OBLI Assignment


Republic Act 10173 – Data Privacy Act of 2012

CHAPTER I – GENERAL PROVISIONS


SECTION 1. Short Title.
SECTION 2. Declaration of Policy.
SECTION 3. Definition of Terms.
SECTION 4. Scope.
SECTION 5. Protection Afforded to Journalists and Their Sources.
SECTION 6. Extraterritorial Application.
CHAPTER II – THE NATIONAL PRIVACY COMMISSION
SECTION 7. Functions of the National Privacy Commission.
SECTION 8. Confidentiality.
SECTION 9. Organizational Structure of the Commission.
SECTION 10. The Secretariat.
CHAPTER III – PROCESSING OF PERSONAL INFORMATION
SECTION 11. General Data Privacy Principles.
SECTION 12. Criteria for Lawful Processing of Personal Information.
SECTION 13. Sensitive Personal Information and Privileged Information.
SECTION 14. Subcontract of Personal Information.
SECTION 15. Extension of Privileged Communication.
CHAPTER IV – RIGHTS OF THE DATA SUBJECT
SECTION 16. Rights of the Data Subject.
SECTION 17. Transmissibility of Rights of the Data Subjects.
SECTION 18. Right to Data Portability.
SECTION 19. Non-Applicability.
CHAPTER V – SECURITY OF PERSONAL INFORMATION
SECTION 20. Security of Personal Information.
CHAPTER VI – ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
SECTION 21. Principle of Accountability.
CHAPTER VII – SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
SECTION 22. Responsibility of Heads of Agencies.
SECTION 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.
SECTION 24. Applicability to Government Contractors.
CHAPTER VIII – PENALTIES
SECTION 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.
SECTION 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence.
SECTION 27. Improper Disposal of Personal Information and Sensitive Personal Information.
SECTION 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes.
SECTION 29. Unauthorized Access or Intentional Breach.
SECTION 30. Concealment of Security Breaches Involving Sensitive Personal Information.
SECTION 31. Malicious Disclosure.
SECTION 32. Unauthorized Disclosure.
SECTION 33. Combination or Series of Acts.
SECTION 34. Extent of Liability.
SECTION 35. Large-Scale.
SECTION 36. Offense Committed by Public Officer.
SECTION 37. Restitution.
CHAPTER IX – MISCELLANEOUS PROVISIONS
SECTION 38. Interpretation.
SECTION 39. Implementing Rules and Regulations (IRR).
SECTION 40. Reports and Information.
SECTION 41. Appropriations Clause.
SECTION 42. Transitory Provision.
SECTION 43. Separability Clause.
SECTION 44. Repealing Clause.
SECTION 45. Effectivity Clause.

Republic of the Philippines
Congress of the Philippines
Metro Manila
Fifteenth Congress
Second Regular Session

Begun and held in Metro Manila, on Monday, the twenty-fifth day of July, two thousand eleven.

[REPUBLIC ACT NO. 10173]

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

Be it enacted, by the Senate and House of Representatives of the Philippines in Congress assembled:

CHAPTER I
GENERAL PROVISIONS

SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.

SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective meanings hereafter set forth:

(a) Commission shall refer to the National Privacy Commission created by virtue of this Act.

(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

(c) Data subject refers to an individual whose personal information is processed.

(d) Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

(e) Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

(f) Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.

(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

(k) Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

(l) Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.

SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;

(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and

(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and

(2) The personal information was collected or held by an entity in the Philippines.

CHAPTER II
THE NATIONAL PRIVACY COMMISSION

SEC. 7. Functions of the National Privacy Commission. – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, which shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of this Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;

(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index and other finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.

SEC. 9. Organizational Structure of the Commission. – The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.

The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.

SEC. 10. The Secretariat. – The Commission is hereby authorized to establish a Secretariat. Majority of the members of the Secretariat must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).

CHAPTER III
PROCESSING OF PERSONAL INFORMATION

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.

SEC. 15. Extension of Privileged Communication. – Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

CHAPTER IV
RIGHTS OF THE DATA SUBJECT

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated,

data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.

SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.

CHAPTER V
SECURITY OF PERSONAL INFORMATION

SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.

(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.
false, unlawfully obtained or unauthorized use of personal information. (2) The Commission may exempt a personal information controller from notification where,
in its reasonable judgment, such notification would not be in the public interest or in the
SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the interests of the affected data subjects.
data subject may invoke the rights of the data subject for, which he or she is an heir or
assignee at any time after the death of the data subject or when the data subject is (3) The Commission may authorize postponement of notification where it may hinder the
incapacitated or incapable of exercising the rights as enumerated in the immediately progress of a criminal investigation related to a serious breach.
preceding section.
Back To Top
SEC. 18. Right to Data Portability. – The data subject shall have the right, where personal CHAPTER VI
information is processed by electronic means and in a structured and commonly used format, ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
to obtain from the personal information controller a copy of data undergoing processing in
an electronic or structured format, which is commonly used and allows for further use by the
SEC. 21. Principle of Accountability. – Each personal information controller is responsible
for personal information under its control or custody, including information that have been
transferred to a third party for processing, whether domestically or internationally, subject
to cross-border arrangement and cooperation.

