Technologies’ Impact

on Privacy
LIVING IN THE IT ERA - WEEK 8-9

Faculty/Instructor: Ms. Sairine C. Pregonero

 The Right to Privacy in the Philippines
The Facts:
Mr. A has this estafa case and the case reached the Supreme Court. Unfortunately, he lost the
case. As we all know, when a case reaches the Supreme Court, the same is published in every
website discussing Philippine jurisprudence. Now, every time someone key-in his name in the
web search engines, the estafa case is displayed as one of its results. Due to such, Mr. A suffered
humiliation and embarrassment from people, who chanced upon such search result of his name.
Because of this, he wants his name be removed from such websites and he therefore invokes his
Constitutional right to privacy

The Issue:
Can a person request that his name be removed from such websites pertaining to Supreme
Court decided cases as the same is a violation of his right to privacy? Why? Why not?

The Answer:
No. A person cannot ask for such removal as the same does not constitute as a violation
of his right to privacy.
 The Philippines has no specific law on privacy. However, the 1987 Constitution
tried to provide under its:
Article III (Bill of Rights) provisions for the right to privacy, namely:
Section 2. The right of the people to be secure in their persons, houses, papers, and
effects against unreasonable searches and seizures of whatever nature and for any
purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except
upon probable cause to be determined personally by the judge after examination under
oath or affirmation of the complainant and the witnesses he may produce, and particularly
describing the place to be searched and the persons or things to be seized.
Section 3. (1) The privacy of communication and correspondence shall be inviolable
except upon lawful order of the court, or when public safety or order requires otherwise, as
prescribed by law.
(2) Any evidence obtained in violation of this or the preceding section shall be inadmissible
for any purpose in any proceeding.
 Note also that under Section 7, Article III of the Constitution, the
right of the people to information on matters of public concern shall be
recognized. A citizen has the right to access to official records, and to
documents and papers pertaining to official acts, transactions, or
decisions, subject to the limitations provided by law. Hence, the case
being jurisprudence, one has the right to access such information.
Given the situation, a person cannot invoke that his right to privacy
has been violated because of the publication of his name along with the
case he was in as the right to privacy does not prohibit the publication of
matter which is of public or general interest.
 The National Identification System
It‘s been two decades since the government first initiated the establishment of a
national ID system.
In 1996, then President Fidel Ramos issued Administrative Order No. 308 adopting
a National Computerized Identification System.
Unfortunately, the order was declared unconstitutional by the Supreme Court. In
striking down A.O. 308, the Supreme Court emphasized that the Court is not per se against
the use of computers to accumulate, store, process, retrieve and transmit data to improve
our bureaucracy. The Supreme Court also emphasized that the right to privacy does not
bar all incursions into the right to individual privacy. This right merely requires that the law
be narrowly focused and a compelling interest justify such intrusions. Intrusions into the
right must be accompanied by proper safeguards and well-defined standards to prevent
unconstitutional invasions.
• The right to privacy is a constitutional right, granted recognition independently of
its identification with liberty. It is recognized and enshrined in several provisions of
our Constitution, specifically in Sections 1, 2, 3 (1), 6, 8 and 17 of the Bill of
Rights. Zones of privacy are also recognized and protected in our laws, including
certain provisions of the Civil Code and the Revised Penal Code, as well as in
special laws (e.g., Anti-Wiretapping Law, the Secrecy of Bank Deposit Act and the
Intellectual Property Code).
• The right to privacy is a fundamental right guaranteed by the Constitution.
Therefore, it is the burden of government to show that A.O. 308 is justified by some
compelling state interest and that it is narrowly drawn. The government failed to
discharge this burden.
A.O. 308 is predicated on two considerations:
(1) the need to provide our citizens and foreigners with the facility to conveniently transact
business with basic service and social security providers and other government
instrumentalities and
(2) the need to reduce, if not totally eradicate, fraudulent transactions and
misrepresentations by persons seeking basic services. While it is debatable whether these
interests are compelling enough to warrant the issuance of A.O. 308, it is not arguable that
the broadness, the vagueness, the overbreadth of A.O. 308, if implemented, will put our
people‘s right to privacy in clear and present danger.
The heart of A.O. 308 lies in its Section 4 which provides for a Population Reference
Number (PRN) as a “common reference number to establish a linkage among concerned
agencies” through the use of “Biometrics Technology” and “computer application
designs.”
 Biometry or biometrics is “the science of the application of statistical methods to
biological facts; a mathematical analysis of biological data.” The methods or forms of biological
encoding include finger-scanning and retinal scanning, as well as the method known as the
“artificial nose” and the thermogram. A.O. 308 does not state what specific biological
characteristics and what particular biometrics technology shall be used.

