
Data Privacy Act - Bar Exam Guide


Source is now OFFICIAL.

Data Privacy Act is now covered under Mercantile Law for the 2019 Bar Examinations –
http://sc.judiciary.gov.ph/baradmission/2019/MERCANTILE-LAW.pdf

As a disclaimer, this guide is written from the standpoint of a privacy professional and
practitioner with experience in privacy law and practice, not from that of a lawyer or data
privacy attorney.

The coverage for the Data Privacy Act is as follows (based on unofficial sources):

1. Personal vs Sensitive Personal Information
2. Scope
3. Processing of Personal Information
4. Rights of a Data Subject

Some important topics under the Data Privacy Act and Privacy Law in general, which we have
already discussed (linked below), are not covered but are important to know:

1. Constitutional and Statutory Basis for the Right to Privacy under Philippine Law
(except the Data Privacy Act)
2. The Reasonable Expectation of Privacy Test (Pollo vs Constantino-David G.R.
181881, Oct. 18, 2011)
3. The Data Protection Officer – Roles, Responsibilities and Rights
4. Data Controller, Data Processor and Data Subjects (Tripartite privacy relationship)
5. Legal Basis for Processing of Personal Information
6. Cybercrime Warrants
7. Privacy Torts
8. Writ of Habeas Data
9. Mutual Legal Assistance Treaties and Letters Rogatory (for Public International Law)

Today we’re going to discuss the coverage for the Data Privacy Act specifically for the
2019 Bar Examinations.

Constitutional Basis
Under the most recent 1987 Philippine Constitution, the Right to Information and
Communications Privacy is recognized under Article III, Sec. 3(1), which states:

The privacy of communication and correspondence shall be inviolable except
upon lawful order of the court, or when public safety or order requires otherwise,
as prescribed by law.

Personal vs Sensitive Personal Information

Personal Information
Under Sec. 3(g) of the Data Privacy Act, Personal Information is defined as the following:

Refers to any information whether recorded in a material form or not, from which
the identity of an individual is apparent or can be reasonably and directly
ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.

Basically, personal information is anything that can identify an individual.

Examples are your name, ID number, online usernames, email address, phone number,
stage names, etc.

Sec. 3(g) applies to both paper-based and electronic records.

Personal information may also be pieces of information that, when aggregated with other
information, can reasonably identify an individual, based on substantial evidence from which
a prudent person may reasonably believe that such information is identifiable to a unique
individual.

Context is generally important, that is, how a piece of information is displayed or how it
appears. As a general rule, if such information can be reasonably traced back to an
individual, then it is personal information.

Sample Question: Juan Dela Cruz, a Filipino citizen, filled up a survey form. Such survey
form only asked about his favorite coffee flavors and how much he spends per week for
coffee. The survey also asked for his first name. Is the survey collecting personal
information?

Answer: No. First name by itself cannot reasonably identify an individual. Juan cannot be
identified from other persons named “Juan”. Nor can information about his favorite coffee
flavors and how much he spends for coffee, even if taken together with his first name, be
said to reasonably identify Juan.

However, if the survey asked for his full name, even if there is more than one (1) Juan
Dela Cruz in the Philippines, it is still considered as collecting personal information.

Sensitive Personal Information

Sensitive Personal Information are special categories of information and are classified
under Sec. 3(l) of the Data Privacy Act as follows:

Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been committed
by such person, the disposal of such proceedings, or the sentence of any court in
such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be
kept classified.

Sensitive personal information must be personal information. This means that it must be
able to identify an individual.

For example, health information such as a medical diagnosis or prognosis by itself is not
sensitive personal information unless there is a Patient ID or name of the patient together
with the health information that can be used to trace it back to an individual.

BIR, SSS, GSIS, PhilHealth and other government records are also classified as Sensitive
Personal Information.

Most people are confused about how to distinguish “sensitive personal information” from
“sensitive information” or “confidential information”.

Sensitive Personal Information (SPI) is enumerated by law, under Sec. 3(l) of the Data
Privacy Act. SPIs can be traced back to individuals.

Sensitive Information is any information that may cause harm or prejudice when disclosed
to an individual or the general public. This is not protected under the Data Privacy Act.

