See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/327281053

Data Privacy Act of 2012: A Case Study Approach to Philippine Government

Agencies Compliance

Article  in  Journal of Computational and Theoretical Nanoscience · October 2018

DOI: 10.1166/asl.2018.12404

CITATIONS READS

12 35,919

3 authors:

Bernie Fabito Michelle Renee Domingo Ching

National University (NU Lipa), Philippines De La Salle University
33 PUBLICATIONS   211 CITATIONS    10 PUBLICATIONS   26 CITATIONS   

SEE PROFILE SEE PROFILE

Nelson J Celis
De La Salle University
5 PUBLICATIONS   35 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

HealthSource: A Web based public health awareness with heat map on common illnesses using social media stream View project

All content following this page was uploaded by Bernie Fabito on 17 March 2019.

The user has requested enhancement of the downloaded file.

 Copyright © XXXX American Scientific Publishers Advanced Science Letters
All rights reserved Vol. XXXXXXXXX
Printed in the United States of America

https://www.ingentaconnect.com/contentone/asp/asl/2018/00000024/00000010/art00007

Data Privacy Act of 2012: A Case Study Approach

to Philippine Government Agencies Compliance
Michelle Renee D. Ching1, Bernie S. Fabito1,2, Nelson J. Celis1
1
College of Computer Studies, De La Salle University, 2401 Taft Avenue, Manila 1004, Philippines
2College of Computer Studies, National University – Manila, 551 MF Jhocson St., Sampaloc, Manila 1008, Philippines

The Philippine Data Privacy Act (DPA) of 2012 was enacted to protect the personal information of its citizens from being
disclosed without its consent. The National Privacy Commission (NPC) was established in 2015 to promote, regulate, and
monitor data privacy compliance of both Government and Private Institutions. This study sought to explore and explain how
and why do the Philippine Government agencies comply with the DPA 2012. Additionally, it also tried to determine and
understand the determinants of compliance as perceived by the government agencies. The Commission on Higher Education
(CHED) and the Commission on Elections (COMELEC) were the focus of the interviews conducted by the researchers. The
NPC was also included in the study to determine the status of the government’s compliance with the law. The study was a
form of a qualitative case study following the context of Yin’s (2014) study of research designs and methods. The case study
is the recommended approach as the main question starts with how and why. As a result of the study, it was found out that
there are three factors that somehow influence government agencies from hampering their compliance to the DPA 2012.
These are (1) lack of awareness, (2) budget, and (3) time constraints. With regards to the determinants of compliance, (1)
deterrence, and (2) legitimacy were the concluded causal factors on why they will comply with the DPA 2012. For future
works, it is recommended that a follow-up study be conducted after the compliance deadline.

Keywords: e-Governance; Security; Data Privacy; Personal Information; Data Privacy Compliance