Moreover, A.O. 308 does not state whether encoding of data is limited to biological
information alone for identification purposes. The Solicitor General‘s claim that the adoption of
the Identification Reference System will contribute to the “generation of population data for
development planning” is an admission that the PRN will not be used solely for identification but
for the generation of other data with remote relation to the avowed purposes of A.O. 308. The
computer linkage gives other government agencies access to the information, but there are no
controls to guard against leakage of information. When the access code of the control programs
of the particular computer system is broken, an intruder, without fear of sanction or penalty, can
make use of the data for whatever purpose, or worse, manipulate the data stored within the
system.
 A.O. 308 falls short of assuring that personal information which will be gathered
about our people will only be processed for unequivocally specified purposes. The
lack of proper safeguards in this regard of A.O. 308 may interfere with the
individual‘s liberty of abode and travel by enabling authorities to track down his
movement; it may also enable unscrupulous persons to access confidential
information and circumvent the right against self-incrimination; it may pave the way
for “fishing expeditions” by government authorities and evade the right against
unreasonable searches and seizures. The possibilities of abuse and misuse of the
PRN, biometrics and computer technology are accentuated when we consider that
the individual lacks control over what can be read or placed on his ID, much less
verify the correctness of the data encoded. They threaten the very abuses that the
Bill of Rights seeks to prevent.
Identity Theft in the Philippines
Today, personal information is captured, processed, and disseminated
in a bewildering variety of ways, and through increasingly
sophisticated, miniaturized, and distributed technologies: identity
cards, biometrics, video surveillance, the use of cookies and spyware
by websites, data mining and profiling, and many others.

Identity theft is the deliberate use of someone else's identity, usually

as a method to gain a financial advantage or obtain credit and other
benefits in the other person's name, and perhaps to the other person's
disadvantage or loss.
 In the Philippines, many syndicated groups used skimming
machine to perform such acts. ATM skimming is like identity theft
for debit cards: Thieves use hidden electronics to steal the personal
information stored on your card and record your PIN number to
access all that hard-earned cash in your account. That's why
skimming takes two separate components to work.
• The first part is the skimmer itself, a card reader placed over the
ATM's real card slot.
Always pay attention to objects mounted on the ATM or located
close by. A pinhole or off-color piece of plastic could give away the
camera's hiding place. Cameras could even be hidden in brochure
racks.
Some ATM skimming schemes employ fake keypads in lieu of
cameras to capture PIN numbers. Just like the card skimmers fit
over the ATM's true card slot, skimming keypads are designed to
mimic the keypad's design and fit over it like a glove. If you notice
that the keypad on your ATM seems to protrude oddly from the
surface around it, or if you spy an odd color change between the
pad and the rest of the ATM, it could be a fake.
The Blogger’s Freedom of Expression and the Libel Law

