Tonisito M.C. Umali, Esq.

Undersecretary for Legislative Affairs,
External Partnerships and Schools Sports
Article III Sec. 3, 1987 Constitution

The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law.
Article III Sec. 2, 1987 Constitution

The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized.
Data Privacy Act

Sec. 2. The Data Privacy Act of 2012 (Republic Act No. 10173) was enacted to protect one's fundamental right to privacy of communication while ensuring free flow of information in order to promote innovation and growth.

The State recognizes its inherent obligation to secure and protect personal information in the various systems used by and in the government and private sector.
Scope of the Data Privacy Act

Processing of all types of personal information

Natural or juridical person involved in personal information processing

***Juridical Person
refers to the State and its political subdivisions; other corporations, institutions and entities for public interest or purpose, created by law, whose personality begins as soon as they have been constituted according to law; and corporations, partnerships and associations for private interest or purpose to which the law grants a juridical personality, separate and distinct from that of each of its shareholders, partners or members, as provided by the New Civil Code of the Philippines.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-021
14 June 2017

Are cooperatives registered under the Cooperative Development Authority (CDA) covered by the DPA?

The DPA applies to any natural or juridical person involved in personal information processing, including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.

Upon examination of the nature of information handled by the CDA and cooperatives, it is clear that cooperatives may be considered as personal information controllers (PICs) who collect, hold, process and use personal information of its
DPA and its IRR on DepEd

Pursuant to the Implementing Rules and Regulations (IRR) of the DPA and other related issuances, the National Privacy Commission (NPC) requires the Department of Education (DepEd) to:
• register its personal information processing systems;
• regularly conduct privacy impact assessments (PIA) on the said processes;
• collate and report data security incidents to the Commission; and
• establish its own data privacy manual.
Scope of the Data Privacy Act

For the Department of Education:

The DPA shall cover all personal data and information processed in and by the Department and shall apply to all levels of governance in basic education as provided under the Governance of Basic Education Act of 2001 (Republic Act No. 9155) - at the Central (CO), Region (RO), Division (DO), and District offices (PSDS), respectively, and in schools.

As mandated by law, private schools are also required to establish their respective privacy manuals in accordance with the Data Privacy Act of 2012. In the absence of a privacy manual, private schools are encouraged to adopt this manual and its applicable provisions.
Scope of the Data Privacy Act

The DPA does not apply to:

Section 5. Special Cases.
Information processed for the purpose of allowing public access to information that falls within matters of public concern:
1. Information about any individual or person who is or was an officer or employee of the government that relates to his or her position or function
2. Information about any individual who is or was performing a service under contract for a government institution (the service, the name of the individual and the terms of his or her contract)
3. Information relating to a benefit of a financial nature conferred on an individual upon the discretion of the government.
Scope of the Data Privacy Act

Provided, that the non-applicability of the Act or these Rules do not extend to personal information controllers or personal information processors, who remain subject to the requirements of implementing security measures for personal data protection: Provided further, that the processing of the information provided in the preceding paragraphs shall be exempted from the requirements of the Act only to the minimum extent necessary to achieve the specific purpose, function, or
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

What does the following paragraph of Section 5 of the IRR mean? How do we interpret or implement this?

"Section 5. Special Cases. The Act and these Rules shall not apply to the following specified information, only to the minimum extent of collection, access, use, disclosure, or other processing necessary to the purpose, function, or activity concerned:"

(Items as mentioned in previous slides 9 and 10)

Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

The exemptions are not blanket exemptions. These are limited to the minimum extent necessary to achieve the specific purpose, function or activity.

This is interpreted to the effect that there is a presumption that personal data may be lawfully processed by a personal information controller or processor under the special cases provided (above), but the processing shall be limited to achieving the specific purpose, function or activity, and the personal information controller or processor remains subject to the requirements of implementing measures to secure and protect personal data.
Key Roles in the Data Privacy Act

An individual whose personal, sensitive personal, or privileged information is
e.g. learners, personnel,

The National Privacy Commission as established by the Data Privacy Act of 2012.