1. INTRODUCTION an eye-opener for government agencies. This personal

Data privacy can be defined in the literature as the
desire of an individual to control or influence information
about one’s self1,2. In the Philippines, the National
Privacy Commission (NPC) has defined data privacy as
the right of an individual not to disclose his or her
information and to live free from surveillance. Protecting
personal information comes from one’s free will and is
recognized by all democratic society3. Therefore, it is
imperative that the government provide measures that
protect the interest of its people when it comes to their
personal data. Hence, the creation of the Republic Act No.
10173, or commonly known as the Data Privacy Act
(DPA) of 2012.
Unfortunately, the COMELeak, which is the infamous
personal data breach that happened under the
Commission on Elections (COMELEC) last March 20 to
27, 2016 in the country, where 76,678,750 personal
information of Filipino voters were leaked 4, has become
1
data breach could have been prevented if COMELEC had
an Information Security Management System (ISMS)4 in
place and complied with the DPA 2012. Though this law
does not only apply to COMELEC alone, but to all
government agencies and private sectors that have at least
250 employees and/or at least 1,000 personal data5.
However, even if the law has been signed on August 15,
2012, it has not been a priority for the government
agencies. Hence, with the COMELEC incident, the NPC
had been very active in making sure that both private and
public organizations comply with the law until September
9, 2017, giving all those who are affected with one-year
preparation for compliance.
Consequently, this research study aims to uncover the
challenges and its best practices that the different
government agencies are facing in terms of compliance
with the DPA 2012.
2. REVIEW OF EXISTING STUDIES
Governance, Risk, and Compliance
 According to literature, there is no standard integrated
definition for Governance, Risk, and Compliance (GRC)6,7.
In lieu with this, there is a need to develop one. Racz,
Weippl, and Seufert (2014) developed a single-phrase
definition for GRC, which is ‘an integrated, holistic
approach to organization-wide governance, risk, and
compliance ensuring that an organization acts ethically
correct and in accordance with its risk appetite, internal
policies, and external regulations through the alignment of
strategy, processes, technology, and people, thereby
improving efficiency and effectiveness’6.
Protecting information collected, processed, and stored
by organizations, both private and public, specifically
personal information, can be done through GRC because of
its holistic approach encompassing business processes, the
technologies used for processing data and/or information,
and the people within the organization.
Information Security Management System
There are many security compliance regulatory
organizations that can be tapped by any yorganizations who
want to implement an information security, such as ISO
27001 and COBIT 5. ISO 27001 ‘provides requirements for
establishing, implementing, maintaining, and continually
improving an information security management system’8.
Moreover, COBIT 5, according to Suer and McMonagle
(2017), is a set of guidance that is used for protecting and
governing data and/or information, it also suggests that
compliance should be included in the external laws and
regulations, management of business risk, and internal
enterprise policies, and the key element of risk, which are
information, processing infrastructure, and applications,
should be taken into account9.
Those security compliance regulatory organizations can
be employed to an organization to ensure that information
security is in place and will be efficient and effective.
Republic Act No. 8792 of the Philippines
The Republic Act No. 8792 of the Philippines or the
e-Commerce Act of 2000 is a law that aims to facilitate
domestic and international dealings, transactions,
arrangements, agreements, contracts, and exchanges and
storage of information with the use of electronic, optical,
and technology to recognize the authenticity and
reliability of the electronic documents and to promote the
universal use of the government with electronic
transactions10,11.
This law plays a vital role in compliance with the
DPA 2012 because it is related to data processing and if
an organization has various data processing, protecting
the information is necessary.
Republic Act No. 10173 of the Philippines
The Republic Act No. 10173 of the Philippines or the
Data Privacy Act of 2012 is a law that aims to protect
individual’s personal information in information and
communications systems in both the government and private
sectors that was approved on August 15, 2012, which is
composed of nine chapters and 45 sections12. Moreover, its
Implementing Rules and Regulations (IRR) was