Scope of the Freedom of Expression

Article III (Bill of Rights) Section 4 of the 1987 Philippine
Constitution provides that ―No law shall be passed abridging the
freedom of speech, of expression, or of the press, or the right of the
people peaceably to assemble and petition the government for redress
of grievances.ǁ In addition, to protect the rights of people having an
adverse political beliefs and aspirations, Article III Section 18 (1)
further provides ― “No person shall be detained solely by reason
of his political beliefs and aspirations.”
Defamation Laws in the Philippines
Under Article 353 of the Revised Penal Code of the Philippines, libel is
defined as a public and malicious imputation of a crime, or of a vice or
defect, real or imaginary, or any act, omission, condition, status or
circumstance tending to discredit or cause the dishonor or contempt of a
natural or juridical person, or to blacken the memory of one who is dead.
Thus, the elements of libel are:
(a) imputation of a discreditable act or condition to another;
(b) publication of the imputation;
(c) identity of the person
defamed; and,
(d) existence of malice. [Daez v. Court of Appeals, G.R. No. 47971, 31
October 1990, 191 SCRA 61, 67]
 In libel cases, the question is not what the writer of an alleged libel means, but what the
words used by him mean. Jurisprudence has laid down a test to determine the defamatory
character of words used in the following manner, viz:
“Words calculated to induce suspicion are sometimes more effective to destroy reputation
than false charges directly made. Ironical and metaphorical language is a favored vehicle
for slander. A charge is sufficient if the words are calculated to induce the hearers to
suppose and understand that the person or persons against whom they were uttered were
guilty of certain offenses, or are sufficient to impeach their honesty, virtue, or reputation, or
to hold the person or persons up to public ridicule. . . .” [Lacsa v. Intermediate Appellate
Court, 161 SCRA 427 (1988) citing U.S. v. O‘Connell, 37 Phil. 767 (1918)]
An allegation is considered defamatory if it ascribes to a person the commission of a
crime, the possession of a vice or defect, real or imaginary, or any act, omission, condition,
status or circumstances which tends to dishonor or discredit or put him in contempt, or
which tends to blacken the memory of one who is dead.
Presumption of Malice:
The law also presumes that malice is present in every defamatory imputation. Thus, Article 354
of the Revised Penal Code provides that:
Every defamatory imputation is presumed to be malicious, even if it be true, if no good intention
and justifiable motive for making it is shown, except in the following cases:
1. A private communication made by any person to another in the performance of any legal,
moral or social duty; and
2. A fair and true report, made in good faith, without any comments or remarks, of any judicial,
legislative or other official proceedings which are not of confidential nature, or of any statement,
report or speech delivered in said proceedings, or of any other act performed by public officers in
the exercise of their functions.
Paragraph 2 aforequoted refers to a qualifiedly privileged communication, the character of
which is a matter of defense that may be lost by positive proof of express malice on the part of
the accused. Once it is established that the article is of a privileged character, the onus of
proving actual malice rests on the plaintiff who must then convince the court that the offender
was prompted by malice or ill will. When this is accomplished the defense of privilege becomes
unavailing. [Santos v. Court of Appeals, No. L-45031, 21 October 1991, 203 SCRA 110, 114]
 Prescinding from this provision, when the imputation is defamatory, as in this case,
the prosecution need not prove malice on the part of the defendant (malice in fact), for
the law already presumes that the defendant‘s imputation is malicious (malice in law).
The burden is on the side of the defendant to show good intention and justifiable
motive in order to overcome the legal inference of malice.
In order to constitute malice, it will must be personal. So if the ill will is engendered
by one‘s sense of justice or other legitimate or plausible motive, such feeling negatives
actual malice. [Aquino, Ramon C., The Revised Penal Code, Vol. III, Bk. II, 1997 Ed.,
citing People v. de los Reyes, Jr., 47 OG 3569]
It is established doctrine that the malice that attends the dissemination of the
article alleged to be libelous must attend the distribution itself. It cannot be merely a
resentment against a person, manifested unconnectedly several months earlier or one
displayed at a much later date.
How Committed:
Under Article 355 of the Revised Penal Code, libel may be committed by means of writing,
printing, lithography, engraving, radio, phonograph, painting, theatrical exhibition,
cinematographic exhibition, or any similar means.
Persons Responsible:
Any person who shall publish, exhibit, or cause the publication or exhibition of any defamation
in writing or by similar means, shall be responsible for the same. The author or editor of a book
or pamphlet, or the editor or business manager of a daily newspaper, magazine or serial
publication, shall be responsible for the defamations contained therein to the same extent as if
he were the author thereof.
Defenses:
In every criminal prosecution for libel, the truth may be given in evidence to the court and if it
appears that the matter charged as libelous is true, and, moreover, that it was published with
good motives and for justifiable ends, the defendants shall be acquitted.
 Proof of the truth of an imputation of an act or omission not constituting a crime
shall not be admitted, unless the imputation shall have been made against
Government employees with respect to facts related to the discharge of their official
duties.
In such cases if the defendant proves the truth of the imputation made by him, he
shall be acquitted.
It is important to remember that any of the imputations covered by Article 353 is
defamatory and, under the general rule laid down in Article 354, every defamatory
imputation is presumed to be malicious, even if it be true; if no good intention and
justifiable motive for making it is shown. There is malice when the author of the
imputation is prompted by personal ill-will or spite and speaks not in response to duty
but merely to injure the reputation of the person who claims to have been defamed.
Truth then is not a defense, unless it is shown that the matter charged as libelous was
made with good motives and for justifiable ends.
 Online Libel in the Philippines
The Supreme Court (SC) of the Philippines upheld the constitutionality of most parts of
the Cybercrime Prevention Act of 2012, including the contentious provision that punishes online
libel.
The execution of the law was suspended in October 2012 by a temporary restraining order
issued by the Supreme Court, following criticisms and protests among the media and human
rights advocates.
However, with this new ruling of the Supreme Court, a person or entity who posts something
(in words or pictures) — which can be proven false, and is intended to harm the reputation of
another by tending to bring the target into ridicule, hatred, scorn or contempt of others — may be
arrested, detained, and imprisoned because of libel.Yes, in the Philippines, libel is still a
criminal offense. It is defamation in its very essence, but covers published work on print,
television and other traditional media. The same is now true for new media like the
internet.
This online/internet libel law, however, punishes only the original author of the post. Those who
“liked”, “shared,” “re-tweeted” or re-blogged a post will not be criminally liable, unless the person
added a comment that may deemed to be libelous by a complainant.
 Computer Hackers and the Cybercrime Law
The ILOVEYOU Virus
Where were you when the ILOVEYOU bug started spreading on May 4th, 2000?
Was your computer one of the tens of millions of PCs the Love Letter attacked?
Sixteen years ago, a young Filipino computer student made history by unleashing the
world‘s first global Internet-borne virus. Known as the Love Bug, the virus spread from East to
West in a single day, inflicting $5.5 billion in damages, corrupting files, and shutting down
computer systems at major corporations, newsrooms, Wall Street firms and government
offices across the world.

