Personal information controller - refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

1) A person or organization who performs such functions as instructed by another person or organization; and

2) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.

Personal information processor - refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

ILLUSTRATION: The Human Resource Department, headed by the Executive Vice President for HR, is tasked to collect information from applicants who may eventually be hired and join the company according to the directives of the Board of Directors. In this case, the EVP for HR is the personal information processor because he/she processes the information only through the directives of the BOD, the latter being the personal information controller.

Information outside the scope of the Act (list continued; the start of item 1 is not on this page):

1) [...]
a) [...]
b) The title, business address and office telephone number of the individual;
c) The classification, salary range, and responsibilities of the position held by the individual; and
d) The name of the individual on a document prepared by the individual in the course of employment with the government;

2) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

3) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

4) Personal information processed for journalistic, artistic, literary or research purposes;

5) Information necessary in order to carry out the functions of public authority, which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions;

6) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or BSP to comply with the CISA and RA 9160 as amended, otherwise known as the AMLA, and other applicable laws; and

7) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

No amendments or repeal to the following laws:
a) RA no. 1405 Secrecy of Bank Deposit Act
b) RA no. 6426 Foreign Currency Deposit Act
c) RA no. 9510 Credit Information System Act

Protection Afforded to Journalists and Their Sources: No amendment or repeal of RA no. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in confidence to such publisher, editor, or reporter.

Extraterritorial Application: The Data Privacy Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

1) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

2) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines, or, even if the processing is outside the Philippines, it is about Philippine citizens or residents, such as, but not limited to, the following:
a) A contract is entered in the Philippines;
b) A juridical entity not incorporated in the Philippines but which has central management and control in the country; and
c) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

3) The entity has other links in the Philippines such as, but not limited to:
a) The entity carries on business in the Philippines; and
b) The personal information was collected or held by an entity in the Philippines.

The National Privacy Commission

Functions of the National Privacy Commission: The Commission was created to administer and implement the provisions of the Data Privacy Act and to monitor and ensure compliance of the country with international standards set for data protection. Its functions include:

1) Ensure compliance of personal information controllers with the provisions of this Act;

2) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and may collect the information necessary to perform its functions under this Act;

3) Issue cease and desist orders, or impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;

4) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;

5) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;

6) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;

7) Publish on a regular basis a guide to all laws relating to data protection;

8) Publish a compilation of agency systems of records and notices, including indexes and other finding aids;

9) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties provided under the Act;

10) Review, approve, reject or require modification of privacy codes voluntarily adhered to by a personal information controller: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act; Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with the Data Privacy Act;

11) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;

12) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

13) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;

14) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, and participate in international and regional initiatives for data privacy protection;

15) Negotiate and contract with data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;

16) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and

17) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

Confidentiality: The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.

Organizational Structure of the Commission: The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one responsible for Data Processing Systems and one responsible for Policies and Planning. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

[...] shall be filled in the same manner in which the original appointment was made.

Qualifications of the Privacy Commissioner:
1) At least thirty-five (35) years of age;
2) Of good moral character, unquestionable integrity and known probity; and
3) A recognized expert in the field of information technology and data privacy.

The Deputy Privacy Commissioners must be recognized experts in the field of information technology and data privacy.

Acts done in good faith: The Privacy Commissioner, the Deputy Privacy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties.

However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs, even if he or she acted under orders or instructions of superiors. In case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.

The Secretariat: A majority of the members of the Secretariat must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information, including, but not limited to, the following offices: SSS, GSIS, LTO, BIR, PhilHealth, COMELEC, DFA, DOJ, and PhilPost.

PROCESSING OF PERSONAL INFORMATION
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to:
1) Collection
2) Recording
3) Organization
4) Storage
5) Updating or Modification
6) Retrieval
7) Consultation
8) Use
9) Consolidation
10) Blocking
11) Erasure; or
12) Destruction of Data

Rights of the data subject (list continued; the information the data subject is entitled to be given includes):

b) Purposes for which they are being or are to be processed;
c) Scope and method of the personal information processing;
d) The recipients or classes of recipients to whom they are or may be disclosed;
e) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
[...]
g) Date when his or her personal information was last accessed and modified; and
h) The designation, or name or identity and address of the personal information controller.

5. Right to Correction - The data subject shall have the right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

If the personal information has been corrected, the personal information controller shall ensure the accessibility of both the new and retracted information and the simultaneous receipt of the new and retracted information by recipients thereof: Provided, That third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject.

6. Right to Erasure - The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or no longer necessary for the purposes for which it was collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information.

7. Right to Damages - The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false or unlawfully obtained personal information, or its unauthorized use.

8. Right to Data Portability - The right of the data subject to obtain from the personal information controller a copy of the data, where the personal information is processed:
a) by electronic means; and
b) in a structured and commonly used format.

The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.

Transmissibility of Rights of the Data Subject - The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights enumerated above.

Non-Applicability of Rights - The above rights of a data subject are not applicable:

1) If the processed personal information is used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose; and

2) To processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.

SECURITY OF PERSONAL INFORMATION
Security of Personal Information:

1. The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

2. The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

3. The determination of the appropriate level of security must take into account (1) the nature of the personal information to be protected, (2) the risks represented by the processing, (3) the size of the organization and the complexity of its operations, (4) current data privacy best practices and (5) the cost of security implementation.

Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
a. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of its functioning or availability;
b. A security policy with respect to the processing of personal information;
c. A process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
d. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

4. The personal information controller must further ensure that third parties processing personal information on its behalf implement the security measures required by this provision.

5. The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or termination of employment or contractual relations.

6. The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information, or other information that may, under the circumstances, be used to enable identity fraud, is reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Notification to the Commission - The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this provision and the existence of good faith in the acquisition of personal information.

b. The Commission may exempt a personal information controller from the notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.

c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

Period to Report - If there is a likelihood of risk to individuals, the personal information controller must report the data breach to the Commission within 72 hours.

ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
Principle of Accountability - Each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

1) The personal information controller is accountable for complying with the requirements of the Data Privacy Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party.

2) Data Protection Officer: The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with the Data Privacy Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.

SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
Responsibility of Heads of Agencies - All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry and recommended by the Commission.

The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned, while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.

Requirements Relating to Access by Agency Personnel to Sensitive Personal Information:

1. On-site and Online Access - Except as may be allowed through guidelines to be issued by the Commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency.

2. Off-site Access - Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted to and approved by the head of the agency in accordance with the following guidelines:

a) Deadline for Approval or Disapproval - In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. In case there is no action by the head of the agency, such request is considered disapproved;

b) Limitation to 1,000 Records - If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time; and

c) Encryption - Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

Applicability to Government Contractors - In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system with the Commission in accordance with the Data Privacy Act and to comply with the other provisions of said Act in the same manner as agencies and government employees comply with such requirements.

UNLAWFUL ACTS AND PENALTIES
1) Unauthorized Processing - any person who processes personal information without the consent of the data subject, or without being authorized under the Data Privacy Act or any existing law. Penalties:

[...] data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored. Penalty shall be imprisonment of 1 year to 3 years and a fine of P500,000 to P2,000,000.

6) Concealment of Security Breaches Involving Sensitive Personal Information - any person who, after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the fact of such security breach. The penalty shall be imprisonment of 1 year and 6 months to 5 years and a fine of P500,000 to P1,000,000.