promulgated on August 24, 201613.
The National Privacy Commission
Because of the DPA 2012, the National Privacy
Commission (NPC) was established to oversee and enforce
it. In general, it aims to protect individual’s personal
information and uphold the right to privacy by regulating the
processing of personal information14. Furthermore, the
commission is headed by a privacy commissioner and
chairman, and two deputy privacy commissioners14. Having
this law mandates all government agencies and private
organizations that have 250 or more employees and/or 1,000
or more personal data, which is similar with the General
Data Protection Regulation (GDPR) of Europe15, where this
law was patterned as well.
3. RESEARCH QUESTIONS AND OBJECTIVES OF
THE STUDY
The objective of this research study is to uncover the
challenges and its best practices that the different
government agencies are facing regarding compliance with
the DPA 2012. Thus, the main research question is how and
why will the Philippine government agencies comply with
the DPA 2012? To be able to answer this, the following are
the specific research questions:
1. What are the data processes that deal with personal
data?
2. What are the management information systems in
place that deal with personal data?
3. How do the determinants of compliance by Sutinen
and Kuperan (1999) affect government agencies to
comply with the DPA 2012? and
4. How does the compliance of the government
agencies with the e-Commerce Act of 2000 impact
its compliance with the DPA 2012?
4. SCOPE OF THE STUDY
The government agencies included in this research
study were the NPC, CHED, and COMELEC. The resource
person for NPC was Dr. Rolando Lansigan, the Compliance
and Monitoring Division Chief; for CHED, it was Dr. Maria
Terisita Semana, the Chief Information Officer; and for
COMELEC, it was Atty. Pamela Joy T. Herrera, Attorney
under the Information Technology Department.
5. METHODOLOGY
The study was conducted through qualitative methods
employing case studies. qualitative case studies allowed the
researchers to explain the connections between the
phenomenon and the context in which it exists. Additionally,
several literatures have provided well-established theories
that have been born out of qualitative case study16. Its merits
in the literature have allowed several researchers to employ
qualitative case approach in their studies. a qualitative case
study as explained by Yin (2014) is an empirical inquiry that
tries to investigate certain phenomenon using multiple
sources of evidence17. It starts with planning and followed
by design. Here, it describes the characteristics of the case
study; next would be preparation for the collection of data
and presentation of the findings and analysis at the end;
followed by collect, which describes how the data is
acquired, will it be through observations, surveys, interviews,
documents, and/or archival records; and analyze, which is
the technique, framework, or concept to be employed for
analyzing the collected data17.
Fig. 1. Case Study Model
For the study to be considered in the context of a case
study, the question provided in the main problem should
start with how or why17. As shown in Fig.1., the planning
phase of the model refers to the exploratory approach.
Additionally, the specific research questions tackled with a
what form, this study is also an exploratory17. Furthermore,
the design phase followed a multiple holistic case study
because there were three government agencies examined.
The method for acquiring data were through interviews and
documents collected from the target government agencies.
To analyze the collated data, the determinants of compliance
by Sutinen and Kuperan (1999) was used.
The case studies, in general, can either proposed a new
theory or validate existing theories in which the latter was
used for this research study. As mentioned, the determinants
of compliance proposed by Sutinen and Kuperan (1999) as
shown in Fig.2, were studied to determine whether they
affect the government agencies’ compliance with DPA 2012.
Aside from deterrence, which is perceived as the most
common type of factor for regulatory compliance, the
authors provided other compelling causal factors affecting
the compliance behavior.
Fig. 2. Determinants of Compliance18
As a result of the study, the determinants were
narrowed down to two based on the interviews conducted.
These determinants were (1) deterrence, and (2) legitimacy.
The other determinants of compliance were neglected as
they did not serve as causal factors for the government
agencies compliance with the DPA 2012 (e.g., social
influence).
As defined, deterrence is a strategy that enforces
punishment surpassing any economic gain from failing to
comply with the required rules to promote industry
compliance19. Furthermore, another factor that compels
government agencies to comply with the law is legitimacy.