The worm arrived in people‘s email boxes with a provocative subject line, ― “I LOVE
YOU: A love letter for you.” When recipients opened the attachment, ― “LOVE
LETTER-FOR-YOU.TXT.vbs,” they unwittingly infected their own computer with the
self_x0002_replicating worm as well as the computers of everyone in their contact list.
 The author of the virus is believed to be Onel de Guzman, then 25, a student at
AMA Computer University in Makati.
What many people did not realize at the time was that de Guzman‘s original
intention for creating the worm was altruistic at its roots. In the Philippines, an hour‘s
worth of Internet access cost as much as half a day‘s wage: 100 pesos, the
equivalent of two dollars.
For his graduation thesis in computer science, de Guzman wrote a program that
would enable the average Filipino to get free Internet access by stealing passwords
from the rich. His school rejected his thesis because of its bandit nature, so he could
not graduate. Undeterred, de Guzman, with the help of friends, unleashed his virus
the day before the university held its graduation ceremony.
The Philippine authorities filed theft and other charges against Mr. de Guzman,
but dropped them in August because of insufficient evidence. The case against him
was weakened because at the time, the Philippines did not have laws governing
computer espionage.
 Cybercrime Prevention Act of 2012 (Republic Act 10175)
The following are the punishable acts according to Chapter II of the Cybercrime Prevention Act of 2012:
SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable
under this Act:
(a) Offenses against the confidentiality, integrity and availability of computer data and systems:
(1) Illegal Access. – The access to the whole or any part of a computer system without right.
(2) Illegal Interception. – The interception made by technical means without right of any non-public
transmission of computer data to, from, or within a computer system including electromagnetic emissions
from a computer system carrying such computer data.
(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or deterioration of
computer data, electronic document, or electronic data message, without right, including the introduction
or transmission of viruses.
(4) System Interference. — The intentional alteration or reckless hindering or interference with the
functioning of a computer or computer network by inputting, transmitting, damaging, deleting,
deteriorating, altering or suppressing computer data or program, electronic document, or electronic data
message, without right or authority, including the introduction or transmission of viruses.
(5) Misuse of Devices.
(i) The use, production, sale, procurement, importation, distribution, or otherwise making available, without
right, of:
(aa) A device, including a computer program, designed or adapted primarily for the purpose of committing
any of the offenses under this Act; or
(bb) A computer password, access code, or similar data by which the whole or any part of a computer
system is capableof being accessed with intent that it be used for the purpose of committing any of the
offenses under this Act.
(ii) The possession of an item referred to in paragraphs 5(i)(aa) or
(bb) above with intent to use said devices for the purpose of committing any of the offenses under this
section.
(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to profit,
mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:
(i) Similar, identical, or confusingly similar to an existing trademark registered with the appropriate
government agency at the time of the domain name registration:
(ii) Identical or in any way similar with the name of a person other than the registrant, in case of a personal
name; and
(iii) Acquired without right or with intellectual property interests in it.
(b) Computer-related Offenses:
(1) Computer-related Forgery. —
(i) The input, alteration, or deletion of any computer data without right resulting in inauthentic
data with the intent that it be considered or acted upon for legal purposes as if it were
authentic, regardless whether or not the data is directly readable and intelligible; or
(ii) The act of knowingly using computer data which is the product of computer-related forgery
as defined herein, for the purpose of perpetuating a fraudulent or dishonest design.
(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion of computer
data or program or interference in the functioning of a computer system, causing damage
thereby with fraudulent intent: Provided, That if no damage has yet been caused, the penalty
imposable shall be one (1) degree lower.
(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether
natural or juridical, without right: Provided, That if no damage has yet been caused, the
penalty imposable shall be one (1) degree lower.
(c) Content-related Offenses:
(1) Cybersex. — The willful engagement, maintenance, control, or
operation, directly or indirectly, of any lascivious exhibition of sexual
organs or sexual activity, with the aid of a computer system, for favor or
consideration.
(2) Child Pornography. — The unlawful or prohibited acts defined and
punishable by Republic Act No. 9775 or the Anti-Child Pornography Act
of 2009, committed through a computer system: Provided, that the
penalty to be imposed shall be (1) one degree higher than that provided
for in Republic Act No. 9775.
(3) Unsolicited Commercial Communications. — The transmission of commercial electronic
communication with the use of computer system which seek to advertise, sell, or offer for sale
products and services are prohibited unless:
(i) There is prior affirmative consent from the recipient; or
(ii) The primary intent of the communication is for service and/or administrative announcements from
the sender to its existing users, subscribers or customers; or
(iii) The following conditions are present:
(aa) The commercial electronic communication contains a simple, valid, and reliable way for the
recipient to reject. receipt of further commercial electronic messages (opt-out) from the same source;
(bb) The commercial electronic communication does not purposely disguise the source of the
electronic message; and
(cc) The commercial electronic communication does not purposely include misleading information
in any part of the message in order to induce the recipients to read the message.
(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal
Code, as amended, committed through a computer system or any other similar means which may be
devised in the future.
SEC. 5. Other Offenses. — The following acts shall also constitute an offense:
(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who
willfully abets or aids in the commission of any of the offenses enumerated in this Act
shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any person who willfully
attempts to commit any of the offenses enumerated in this Act shall be held liable.