Controls the processing of personal data, or instructs another to process personal data on its behalf.
e.g. DepEd
Classification of Personal Information

Personal Information

Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-41
14 August 2017

Are publicly available personal data, specifically those posted on social media sites and published in news articles, magazines and other reading materials available to the public, covered by

We believe that the provisions of the DPA are still applicable even for those personal data which are available in the public domain…

There is no express mention that personal data which is available publicly is outside of its scope. Thus, "it is a misconception that publicly accessible personal data can be further used or disclosed for any purpose whatsoever without regulation." (Office of the Privacy for Personal Data, Hong Kong)
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-41
14 August 2017

With this, we believe that the personal information controller (PIC) which collects and processes personal data from the public domain must still observe the requirements under the law, specifically on the lawful processing of personal, sensitive personal and privileged information…

Thus, even if the data subject has provided his or her personal data in a publicly accessible platform, this does not mean he or she has given blanket consent for the use of his or her personal data for whatever purposes.
Classification of Personal Information

Sensitive Personal Information

1. Individual's race, ethnic origin, marital status, age, complexion, and religious, philosophical or political affiliations

2. Individual's health, education, genetic or sexual life of a person, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings

3. Issued by government agencies peculiar to an individual, such as: social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns

4. Specifically established by an Executive Order or an act of Congress to be kept classified.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

How do we interpret the definition of sensitive personal information, particularly with respect to offenses committed or alleged to have been committed (Sec. 3 (t)(2), IRR)? Are we not allowed to publish reports on cases or complaints filed by (government-run entity) in court or other tribunal?

"Section 3.(t)(2) About an individual's health and education, genetic, or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;"
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2017-35
27 July 2017

We believe that (government-run entity's) processing of sensitive personal information, which may include the publication of reports containing the same, is allowed under Section 13(b) and (f) above, i.e. the processing of the same is provided for by existing laws and regulations, and the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise and defense of legal claims, or when provided to government or public authority, respectively.

If it is within the mandate of (government-run entity) to publish reports on cases or complaints filed by the (government-run entity) in order to inform the public, the DPA will not operate to hinder the said mandate.
Classification of Personal Information
Privileged Information
Any and all forms of data which constitute privileged communication
under the Rules of Court, such as but not limited to:
• marital privilege
• lawyer-client privilege
• doctor-patient privilege
• priest-penitent privilege
• state secret rule and newsman shield rule
• privileged information rooted in separation of powers of
the branches of the government
• information on military and diplomatic secrets
• information affecting national security
• information on investigations of crimes by law
enforcement agencies before the prosecution of the
• trade and industrial secrets
General Principles of the Data Privacy Act

1. Transparency

The data subject must be aware of:
• the nature, purpose, and extent of the processing
• the risks and safeguards involved
• the identity of the authorized personnel of the
• his or her rights
• how these rights shall be exercised
General Principles of the Data Privacy Act

2. Legitimate Purpose

The processing of information shall be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy.

3. Proportionality

The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

Do not overcollect.
Advisory Opinion
Privacy Policy Office
Advisory Opinion No. 2018-008
02 April 2018

Letter seeking to clarify whether the employer's disclosure of the list of employees with their corresponding salary to the (Government Office) is in consonance with RA 10173, its IRR and relevant issuances.

Upon evaluation, the personal information being requested by the (Government Office) satisfies the general data privacy principles of transparency, legitimacy and proportionality.

First, the collection and processing of personal information is pursuant to a statutory mandate.
Second, there is an assurance that the personal information collected will be stored securely and kept confidential.
Third, the information requested is relevant and necessary to enable the (Government Office) to accurately compute and determine the (purpose of disclosure as stated) from every employee.
The Data Life Cycle

The Data Life Cycle should be based on the Department of Education Records' Retention Period and Disposition Schedule.