Legitimacy is defined as the recognition and acceptance to a
governing body. An organization who recognizes one’s
3
legitimacy are expected to comply regardless of its own
dictates20.
Overall, Fig.3 describes the operational framework in
which the research study was analyzed.
Fig. 3. Operational Framework
6. FINDINGS
Commission on Higher Education (CHED)
From the interview conducted with Dr. Semana, it was
found out that not all of their business processes are
automated (not fully compliant with RA 8792). For this very
reason, they are in the process of developing their
information system and updating their portal. Hence,
requiring a need to re-engineer their business processes.
With the requirement of complying with the DPA 2012, the
commission is trying to fast track the development of the
needed information system through employing IT
consultants. Through there were already previous plans and
attempts to upgrade their information system prior to the
requirement of complying the DPA 2012, the law has made
the agency to speed up the development and upgrade of their
information system.
Consequently, it seems that the absence of their
information system and portal, which is a core requirement
for the RA 8792, may have also hampered their compliance.
Aside from the time constraint that somehow impedes
the agency’s compliance, they are also suffering from
meager funds. This is because they have already submitted
their 2017 budget two years prior the NPC conducted a
workshop or seminar last December 2016. For this reason,
the agency failed to allot the needed fund to comply with the
DPA 2012. The budget constraint issue holds true not just for
CHED but also to other remaining government agencies.
This was confirmed by Atty. Herrera of the COMELEC.
Furthermore, when asked if the agency would be able to
comply in time with the given deadline, Dr. Semana
answered that they are doing their very best to exhaust all
means to comply with the law, regardless of accompanying
challenges that it brings. Additionally, the corresponding
punishment associated with its failure to comply is too much
for the Data Protection Officer (DPO) and the agency to bear.
Commission on Elections (COMELEC)
Based on the study conducted by Bonsol, Carillo,
Ching M., Ching K, Duran, and Tatel (2011), the top three
information systems that are prioritized for development
were the (1) Automated Election System; (2) Voter
Education and Awareness System; and (3) Case
Management System among others. All these information
systems process personal data.
Between CHED and COMELEC, it seemed that the
latter is highly more compliant with the DPA 2012. Based on
the interview with Atty. Herrera, the agency is ahead of the
compliance as opposed to other government agencies. The
agency has already appointed their DPO, conducted their
Privacy Impact Assessment (PIA), which is a core
requirement for the DPA 2012 compliance, submitted the
Breach Management Plan (BMP), which stemmed out from
their Privacy Management Program (PMP), and has started
developing their information security policies.
Atty. Herrera, however, shared that the vast number of
offices starting from the regional field offices down to the
municipality level is somehow challenging as they should
make sure that all offices all over the country are able to
comply with the law. The logistics and operations in the
physical aspect of the IRR would require high amount of
financial resources that could keep all data in all regional,
provincial, and municipality levels safe and secured.
Furthermore, just like CHED, this was not also included in
the budge of COMELEC.
When asked about the agency’s determinants of
compliance, Atty. Herrera answered deterrence as the
number one factor followed by legitimacy. Though the law
existed since 2012, no one acted on it. It was only after 2015
when the agency started to act on their compliance. Since
the repercussion for non-compliance is high, the agency
must comply. This also holds true for CHED.
On the latter part of the interview, it was found out that
due to their ongoing case with the NPC regarding
COMELeak, the agency is able to fast track their
compliance. This only means that though NPC, as
represented by Dr. Lansigan, mentioned that no government
agency has yet complied with DPA 2012, it seemed that
COMELEC is readier with their compliance vis-à-vis with
CHED and other government agencies readiness to DPA
2012 compliance.
National Privacy Commission (NPC)
The side of the NPC was also considered for interview
in relation to the status of the government agencies’ DPA
2012 compliance. According to Dr. Lansigan, no
government agencies have fully complied yet. However,
some agencies have already submitted partial documents for
compliance.
When asked about possible reasons why it would be
difficult for government agencies to comply, he shared the
following reasons: (1) there is no DPO plantilla position