The following are the punishment for such acts:

SEC. 8. Penalties. — Any person found guilty of any of the punishable acts
enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment
of prison mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00)
up to a maximum amount commensurate to the damage incurred or both.
 Any person found guilty of the punishable act under Section 4(a)(5)
shall be punished with imprisonment of prison mayor or a fine of not
more than Five hundred thousand pesos (PhP500,000.00) or both.
If punishable acts in Section 4(a) are committed against critical
infrastructure, the penalty of reclusion temporal or a fine of at least Five
hundred thousand pesos (PhP500,000.00) up to maximum amount
commensurate to the damage incurred ornboth, shall be imposed.
Any person found guilty of any of the punishable acts enumerated in
Section 4(c)(1) of this Act shall be punished with imprisonment of prison
mayor or a fine of atleast Two hundred thousand pesos (PhP200,000.00)
but not exceeding One million pesos (PhP1,000,000.00) or both.
 Any person found guilty of any of the punishable acts enumerated in Section 4(c)(2) of
this Act shall be punished with the penalties as enumerated in Republic Act No. 9775 or the
“Anti-Child Pornography Act of 2009”: Provided, That the penalty to be imposed shall be
one (1) degree higher than that provided for in Republic Act No. 9775, if committed through
a computer system.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(3) shall
be punished with imprisonment of arresto mayor or a fine of at least Fifty thousand pesos
(PhP50,000.00) but not exceeding Two hundred fifty thousand pesos (PhP250,000.00) or
both.

