data+privacy+law


A Summary of RA No. 10173 or the Data Privacy Act of 2012

Filipinos spend an average of 10 hours and 2 minutes each day online, the highest in
the world, according to recent data. The Philippines also tops social media use for the
fourth straight year. Vast amounts of personal information from the Philippines,
including photos of daily activities, are freely circulating the Web.

What has the country done to ensure privacy and data protection?

In 2012, the Philippines passed Republic Act No. 10173 or the Data Privacy Act of 2012
(DPA) “to protect the fundamental human right to privacy of communication while
ensuring free flow of information to promote innovation and growth [and] the [State’s]
inherent obligation to ensure that personal information in information and
communications systems in government and in the private sector are secured and
protected”.

The DPA was passed in accordance with the Philippines' agreements under ASEAN
Vision 2020 and at the urging of the growing business process outsourcing industry.
The law was modeled after the Data Protection Directive (95/46/EC) with many of its
terminologies and provisions similar to privacy laws in other jurisdictions.

What acts are covered by the DPA?


The DPA and its Implementing Rules and Regulations (IRR) apply to all acts done or
practices engaged in, within and outside of the Philippines, if:

• The person, either an individual or an institution, involved in the processing of
personal data is located in the Philippines;
• The act or practice involves personal data of a Philippine citizen or Philippine
resident;
• The processing of personal data is done in the Philippines; or
• The act, practice or processing of personal data is done by an entity with links to the
Philippines, subject to international law and comity.

“Personal data” refers to all types of personal information.

“Processing” is any operation or set of operations performed upon personal data. These
operations include, but are not limited to, the collection, recording, organization, storage,
updating or modification, retrieval, consultation, use, consolidation, blocking,
erasure, or destruction of data.

Who implements the DPA?


The National Privacy Commission (NPC) is in charge of administering and implementing
the DPA. It is also tasked to monitor and ensure compliance of the Philippines with
international standards for personal data protection. The major functions of the NPC are
as follows:

1. Rule making.
2. Advisory. The NPC is the advisory body on matters related to personal data
protection.
3. Public education. The NPC shall launch initiatives to educate the public about
data privacy, data protection and fair information rights and responsibilities.
4. Compliance and monitoring. The body has compliance and monitoring functions
to ensure personal information controllers comply with the law. It is also tasked to
manage the registration of personal data processing systems.
5. Complaints and investigations.
6. Enforcement.

“Personal information controller” is an individual or institution, or any other body who
controls the processing of personal data, or instructs another to process personal data
on its behalf.

How to comply with the Data Privacy Act?


If you are a personal information controller, you are required to comply with the
following in accordance with the law:

Registration of data processing systems (DPS). An individual or institution employing
fewer than 250 employees need not register unless its data processing operations:
involve sensitive personal information of at least 1,000 individuals; are likely to pose a risk
to the rights and freedoms of data subjects; or the processing is not occasional.

Notification of automated processing operations where the processing becomes the
sole basis of making decisions about a data subject and when the decisions would
significantly affect the data subject. A “data subject” is an individual whose personal,
sensitive personal or privileged information is processed.

NOTE: No decision with legal effects concerning a data subject shall be made solely on
the basis of automated processing without the consent of the data subject. The consent
may be in written, electronic or recorded form. It may be given by a lawful
representative or agent.

Appointment of a Data Protection Officer in charge of ensuring compliance with the
DPA;

Creation of a data breach response team that will immediately address security
incidents or personal data breach;

Adoption of data protection policies that provide for data security measures and
security incident management;

Annual report of the summary of documented security incidents and personal data
breaches; and

Compliance with other requirements as may be provided by the NPC.

What should you do in the event of a data breach?


The law requires that the NPC and the data subject be notified of a data breach within 72 hours
upon knowledge of the breach or reasonable belief that it has occurred. The
notification is generally required when the breach involves sensitive personal
information or any other information that may be used to enable identity fraud; this
information has been acquired by an unauthorized person; and the acquisition is likely
to give rise to a real risk of serious harm to the affected data subject.

The NPC may investigate the breach, depending on its nature or if there is a delay or
failure to notify. Inquiries may include on-site examination of systems and procedures.

The Philippines has a relatively young data privacy regime. The Data Privacy Act, as
well as RA No. 10175 or the Cybercrime Prevention Act, was only enacted in 2012,
although some countries passed data protection laws as early as the 70s. The
Philippines’ regulatory body, the NPC, was formally organized only in 2016 and issued
IRRs and circulars in the same year. Nevertheless, the country is on its way to
developing a stable framework of privacy protection as technological innovations
liberalize information sharing.

Need help with your data security? Contact ECCI today!