available for government agencies. The NPC, however,
together with the Department of Budget and Management
(DBM), is now working together to provide a plantilla
position to all government agencies. For the meantime,
several government agencies have already pointed their
DPO in the form of designations; (2) a misconception about
the DPO’s accountability to a breach. There’s a myth that
says when a breach is made, it is the DPO who will
immediately suffer the consequences; (3) lack of awareness
on the responsibility of a DPO. The role of a DPO is not yet
clear to the agencies; (4) lack of awareness to the DPA 2012;
and (5) the wait-and-see attitude, wherein they will comply
what they can until the set deadline and then wait and see
what punishments the NPC will impose to those government
agencies that were not able to fully comply with the DPA
2012.
Dr. Lansigan also shared that following pillars that
must be met for government agencies to be considered fully
compliant. These are (1) Appointment of DPO; (2) Conduct
of Privacy Impact Assessment; (3) creation of the Privacy
Management Program; (4) creation of the Data Protection
Measures; and (5) creation of Breach Management Program.
Out of the five pillars, the second to the fifth pillars are those
that are difficult to achieve. Some government organizations
would outsource it, while others chose to do it within their
organizations.
With respect to the determinants of compliance, he
shared that (1) legitimacy; (2) deterrence; and (3) reputation
are the reasons why they need to comply. Since it is what the
law dictates, it is expected that the government agencies
should follow. However, when compared with the
government agencies’ compliance with the e-Commerce law,
they are more worried with the DPA 2012 due to the
accompanying repercussions. Deterrence, in this case,
seemed to be the most compelling reason why they need to
comply.
Furthermore, according to Dr. Lansigan, they think that
the deadline provided for the compliance was fair, given that
the law was in existent since 2012 and there is only one-year
compliant period whenever a law mandates the government
agencies to comply.
Additionally, the agency provides various assistance to
the government agencies who are having difficulties in
complying with the DPA 2012. They also provided a
Toolkit21 to guide both private and public sectors affected by
the law.
7. CONCLUSION
This research study has provided useful insights on the
government agencies’ compliance with the DPA 2012.
Based on the interviews conducted with COMELEC, CHED,
and NPC, it can be concluded that three factors that
somehow influence government agencies from hampering
their compliance. These are (1) lack of awareness; (2)
budget; and (3) time constraints.
As discussed by Dr. Lansigan, several government
agencies are experiencing problems with regards to the
understanding the DPO’s accountability and its role is not
yet fully absorbed by the designated DPO. This is true for
CHED as their appointed DPO is in doubt of the
responsibilities and accountabilities assigned to his
designation. Budget constraints also hold an important factor
that pulls away from their compliance to the law. CHED and
COMELEC have not included in their budget the needed
financial resources to work on their compliance since the
budget for 2017 was approved two years back, which is
2015. That was the time when the DPA 2012 was enacted
but no IRR has been established until 201613. Additionally, it
was only in 2016 when the NPC has started doing tis
awareness campaign, it was only then where it became clear
for the government agencies about the requirements for the
compliance and its accompanying punishments.
Furthermore, since the government agencies were only
given a year to comply, it is limited. This was also
influenced by the absence of information systems and
portals that should have existed a long time ago in
compliance with the e-Commerce Act of 2000.
With regards to the determinants of compliance,
deterrence and legitimacy were concluded causal factors on
why government agencies comply with the DPA 2012. As
compared to the e-Commerce Act of 2000, they are more
compelled to comply with the DPA 2012. However, both are
laws that need to be observed, the e-Commerce law does not
have any associated repercussions for the failure of
compliance. Though, the two government agencies are
trying to adhere to it but are not fully compliant10. Moreover,
in the case of the DPA 2012, they are more aggressive to
comply due to the consequences solely indicated for the
non-compliance and the possible breach after it.
Another example that is similar with deterrence as a
determinant for compliance is the case of COMELEC with
NPC. The COMELEC was able to fast track their
compliance due to their ongoing case. If it had not been for it,
the result might have been a different story.
8. FUTURE WORK
