Government Data Sharing Law
SECTION 2. Scope. The provisions of this Circular shall only apply to personal data under the control
or custody of a government agency that is being shared with or transferred to a third party, for the
purpose of performing a public function, or providing of a public service: Provided, that it shall also
cover personal data under the control or custody of a private entity that is being shared with or
transferred to a government agency: Provided further, that where the personal data is in the custody of
a personal information processor, the sharing or transfer of personal data shall only be allowed if it is
pursuant to the instructions of the personal information controller concerned. Data sharing
agreements exclusively between private entities, or those for purpose of research, shall be in accordance
with the Implementing Rules and Regulations of the Data Privacy Act of 2012, or other issuances of the
National Privacy Commission.
Definition of Terms:
A. “Data sharing” is the disclosure or transfer to a third party of personal data under the control
or custody of a personal information controller: Provided, that a personal information processor
may be allowed to make such disclosure or transfer if it is upon the instructions of the personal
information controller concerned. The term excludes outsourcing, or the disclosure or transfer
of personal data by a personal information controller to a personal information processor;
B. “Data Sharing Agreement” refers to a contract, joint issuance, or any similar document that
contains the terms and conditions of a data sharing arrangement between two or more
parties: Provided, that only personal information controllers shall be made parties to a data
sharing agreement;
C. “Personal information controller” refers to a natural or juridical person, or any other body who
controls the processing of personal data, or instructs another to process personal data on its
behalf. The term excludes:
A. A natural or juridical person, or any other body, who performs such functions as
instructed by another person or organization; or
B. A natural person who processes personal data in connection with his or her personal,
family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information
is collected, or the purpose or extent of its processing; For the purpose of this Circular, each
party to a data sharing agreement shall be considered a personal information controller.
SECTION 4. Consent. The personal information controller charged with the collection of personal data
directly from the data subject, on its own or through a personal information processor, shall obtain the
consent of the data subject prior to collection and processing, except where such consent is not required
for the lawful processing of personal data, as provided by law. The personal information controller
may request an advisory opinion from the Commission in determining whether the data sharing
requires consent from the data subject. The data subject shall be provided with the following
information prior to collection or before his or her personal data is shared:
A. Identity of the personal information controllers or personal information processors that will be
given access to the personal data;
B. Purpose of data sharing;
C. Categories of personal data concerned;
D. Intended recipients or categories of recipients of the personal data;
E. Existence of the rights of data subjects, including the right to access and correction, and the right
to object; and
F. Other information that would sufficiently notify the data subject of the nature and extent of data
sharing and the manner of processing.
SECTION 6. Content of a Data Sharing Agreement. A data sharing agreement shall be in writing and
must comply with the following conditions:
A. It shall specify, with due particularity, the purpose or purposes of the data sharing agreement,
including the public function or public service the performance or provision of which the
agreement is meant to facilitate: Provided, that if the purpose includes the grant of online
access to personal data, or if access is open to the public or private entities, these shall also
be clearly specified in the agreement.
B. It shall identify all personal information controllers that are party to the agreement, and for every
party, specify:
1. the type of personal data to be shared under the agreement;
2. any personal information processor that will have access to or process the personal
data, including the types of processing it shall be allowed to perform;
3. how the party may use or process the personal data, including, but not limited to,
online access;
4. the remedies available to a data subject, in case the processing of personal data violates
his or her rights, and how these may be exercised;
5. the designated data protection officer or compliance officer.
C. It shall specify the term or duration of the agreement, which may be renewed on the ground
that the purpose or purposes of such agreement continues to exist: Provided, that in no case shall
such term or any subsequent extensions thereof exceed five (5) years, without prejudice to
entering into a new data sharing agreement.
D. It shall contain an overview of the operational details of the sharing or transfer of personal
data under the agreement. Such overview must adequately explain to a data subject and the
Commission the need for the agreement, and the procedure that the parties intend to observe in
implementing the same.
E. It shall include a general description of the security measures that will ensure the protection of
the personal data of data subjects, including the policy for retention or disposal of records.
F. It shall state how a copy of the agreement may be accessed by a data subject: Provided, that
the government agency may redact or prevent the disclosure of any detail or information that
could endanger its computer network or system, or expose to harm the integrity, availability or
confidentiality of personal data under its control or custody. Such information may include the
program, middleware and encryption method in use, as provided in the next succeeding
paragraph.
G. If a personal information controller shall grant online access to personal data under its control or
custody, it shall specify the following information:
1. Justification for allowing online access;
2. Parties that shall be granted online access;
3. Types of personal data that shall be made accessible online;
4. Estimated frequency and volume of the proposed access; and
5. Program, middleware and encryption method that will be used.
H. It shall specify the personal information controller responsible for addressing any
information request, or any complaint filed by a data subject and/or any investigation by the
Commission: Provided, that the Commission shall make the final determination as to which
personal information controller is liable for any breach or violation of the Act, its IRR, or any
applicable issuance of the Commission.
I. It shall identify the method that shall be adopted for the secure return, destruction or
disposal of the shared data and the timeline therefor.