Any person found guilty of any of the punishable acts enumerated in Section 5 shall be
punished with imprisonment one (1) degree lower than that of the prescribed penalty for the
offense or a fine of at least One hundred thousand pesos (PhP100,000.00) but not exceeding
Five hundred thousand pesos (PhP500,000.00) or both.
 The Data Privacy Act (RA 10173):

What is The Data Privacy Act of the

Philippines?
• The Data Privacy Act (DPA), or Republic Act No. 10173 was
passed by the Philippines Congress in 2012 and finally implemented
five years later in 2016. RA 10173 assures the ―free flow of
information to promote innovation and growthǁ(Republic Act. No.
10173, Ch. 1, Sec. 2) while protecting the users‘ fundamental rights
to privacy
The Data Privacy Act (RA 10173):

How is it implemented?
• RA 10173 protects and maintains the right of customers to
confidentiality by setting a legal list of rules for companies to
regulate the collection, handling, and disposal of all personal
information. Companies legally responsible for keeping their
customers‘ data protected from third parties or any form of misuse,
internally or externally.
 The Data Privacy Act (RA 10173):

What does that mean for data collectors/companies?

• The Act applies to any process of personal data by anyone in government or
private sectors.
• All personal data must have legitimate reasons for collection as well as should be
clear to both parties giving and receiving information. With that being said, all
collection must be done with the customer the customers‘ proper consent.
• All personal information used must also be relevant solely used for its intended
and state purposes. Companies must protect customer information from collection
to proper disposal, avoiding access from unauthorized parties.
The Data Privacy Act (RA 10173):

What is “personal information?”

“Personal information” refers to any information, whether recorded
in a material form or not, from which the identity of an individual is
apparent or can be reasonably and directly ascertained by the entity
holding the information, or when put together with other information
would directly and certainly identify an individualǁ (Republic Act. No.
10173, Ch. 1, Sec. 3)
 The Data Privacy Act (RA 10173):

What is “sensitive personal information?”

(1) About an individual‘s race, ethnic origin, marital status, age, color, and religious, philosophical
or political affiliations;
(2) About an individual‘s health, education, genetic or sexual life of a person, or to any proceeding
for any offense committed or alleged to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to,
social security numbers, previous or cm-rent health records, licenses or its denials, suspension or
revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept
classified.ǁ(Republic Act. No. 10173, Ch. 1, Sec. ).
The Data Privacy Act (RA 10173):

What is “consent?”
Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her. Consent
shall be evidenced by written, electronic or recorded means. It may also be given
on behalf of the data subject by an agent specifically authorized by the data
subject to do so (RA. No. 10173, Ch. 1, Sec. 1).
The Data Privacy Act (RA 10173):

What are the rights of the data subject?

The data subject or the individual sharing his/her personal information has to be
fully informed of several factors of the data collecting process. This list includes,
but isn‘t limited to:
(1) the reason for use
(2) methods for access
(3) the identity and contact details of the personal information controller
(4) how long the information will be stored for
(5) access to their rights.
The Data Privacy Act (RA 10173):

What steps do I need to take in compliance with the Data

Privacy Act?
Companies essentially have to ensure that their data collection methods are
flawless as well as consistently share the entire process with data subjects,
including a breach of security. To do this, companies should
1.Appointing a Data Protection Officer
2.Conducting a privacy impact assessment
3.Creating a privacy knowledge management program
4.Implementing a privacy and data protection policy
5.Exercising a breach reporting procedure
The Data Privacy Act (RA 10173):

What happens if I do not comply?

Improper/unauthorized processing, handling or disposal of personal

information can be penalized by imprisonment up to six years and a fine of
not less than Five hundred thousand pesos (PHP 500,000).
Sprout Solutions puts data privacy with the utmost priority and takes
advanced measures to maintain confidentiality in information handling