Since this research study was conducted during the
compliance period of the government agencies, it is
recommended to follow-up with the CHED and COMELEC
after the compliance deadline to see if they are fully
compliant of not.
ACKNOWLEDGMENTS
The authors would like to express their gratitude to
their Case Study professor, Dr. Nelson J. Celis, for imparting
his knowledge on conducting a case study research, his
expertise with the e-Commerce Act of 2000 and the Data
Privacy Act of 2012, and networks with various Philippine
government agencies. To the authors’ subject matter experts,
Dr. Maria Terisita Semana of CHED, Atty. Pamela Joy T.
Herrera of COMELEC, and Dr. Rolando Lansigan and Mr.
Cleo Martinez of the NPC. And last but not the least, to our
Heavenly Father for providing us wisdom, knowledge, and
strength in finishing this valuable research study.
REFERENCES
[1] France Bélanger and Robert E. Crossler. 2011. Privacy in the Digital
Age: A Review of Information Privacy Research in Information
Systems. MIS Quarterly 35, 1017–1041.
DOI:https://doi.org/10.2307/41409971
[2] Donald International Information Management Association.,
Shoshana Altschuller, and Eric Moscato. 2014. Communications of
the IIMA. International Information Management Association.
Retrieved August 20, 2017
http://scholarworks.lib.csusb.edu/ciima/vol13/iss4/7
[3] Anna Romanou. 2017. The necessity of the implementation of
Privacy by Design in sectors where data protection concerns arise.
Comput. Law Secur. Rev. (2017),
DOI:https://doi.org/10.1016/j.clsr.2017.05.021
[4] Nelson J. Celis. 2017. “COMELeak”: Telltale Sign of Poor
Governance Part 1. The Manila Times Online. Retrieved from
http://www.manilatimes.net/comeleak-telltale-sign-poor-
governance/306281/
[5] 2011. Republic Act No. 10173. Congress of the Philippines, Metro
Manila.
[6] Nicolas Racz, Edgar Weippl, and Andreas Seufert. 2010. A Frame of
Reference for Research of Integrated Governance, Risk, and
Compliance (GRC). Commun. Multimed. Secur. (2010), 106–117.
DOI:https://doi.org/10.1007/978-3-642-13241-4_11
5
View publication stats
[7] Manuel Wiesche, Michael Schermann, and Helmut Krcmar. 2011.
Exploring the Contribution of Information Technology to
Governance, Risk Management, and Compliance ( GRC ) Initiatives.
Eur. Conf. Inf. Syst. 49, 2011 (2011), Paper 4. Retrieved from
http://aisel.aisnet.org/ecis2011/4
[8] ISO/IEC 27001. 2013. Information Technology — Security
Techniques — Information Security Management Systems —
Requirements. ISO/IEC 11, (2013), 1–24.
[9] Myles Suer and Les McMonagle. 2017. Extending COBIT 5 Data
Security and Governance Guidance. COBIT Focus January (2017),
1–6.
[10] Nelson J. Celis. 2005. Compliance with Philippine e-Commerce Act:
A Manifestation of Organizational Commitment in Automating
Processes.
[11] 2000. Republic Act No .8792 of Philippines Electronic Commerce
Act of 2000. Philippines Senate and House of Representatives of the
Republic of the Philippines.
[12] 2011. Republic Act No. 10173. Congress of the Philippines, Metro
Manila. Retrieved June 15, 2017 from http://www.dict.gov.ph/wp-
content/uploads/2014/10/20120815-RA-10173-BSA.pdf
[13] 2012. Republic of the Philippines Implementing Rules and
Regulations of Republic Act No. 10173. National Privacy
Commission.
[14] About Us | National Privacy Commission. Retrieved August 20, 2017
from https://privacy.gov.ph/about-us/#visionmission
[15] 2016. Regulation of the European Parliament and of the Council. The
European Parliament The European Council.
DOI:https://doi.org/http://eur-
lex.europa.eu/pri/en/oj/dat/2003/l_285/l_28520031101en00330037.p
df
[16] Andrea Runfola, Andrea Perna, Enrico Baraldi, and Gian Luca
Gregori. 2017. The use of qualitative case studies in top business and
management journals: A quantitative analysis of recent patterns. Eur.
Manag. J. 35, 1 (February 2017), 116–127.
DOI:https://doi.org/https://doi.org/10.1016/j.emj.2016.04.001
[17] Robert K. Yin. 2014. Case Study Research.
[18] Jon G. Sutinen and K. Kuperan. 1999. A Socio‐Economic Theory of
Regulatory Compliance. Int. J. Soc. Econ. 26, 1/2/3 (1999), 174–193.
DOI:https://doi.org/10.1108/03068299910229569
[19] Paul R. Zimmerman. 2014. The deterrence of crime through private
security efforts: Theory and evidence. Int. Rev. Law Econ. 37, (2014),
66–75. DOI:https://doi.org/10.1016/j.irle.2013.06.003
[20] Jee Young Chung. 2010. Examining Organizational Legitimacy: an
Empirical Analysis of Organizational Legitimacy, Issue Legitimacy,
Legitimacy Gaps, and Factors Affecting the Legitimacy Regarding
the Issue of Direct-To- Consumer Advertising in the Pharmaceutical
Industry. (2010), 152. Retrieved from
http://gateway.proquest.com/openurl?url_ver=Z39.88-
2004&res_dat=xri:pqdiss&rft_val_fmt=info:ofi/fmt:kev:mtx:dissertat
ion&rft_dat=xri:pqdiss:3426011 (18. 3. 2014)
[21] 2017. National Privacy Commission Toolkit: A Guide for
Management and Data Protection Officers.
from
1–12.