
DATA PRIVACY ACT OF 2012

WHY DATA PRIVACY ACT IS NECESSARY?
STAGES OF DATA PRIVACY GRIEF

VS
DATA PRIVACY ACT OF 2012
REPUBLIC ACT NO. 10173

• An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.

• This Act was passed in 2012 in the Philippines, and its implementing rules and regulations (IRRs) came into force on September 9, 2016.

• It also established the National Privacy Commission (NPC), which is tasked with implementing the provisions of the Act.

• This is intended to bring the Philippines to the next level and ensure compliance with international standards of data protection.
NATIONAL PRIVACY COMMISSION

• Department of Information and Communications Technology (DICT)
• Privacy Commissioner (Chairman of the Commission)
• Deputy Privacy Commissioners - Data Processing Systems
• Deputy Privacy Commissioners - Policies and Planning

COMMISSION’S ORGANIZATIONAL STRUCTURE


DETERMINE AUDIT SUBJECT

• Social media
• Cloud computing
• Mobile devices
• Big data analytics/machine learning/AI
• Internet of Things (IoT)
• Personal devices (bring your own device [BYOD])
• Tracking/surveillance technologies—drones, radio frequency identification (RFID) tags, closed circuit
television (CCTV), global positioning satellite (GPS) devices
WHY DATA PRIVACY IN AUDIT?
“WHEN IT COMES TO PRIVACY AND
ACCOUNTABILITY, PEOPLE ALWAYS
DEMAND THE FORMER FOR THEMSELVES
AND THE LATTER FOR EVERYONE ELSE.”

― DAVID BRIN
GENERAL DATA PRIVACY PRINCIPLES

TRANSPARENCY LEGITIMATE PURPOSE PROPORTIONALITY


DATA PRIVACY ACT SCOPE OF APPLICATION

PROCESSING OF ALL TYPES OF PERSONAL INFORMATION

• Any natural and juridical person
• Personal information controllers
• Personal information processors
• Those who are not in the Philippines but use equipment located in the Philippines.
• Those who maintain an office, branch or agency in the Philippines, subject to compliance with the requirements of Section 5 “Protection Afforded to Journalists and their sources”

EXTRATERRITORIAL (ACT DONE OR PRACTICE ENGAGED IN AND OUTSIDE OF THE PHILIPPINES)

• Philippine citizen or a resident’s personal information relating to an act, practice and processing.
• Philippine citizens’ or residents’ personal information processed within or outside the Philippines by the linked entity
• The entity has other links in the Philippines
• The entity carries on business in the Philippines
• The personal information was collected or held by an entity in the Philippines.
SIGNIFICANT IN DATA PROCESSING

CONSENT CONTROLLER

PERSONAL AND/ OR
SENSITIVE INFORMATION
PRIVILEGED
INFORMATION

PROCESSOR
CRITERIA OF LAWFUL PROCESSING OF PERSONAL INFORMATION

• The data subject has given his or her consent
• The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
• The processing is necessary for compliance with a legal obligation to which the personal information controller is subject
• The processing is necessary to protect vitally important interests of the data subject, including life and health
• The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority;
• The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed

CONSENT | FULFILLMENT OF A CONTRACT | LEGAL OBLIGATION’S COMPLIANCE | IMPORTANT INTERESTS VITAL PROTECTION | RESPONDING NATIONAL EMERGENCY AND LEGITIMATE INTERESTS PURPOSES
R.A. No. 10173’s Application

• Information about any individual who is or was an officer or employee of a government institution
• Information about an individual who is or was performing service under contract for a government institution
• Information relating to any discretionary benefit of a financial nature
• Personal information processed
• Information necessary in order to carry out the functions of public authority
• Information necessary for banks and other financial institutions
• Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
RELATING TO THE POSITION OR FUNCTIONS

• The fact that the individual is or was an officer or employee of the government institution;
• The title, business address and office telephone number of the individual;
• The classification, salary range and responsibilities of the position held by the individual
• The name of the individual on a document prepared by the individual in the course of employment with the government;

• Terms of the contract
• Name of the individual given in the course of the performance of those services

• Name of the individual
• Granting of a license or permit given by the government
• The exact nature of the benefit
• Journalistic
• Artistic
• Literary
• Research purposes

• Central monetary authority
• Law enforcement
• Independent and regulatory agencies
• Processing personal data

INDEPENDENT CENTRAL MONETARY AUTHORITY
DATA SUBJECT’S RIGHTS
PENALTIES
VIDEO SLIDE
Link to Philippine Law: https://www.lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html