Talk Excerpt
Commissioner Raymund Liboro on Data Life Cycle:

Focusing on the tendency of government (including the private sector) to over-collect personal information, Liboro reminded everyone that there is a Data Life

The Data Life Cycle includes the proper and secure disposal of personal data that have already served its

"Data has a life. It has a beginning and it has an end," Liboro said.
Privacy Policy Office
Advisory Opinion No. 2017-54
11 September 2017
Privacy Policy Office
Advisory Opinion No. 2018-015
12 April 2018
Commit to comply: Appoint a Data Protection Officer

Know your risks: Conduct a Privacy Impact Assessment

Be Accountable: Write your Privacy Management Program and Privacy Manual

Demonstrate your Compliance: Implement Privacy and Data Protection Measures

Be Prepared for Breach: Regularly Exercise your Breach Reporting Process
Prohibited Acts and Penalties
Cases of Identity Theft
Russian Cyber Hacker Pleads Guilty in Identity Theft Case (Las Vegas)

"A Russian cybercriminal identified as a leader of a $50 million identity theft and credit card fraud ring has pleaded guilty in Atlanta to helping to steal millions of debit card numbers and swiftly loot accounts in cities around the world, federal authorities said."

"In the Georgia case, he admitted working with hackers who in November 2008 stole 45.5 million debit card numbers from an Atlanta-based credit and debit transactions processing company. Within 12 hours, thieves withdrew more than $9.4 million from 2,100 ATMs in 280 cities around the world, prosecutors said."
The Case of Anndorie Sachs

"Anndorie Sachs was the victim of medical identity theft, a growing and alarming trend in identity theft-related crime. Someone stole her driver's license, walked into a hospital and delivered a baby, leaving her with a $10,000 bill in her name. According to leading identity theft experts, millions of people find themselves being the victim of this uncommon form of identity theft where people use stolen identities to receive medical treatment. Since the rise in medical identity theft, many hospitals and other medical facilities began requiring multiple proofs of identity before admitting patients for treatment. Millions of people have found themselves saddled in debt because of this form of identity theft. Many people have been able to defraud medical facilities and insurance companies out of treatments and prescriptions using someone else's name."
The Case of Raphael Golb

"Raphael Golb, a New York University religious studies professor and the son of a respected Jewish studies scholar, was charged with 51 counts of identity theft, aggravated harassment, criminal impersonation, forgery and unauthorized use of computers in an NYU library after authorities alleged that he used fake online personalities to defend his father's intellectual contributions. According to documents filed in a New York City courthouse, Golb engaged in an online campaign using fake aliases, names and plagiarized documents in order to defend his father's intellectual contributions and theories surrounding the ancient Dead Sea Scrolls. Golb's father, a world-renowned scholar based out of the University of Chicago, holds a minority opinion on the origin of the Dead Sea Scrolls. After feeling that his father's intellectual contributions were being deliberately left out of mainstream coverage, Golb took to the internet to engage in a relentless campaign using fake aliases to defend his father's name."
Public School Teacher in Debt because of Identity Theft (Philippines)

"A public school teacher may be a victim of identity theft as he owes three banks P800,000 for loans he did not apply for, according to a report by John Consulta on GMA-7's "24 Oras" on Friday.
Mark Joseph Lontok said he received notifications from three banks saying that he borrowed a total of P800,000 in salary loans. He denied applying for the loans.
However, Lontok remembered posting a photo of his Professional Regulation Commission (PRC) ID online."
Man Arrested for Credit Card Fraud, Identity

"The PNP-Anti Cybercrime Group (PNP-ACG) has arrested a 44-year-old man for credit card fraud and identity theft.
Gabriel Mackay was caught red-handed accepting the delivery of a credit card replacement in his residence in Recto, Manila earlier Thursday.
The suspect's modus is to call the credit card company, pretend to be a legitimate card holder and ask for a replacement card to be delivered to his address."
OFW Won't Get Back Money He Lost through Internet Banking

"Two months after losing almost P50,000 from internet banking, overseas Filipino worker Stephen Yu is still struggling to get his money back, which he might not be able to do because the bank refuses to pay for it.
Instead, 31-year-old Yu said he was offered by local banking giant Banco de Oro Unibank Inc. P25,000 worth of gift cheques as a "sign of good will.""
Thank you!