
DATA PRIVACY ACT OF 2012
ROREN MARIE M. CHIN
PRIVACY POLICY OFFICE
NATIONAL PRIVACY COMMISSION
PRIVACY
“The right to be let alone - the most comprehensive of rights and the right most valued by civilized men”
[Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)].
CONFIDENTIALITY
“The obligations of those who receive information in the context of an intimate relationship to respect the privacy interests of those to whom the data relate and to safeguard that information”
Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. http://www.nap.edu/catalog/12458.html
SECURITY
“The procedural and technical measures required to (a) prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm.”
Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The Rand Paper Series. Santa Monica, CA: The Rand Corporation.
Republic Act No. 10173
Data Privacy Act of 2012
DATA PRIVACY ACT OF 2012
An Act protecting individual personal information in information and communications systems in the government and the private sectors.

From the slides of Atty. Ivy D. Patdu, MD

DATA PRIVACY ACT OF 2012: Scope
The general rule is that processing of personal, sensitive personal and privileged information is covered by the law.
DATA PRIVACY ACT OF 2012: Terms
• Personal Information
• Sensitive Personal Information
• Personal Data
• Personal Information Controller
• Personal Information Processor
• Processing
Personal Data
What is PERSONAL INFORMATION?
• Any information from which the identity of an individual is apparent
• Any information that can be put together with other information to reasonably and directly identify an individual
• Includes sensitive personal information such as your health, education, genetic or sexual life
• Includes information that is classified or privileged

Personal Data covers: Personal Information, Sensitive Personal Information, Health Information.
Definition of Terms
Personal Information Controller (PIC): a person or organization who controls the collection, holding, processing, or use of personal information.

Definition of Terms
Personal Information Processor (PIP): any qualified natural or juridical person to whom the PIC may outsource the processing of personal data pertaining to a data subject.
GENERAL DATA PRIVACY PRINCIPLES
General Data Privacy Principles
• Transparency
• Legitimate Purpose
• Proportionality
General Data Privacy Principles
Transparency
The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data.
RIGHTS OF THE DATA SUBJECT
General Data Privacy Principles
Legitimate Purpose
The processing of information shall be compatible with a declared and specified purpose.
LEGITIMATE PROCESSING OF PERSONAL DATA

Criteria for Lawful Consent
• Clear
• Specific
• Informed
• Voluntary

Consent Forms
• Waiver of all rights under the Data Privacy Act
• Bundle Consent
• Opt-out

Processing of Personal Information is allowed if:
• Consent
• Fulfilment of contract
• Legal obligation
• Vitally important interest of the D.S.
• National emergency
• Legitimate purpose by the PIC

Processing of Sensitive Personal Information is prohibited, except:
• Consent
• Existing laws and regulations
• Protect life and health
• Lawful rights and interest
• Lawful and non-commercial object
• Medical treatment
General Data Privacy Principles
Proportionality
The processing of information shall be adequate, relevant, suitable, necessary, and not excessive.
FIVE PILLARS OF COMPLIANCE
1 – Data Protection Officer
2 – Privacy Impact Assessment
3 – Privacy Management Program
4 – Security Measures
5 – Breach Management
Pillar 1: Designate your DPO

Pillar 2: Conduct Privacy Impact Assessment
A process undertaken and used to evaluate and manage privacy impacts for each program, process or measure within the agency that involves personal data.
Pillar 3: Create Privacy Management Program
Serves to align everyone in the organization in the same direction.
Pillar 4: Implement Security Measures
• Organizational
• Physical
• Technical
Pillar 5: Prepare for Breach
C – Confidentiality
I – Integrity
A – Availability
Confidentiality breach
The Office of the Ombudsman in the Visayas has recommended the filing of criminal and administrative charges against doctors and nurses involved in what is now known as the "canister scandal" at the government-run Vicente Sotto Memorial Medical Center in Cebu province.
The Ombudsman found that the medical attendants committed misconduct for "unlawful behavior and gross negligence of a public officer" and negligence, for "acting or omitting to act in a situation where there is a duty to act."
Source: http://news.abs-cbn.com/nation/regions/05/06/08/ombudsman-charge-docs-nurses-cebu-canister-scandal
Integrity breach
Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.
Source: https://www.bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections
Availability breach
Tyler Durden, "Worst-Ever Recorded" Ransomware Attack Strikes Over 57,000 Users Worldwide, Using NSA-Leaked Tools, ZeroHedge, 12 May 2017, available at http://www.zerohedge.com/news/2017-05-12/massive-ransomware-attack-goes-global-huge (last accessed May 14, 2017).
Penalties