Examples are trade secrets and business-related information such as business records
which do not contain any personal information. It can also be government information
such as classified documents and national security related information.

Confidential information is specifically provided by law under the Rules of Court (such as
doctor-patient or attorney-client privilege) or statute (such as arbitration proceedings and
awards under the Domestic Arbitration Law). Generally, the effect of confidentiality is that
the information becomes inadmissible in any court, in any proceeding.

Scope

Scope is discussed under Sec. 4 of the Data Privacy Act.

x x x Applies to the processing of all types of personal information and to any
natural and juridical person involved in personal information processing including
those personal information controllers and processors who, although not found or
established in the Philippines, use equipment that are located in the Philippines,
or those who maintain an office, branch or agency in the Philippines x x x

Requisites

• Must involve any processing of personal information
• By either natural or juridical persons
• Either acting as a controller or processor
• Whether or not found in the Philippines that uses equipment or maintains an office,
  branch or agency in the Philippines.

What are the exceptions (Sec. 4)?

• Government employee data relating to their official functions and position
• Government contractor data
• Licenses or permits and any other discretionary benefit given by the government
• Processing of information for journalistic, artistic, literary or research purposes
• Personal information processed by public authorities relating to the performance of
  their constitutionally and statutorily mandated functions.
• Personal information processed for Anti-Money Laundering purposes
• Personal information originally collected from residents of foreign jurisdictions even if
  the personal information is processed in the Philippines
• Personal information relating to media sources (Sec. 5)

Extraterritorial application (Sec. 6)

Applies to entities within and outside of the Philippines when:

• Processing of personal information about a Philippine citizen or resident
• Processing of personal information when the entity has a link with the Philippines
  and such personal information is about a Philippine citizen or resident.
• Examples:
• Contract entered in the Philippines
• A foreign company with central management and control in the Philippines
• A Philippine subsidiary of a foreign company where the latter has access to
  personal information in the Philippines.
• Entity is doing business in the Philippines
• Personal information is collected by an entity in the Philippines

Processing of Personal Information

Principles of Transparency, Legitimate Purpose and Proportionality (Sec. 11)

• Transparency
  • The data subject must be aware of the nature, purpose, and extent of the
    processing of his or her personal data, including the risks and safeguards
    involved, the identity of personal information controller, his or her rights as a data
    subject, and how these can be exercised. Any information and communication
    relating to the processing of personal data should be easy to access and
    understand, using clear and plain language.
• Legitimate purpose
  • The processing of information shall be compatible with a declared and specified
    purpose which must not be contrary to law, morals, or public policy.
• Proportionality
  • The processing of information shall be adequate, relevant, suitable, necessary,
    and not excessive in relation to a declared and specified purpose. Personal data
    shall be processed only if the purpose of the processing could not reasonably be
    fulfilled by other means.

General principles in collection, processing and retention of personal information (Sec. 11)

• Collection must be for a declared, specified, and legitimate purpose.
• Personal data shall be processed fairly and lawfully.
• Processing should ensure data quality.
• Personal Data shall not be retained longer than necessary.
• Any authorized further processing shall have adequate safeguards.

Legal Basis for Processing of Personal Information (Sec. 12 and 13)

• Consent (express) – Processing of personal information with the express consent of the
  data subject; implied consent is not allowed. (Sec. 12(a) and 13(a))
• Contractual necessity – Processing in fulfillment of a contractual obligation (Sec.
  12(b))
• Legal obligation – Processing under a legal obligation by the personal information
  controller (Sec. 12(c) and 13(f))
• Vital interest – Processing to protect health and safety of the data subject (Sec.
  12(d) and 13(c) and 13(e))
• Public interest – Processing in the event of a national emergency, public order and
  safety (Sec. 12(e))
• Legitimate interest – Processing under legitimate interests pursued by the Personal
  Information Controller (Sec. 12(f))

Full details in my separate post here –
https://privacyph.net/2018/11/22/processing-of-personal-information-data-privacy-act/

General rule – Processing of sensitive Personal Information is prohibited except those
enumerated under Sec. 13.