J. It shall specify any other terms or conditions that the parties may agree on.
SECTION 7. Online Access. Where a government agency grants online access to personal data under its
control or custody, such access must be done via a secure encrypted link. The government agency
concerned must deploy middleware that shall have full control over such online access.
SECTION 8. Transfer of Personal Data. Where a data sharing agreement involves the actual transfer of
personal data or a copy thereof from one party to another, such transfer shall comply with the security
requirements imposed by the Act, its IRR, and all applicable issuances of the Commission.
SECTION 9. Responsibility of the Parties. All parties to a data sharing agreement shall comply with the
Act, its IRR, and all applicable issuances of the Commission, including putting in place adequate
safeguards for data privacy and security. The designated data protection officer shall be accountable for
ensuring such compliance. In the case of a government agency, the head of agency shall be responsible
for complying with the security requirements provided in the Act, its IRR and all applicable issuances of
the Commission.
SECTION 10. Accountability for Cross-border Transfer of Personal Data. Each party to a data sharing
agreement shall be responsible for any personal data under its control or custody, including those it has
outsourced or subcontracted to a personal information processor. This extends to personal data it shares
with or transfers to a third party located outside the Philippines, subject to cross-border arrangement and
cooperation.
SECTION 11. Prior Consultation. Prior to the execution of a data sharing agreement, the parties thereto
may consult with and invite comments thereon from:
A. the Commission;
B. any person or organization that the parties to the proposed data sharing agreement recognize as
representing the interests of the classes of data subjects whose personal data will be shared under
the proposed agreement; and
C. any other person or organization whose view or opinion the parties to the proposed data sharing
agreement deem necessary.
Failure to conduct prior consultation by the parties shall not invalidate a data sharing
agreement: Provided, however, that in the event of a breach or a reported violation of the Act, its IRR, or
any issuance by the Commission, the latter shall take into account the conduct of such consultation in
evaluating the circumstances surrounding the violation.
SECTION 12. Security of Personal Data. Data sharing shall only be allowed where there are adequate
safeguards for data privacy and security. The parties to a data sharing agreement shall use contractual or
other reasonable means to ensure that personal data is covered by a consistent level of protection when it
is shared or transferred.
SECTION 13. Review by the Commission. A data sharing agreement shall be subject to a review by the
Commission, on its own initiative or upon a complaint by a data subject.
SECTION 14. Mandatory Periodic Review. The terms and conditions of a data sharing agreement shall
be subject to a mandatory review by the parties thereto upon the expiration of its term, and any
subsequent extensions thereof. The parties shall document and include in its records:
A. reason for terminating the agreement or, in the alternative, for renewing its term; and
B. in case of renewal, any changes made to the terms and conditions of the agreement.
SECTION 15. Revisions and Amendments. Revisions or amendments to a data sharing agreement while
it is still in effect shall follow the same procedure observed in the creation of a new agreement.
Nothing in this Section shall prevent the Commission from ordering motu proprio the termination of any
data sharing agreement when a party is determined to have breached any of its provisions, or when the
agreement is in violation of the Act, its IRR, or any applicable issuance by the Commission.
SECTION 18. Penalties. Violations of these Rules shall, upon notice and hearing, be subject to
compliance and enforcement orders, cease and desist orders, temporary or permanent ban on the
processing of personal data, or payment of fines in accordance with the schedule to be published by the
Commission. Failure to comply with the provisions of this Circular may be a ground for administrative
and disciplinary sanctions against any erring public officer or employee in accordance with existing laws
or regulations. The commencement of any action under this Circular is independent and without prejudice
to the filing of any action with the regular courts or other quasi-judicial bodies.
SECTION 19. Transitory Period. Upon the effectivity of this Circular, all existing data sharing
arrangements shall be reviewed by the concerned parties to determine compliance with its provisions.
Where an existing data sharing arrangement is not covered by any written contract, joint issuance, or any
similar document, the parties thereto shall execute or enter into the appropriate agreement pursuant to the
provisions of this Circular. Where an existing data sharing agreement is evidenced by a contract, joint
issuance, or any similar document, but fails to comply with the provisions of this Circular, the parties
thereto shall make the necessary revisions or amendments. An existing data sharing agreement found to
be compliant with this Circular, except for the requirements set out in Section 4 (Consent) hereof, shall be
allowed to continue until the expiration of such agreement or within two (2) years from the effectivity of
this Circular, whichever is earlier, subject to the immediately succeeding paragraph: Provided, that any
renewal or extension of such agreement shall comply with all the provisions of this Circular. In all cases,
the personal information controller that collected the personal data directly from the data subjects shall, at
the soonest practicable time, notify and provide the data subjects whose personal data were shared or
transferred without their consent with all the information set out in Section 4 (Consent) of this
Circular: Provided, that where individual notification is not possible or would require a disproportionate
effort, the personal information controller may seek the approval of the Commission to use alternative
means of notification: Provided, further, that the personal information controller shall establish means
through which the data subjects can exercise their rights and obtain more detailed information relating to
the data sharing agreement. If an existing data sharing arrangement is not for the purpose of performing a
public function or providing a public service, the parties thereto shall immediately terminate the sharing
or transfer of personal data. Any or all related contracts predicated on the existence of such arrangement
shall likewise be terminated for being contrary to law.