| RA 10173 Section | If you do this… | Personal Information: Imprisonment | Personal Information: Fine | Sensitive Personal Information: Imprisonment | Sensitive Personal Information: Fine |
|---|---|---|---|---|---|
| 25 | Processed info without authorization (e.g. a doctor accesses a patient record that he's not authorized to view) | one (1) to three (3) years | 500,000 to 2,000,000 pesos | three (3) to six (6) years | 500,000 to 4,000,000 pesos |
| 26 | Provided access to info due to negligence (e.g. a CIO who did not properly deploy security measures on email or devices, or a health worker who provided a password to someone else) | one (1) to three (3) years | 500,000 to 2,000,000 pesos | three (3) to six (6) years | 500,000 to 4,000,000 pesos |
| 27 | Improper disposal of info (e.g. failing to shred paper records, or failing to ensure that a cloud provider has completely wiped all data) | six (6) months to two (2) years | 100,000 to 500,000 pesos | one (1) to three (3) years | 100,000 to 1,000,000 pesos |
| 28 | Processing of info for unauthorized purposes (e.g. doctor is authorized to use patient data for treatment, but also used it for clinical research) | eighteen (18) months to five (5) years | 500,000 to 1,000,000 pesos | two (2) to seven (7) years | 500,000 to 2,000,000 pesos |
| 29 | Intentional breach of info (e.g. viewing a record using a password stolen from someone else) | one (1) to three (3) years | 500,000 to 2,000,000 pesos | one (1) to three (3) years | 500,000 to 2,000,000 pesos |
| 30 | Concealing security breach (e.g. not informing patients that their sensitive information was exposed/hacked) | eighteen (18) months to five (5) years | 500,000 to 1,000,000 pesos | | |
| 31 | Malicious disclosure (e.g. a treatment record is leaked to the press) | eighteen (18) months to five (5) years | 500,000 to 1,000,000 pesos | eighteen (18) months to five (5) years | 500,000 to 1,000,000 pesos |
| 32 | Unauthorized disclosure (other disclosures not covered by "malice", e.g. posting to social media about a patient's case) | one (1) to three (3) years | 500,000 to 1,000,000 pesos | three (3) to five (5) years | 500,000 to 2,000,000 pesos |
| 33 | Combination of a series of acts from all of the above | three (3) to six (6) years | 1,000,000 to 5,000,000 pesos | three (3) to six (6) years | 1,000,000 to 5,000,000 pesos |
| 35 | ...and more than 100 persons are affected | *maximum penalty applies when 100 or more persons are harmed, affected, or involved | | | |
| 36 | ...and you are a public officer | **when the offender is a public officer, disqualification from occupying public office will also be levied | | | |
| 3 | Definitions | *Personal Information: any information from which the identity of an individual is apparent or may be ascertained | | *Sensitive Personal Information: personal information about an individual's race, ethnicity, age, etc. including health, education, and government issued numbers and licenses | |
Initiatives for Privacy

2017
• DPO Assembly in coordination with DOH and Philippine Heart Center
• DPO Summit for Private Hospitals in coordination with Private Hospitals Association of the Philippines, Inc.
• ICT Forum for Health in coordination with DOH

2016 - Present
• Conduct of Orientation with various health facilities, health related societies, and other health allied institutions
• Conduct of PIA and Privacy Management Program Workshops for various health facilities, health related societies, and other health allied institutions
• Speaking engagements and meetings
Health Sector Initiatives

DOH initiatives on Privacy
Thank you!