent.

And of course, with the right to give data is the right to object, when... okay, gender: if you do not want to disclose it, if you do not want to disclose, that should be acceptable already (gender-sensitivity).

You have your right to access your data at any time.

All right, the right to rectification: the processor made a mistake (male was recorded as female). Then also the right to erase or block.

The right to data portability: bring a USB or anything, you can get your data.

Okay, and the right to damages, in case of breach of your data or illegal... then you have a right to file a case against the data processor for damages, and when you look at the law, five hundred thousand...

Okay, so next: data sharing, okay, outsourcing, you know. So another example: the University of the Cordilleras has government scholars. If the government needs to check identities, we need to share the students' data, and we have data sharing.

The outsourcing or subcontracting happened when there were manpower pooling agencies, UAE, Dubai, Emirati, but they engage a company to check the academic records of their applicants who come from our university, to check the data and to classify the data. Okay, so, you know, outsourcing and subcontracting of personal data on behalf of a controller.

So important: covered by a data outsourcing or subcontracting agreement; whoever the data goes to, the DPA applies.
Okay, next. Okay, five commandments of the NPC. Next, next, please. So actually this is the main requirement of the law, that we implement data policy and security measures. But security measures, because of the possibility of data breach, you know, in this day and age of technology, you know, your data can be used anywhere in the world, and this data should be protected.

In fact, Facebook sells our information; you know, this can be used through data analytics and through AI: alumni preferences.

Appoint a data protection officer: all offices in the Philippines, whether government, non-government or private, are required to have a data protection officer, precisely because they need someone who will be the point person so far as data protection is concerned.

Of course, the first thing we did before was to conduct a privacy impact assessment; we have already finished our data privacy manual.
Q&A

Q: The PNP, for example, tries or attempts to get the list of your graduating students for criminology, and I would imagine that is because they are on the lookout for recruits, but you just said you refuse. Don't you get flak or something?

A: Oh, we just said that, you know, we are just complying with the Data Protection Act of 2012, and we told them, anyway, the student graduate of UC who would like to take the exams can give his consent or her consent; then we will just give you a certification that they graduated.

The TOR is prima facie evidence that he or she graduated from us.

Q: I see, I see. So I would imagine the range of inquiries, or the range of... how do you keep track? My goodness, I didn't realize that this is such, like, stressful, because you always have to be very vigilant to ensure compliance with the DPA. But I would imagine there would be many instances in a workday where you would probably be bordering on, or where you have to make judgment calls on... how do you cope? I mean, where do you draw the line? Do you always have to exercise, like, high-level judgment calls with respect to data privacy?

A: Well, what we did in the... what I did was, of course, to orient everyone, and then I went office to office, and then...

Do you know, I have encountered a school of one of my children, that they do not even buy that point now. As a matter of fact, I'm the one issuing the checks; indeed, I had to get the signature of my son.

Wow. But you have a point there, especially... very interesting.

What other sort of challenging requests do you receive?

The NBI requesting a schedule, a class schedule, a class schedule of some particular students, and their obligations.

But what is interesting in what you just said is you made time to really go into what I call education, obviously, of all who are day-to-day. So you said you made the rounds within the whole university to educate people about data privacy. So that means to say, once they are trained, they can somehow make the basic decisions; only when they really cannot resolve it, you have an escalation procedure. ...affairs, clinic, accounting, library, you know, so you could just imagine the number of data... And I would imagine the complexity of compliance with the data privacy law is multiplied by, of course, the number of people you have to deal with, the number of units that would process... universities, your opening of the bank account, monitoring. But again, banks are also not immune to inquiries from practically the same entities that you've mentioned, potentially the NTI, or, you know, NBI and PNP and the courts or whatever... the other law enforcement agencies, using the guise of the police power of the state. We know that that is the ultimate weapon, police power; when you start screaming police power, we were trained in law school that that has precedence, it trumps a lot of things, but usually it can be used not for exactly the most noble of purposes, so to say. Okay, I really wish, and I hope I do not abuse them, to probably call on you again. So I think, Angel, we can close the session now.
