DATA PRIVACY ACT OF 2012
ROREN MARIE M. CHIN
PRIVACY POLICY OFFICE
NATIONAL PRIVACY COMMISSION
PRIVACY
“The right to be let alone - the most comprehensive of rights and the right most valued by civilized men”
Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The Rand Paper Series. Santa Monica, CA: The Rand Corporation.
Republic Act No. 10173
DATA PRIVACY ACT OF 2012
An Act protecting individual personal information in information and communications systems in the government and the private sector.
Processing Personal Data
What is PERSONAL INFORMATION?
• Any information from which the identity of an individual is apparent
• Any information that can be put together with other information to reasonably and directly identify an individual
• Includes sensitive personal information such as your health, education, genetic or sexual life
• Includes information that is classified or privileged
[Diagram: nested categories - Personal Information, within it Sensitive Personal Information, within it Health Information]
Definition of Terms
Personal Information Controller (PIC): a person or organization who controls the collection, holding, processing, or use of personal information.
Personal Information Processor (PIP): any natural or juridical person qualified to act as such, to whom the PIC may outsource the processing of personal data pertaining to a data subject.
GENERAL DATA PRIVACY PRINCIPLES
Criteria for Lawful Processing
Personal Information: processing is allowed if one of the following applies
• Consent of the data subject (voluntary; opt-out)
• Fulfilment of a contract
• Existing laws and regulations
• Protection of life and health (vitally important interest of the data subject)
• National emergency
• Legitimate purpose of the PIC
Sensitive Personal Information: processing is prohibited except where one of the following applies
• Consent of the data subject
• Existing laws and regulations
• Protection of life and health
• Lawful and non-commercial objective
• Medical treatment
• Protection of lawful rights and interest
General Data Privacy Principles
Proportionality: the processing of information shall be adequate, relevant, suitable, necessary, and not excessive.
Serves to align everyone in the organization in the same direction.
Pillar 4: Implement Security Measures (organizational, technical, physical)
Pillar 5: Prepare for Breach
C - Confidentiality
I - Integrity
A - Availability
Confidentiality breach
The Office of the Ombudsman in the Visayas has recommended the filing of criminal and administrative charges against doctors and nurses involved in what is now known as the "canister scandal" at the government-run Vicente Sotto Memorial Medical Center in Cebu province.
The Ombudsman found that the medical attendants committed misconduct for "unlawful behavior and gross negligence of a public officer" and negligence, for "acting or omitting to act in a situation where there is a duty to act."
Source: http://news.abs-cbn.com/nation/regions/05/06/08/ombudsman-charge-docs-nurses-cebu-canister-scandal
Integrity breach
RA 10173 penalties, by section: if you do this, the imprisonment and fine for Personal Information* and for Sensitive Personal Information**

Section 25 - Processed info without authorization (e.g. a doctor accesses a patient record that he is not authorized to view)
  Personal Information: one (1) to three (3) years; 500,000 to 2,000,000 pesos
  Sensitive Personal Information: three (3) to six (6) years; 500,000 to 4,000,000 pesos

Section 26 - Provided access to info due to negligence (e.g. a CIO who did not properly deploy security measures on email or devices, or a health worker who provided a password to someone else)
  Personal Information: one (1) to three (3) years; 500,000 to 2,000,000 pesos
  Sensitive Personal Information: three (3) to six (6) years; 500,000 to 4,000,000 pesos

Section 27 - Improper disposal of info (e.g. failing to shred paper records, or failing to ensure that a cloud provider has completely wiped all data)
  Personal Information: six (6) months to two (2) years; 100,000 to 500,000 pesos
  Sensitive Personal Information: one (1) to three (3) years; 100,000 to 1,000,000 pesos

Section 28 - Processing of info for unauthorized purposes (e.g. a doctor is authorized to use patient data for treatment, but also used it for clinical research)
  Personal Information: eighteen (18) months to five (5) years; 500,000 to 1,000,000 pesos
  Sensitive Personal Information: two (2) to seven (7) years; 500,000 to 2,000,000 pesos

Section 29 - Intentional breach of info (e.g. viewing a record using a password stolen from someone else)
  Personal Information: one (1) to three (3) years; 500,000 to 2,000,000 pesos
  Sensitive Personal Information: one (1) to three (3) years; 500,000 to 2,000,000 pesos

Section 32 - Unauthorized disclosure (other disclosures not covered by "malice", e.g. posting to social media about a patient's case)
  Personal Information: one (1) to three (3) years; 500,000 to 1,000,000 pesos
  Sensitive Personal Information: three (3) to five (5) years; 500,000 to 2,000,000 pesos

Section 33 - Combination or series of acts from all of the above
  Personal Information: three (3) to six (6) years; 1,000,000 to 5,000,000 pesos
  Sensitive Personal Information: three (3) to six (6) years; 1,000,000 to 5,000,000 pesos

Section 35 - ...and 100 or more persons are affected: the maximum penalty applies when 100 or more persons are harmed, affected, or involved.

Section 36 - ...and you are a public officer: when the offender is a public officer, disqualification from occupying public office will also be levied.

* Personal Information (Section 3): any information from which the identity of an individual is apparent or may be ascertained.
** Sensitive Personal Information (Section 3): personal information about an individual's race, ethnicity, age, etc., including health, education, and government-issued numbers and licenses.
Health Sector Initiatives
Initiatives for Privacy, 2016 - Present
• Conduct of orientation with various health facilities, health-related societies, and other health-allied institutions
• Conduct of PIA and Privacy Management Program workshops for various health facilities, health-related societies, and other health-allied institutions
• Speaking engagements and meetings