(a) The personal information controller is accountable for complying with the requirements
of this Act and shall use contractual or other reasonable means to provide a comparable level
of protection while the information are being processed by a third party.

(b) The personal information controller shall designate an individual or individuals who are
accountable for the organization’s compliance with this Act. The identity of the individual(s)
so designated shall be made known to any data subject upon request.

CHAPTER VII
SECURITY OF SENSITIVE PERSONAL
INFORMATION IN GOVERNMENT

SEC. 22. Responsibility of Heads of Agencies. – All sensitive personal information
maintained by the government, its agencies and instrumentalities shall be secured, as far as
practicable, with the use of the most appropriate standard recognized by the information and
communications technology industry, and as recommended by the Commission. The head of
each government agency or instrumentality shall be responsible for complying with the
security requirements mentioned herein while the Commission shall monitor the compliance
and may recommend the necessary action in order to satisfy the minimum standards.

SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal
Information. – (a) On-site and Online Access – Except as may be allowed through guidelines
to be issued by the Commission, no employee of the government shall have access to sensitive
personal information on government property or through online facilities unless the
employee has received a security clearance from the head of the source agency.

(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission,
sensitive personal information maintained by an agency may not be transported or accessed
from a location off government property unless a request for such transportation or access is
submitted and approved by the head of the agency in accordance with the following
guidelines:

(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head
of an agency, such head of the agency shall approve or disapprove the request within two (2)
business days after the date of submission of the request. In case there is no action by the
head of the agency, then such request is considered disapproved;

(2) Limitation to One thousand (1,000) Records – If a request is approved, the head of the
agency shall limit the access to not more than one thousand (1,000) records at a time; and

(3) Encryption – Any technology used to store, transport or access sensitive personal
information for purposes of off-site access approved under this subsection shall be secured by
the use of the most secure encryption standard recognized by the Commission.

The requirements of this subsection shall be implemented not later than six (6) months after
the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. – In entering into any contract that may
involve accessing or requiring sensitive personal information from one thousand (1,000) or
more individuals, an agency shall require a contractor and its employees to register their
personal information processing system with the Commission in accordance with this Act
and to comply with the other provisions of this Act including the immediately preceding
section, in the same manner as agencies and government employees comply with such
requirements.

CHAPTER VIII
PENALTIES

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal
Information. – (a) The unauthorized processing of personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who process personal information without the
consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by
imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Four million pesos
(Php4,000,000.00) shall be imposed on persons who process personal information without the
consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to
Negligence. – (a) Accessing personal information due to negligence shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to
personal information without being authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by
imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Four million pesos
(Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to
personal information without being authorized under this Act or any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information. –
(a) The improper disposal of personal information shall be penalized by imprisonment
ranging from six (6) months to two (2) years and a fine of not less than One hundred
thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos
(Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard
or abandon the personal information of an individual in an area accessible to the public or
has otherwise placed the personal information of an individual in its container for trash
collection.

(b) The improper disposal of sensitive personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than One
hundred thousand pesos (Php100,000.00) but not more than One million pesos
(Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard
or abandon the personal information of an individual in an area accessible to the public or
has otherwise placed the personal information of an individual in its container for trash
collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes. – The processing of personal information for unauthorized purposes
shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5)
years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more
than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal
information for purposes not authorized by the data subject, or otherwise authorized under
this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be
penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not
less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons processing sensitive personal information for
purposes not authorized by the data subject, or otherwise authorized under this Act or under
existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging
from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and security data
systems, breaks in any way into any system where personal and sensitive personal
information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The
penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not
less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security
breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally
or by omission conceals the fact of such security breach.

SEC. 31. Malicious Disclosure. – Any personal information controller or personal
information processor or any of its officials, employees or agents, who, with malice or in bad
faith, discloses unwarranted or false information relative to any personal information or
personal sensitive information obtained by him or her, shall be subject to imprisonment
ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal
information processor or any of its officials, employees or agents, who discloses to a third
party personal information not covered by the immediately preceding section without the
consent of the data subject, shall be subject to imprisonment ranging from one (1) year to
three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its
officials, employees or agents, who discloses to a third party sensitive personal information
not covered by the immediately preceding section without the consent of the data subject,
shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of
not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million
pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as defined in
Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years
to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more
than Five million pesos (Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical
person, the penalty shall be imposed upon the responsible officers, as the case may be, who
participated in, or by their gross negligence, allowed the commission of the crime. If the
offender is a juridical person, the court may suspend or revoke any of its rights under this
Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed,
be deported without further proceedings after serving the penalties prescribed. If the
offender is a public official or employee and he or she is found guilty of acts penalized under
Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein,
suffer perpetual or temporary absolute disqualification from office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided
for the preceding offenses shall be imposed when the personal information of at least one
hundred (100) persons is harmed, affected or involved as the result of the above mentioned
actions.

SEC. 36. Offense Committed by Public Officer. – When the offender or the person
responsible for the offense is a public officer as defined in the Administrative Code of the
Philippines in the exercise of his or her duties, an accessory penalty consisting in the
disqualification to occupy public office for a term double the term of criminal penalty
imposed shall be applied.

SEC. 37. Restitution. – Restitution for any aggrieved party shall be governed by the
provisions of the New Civil Code.

CHAPTER IX
MISCELLANEOUS PROVISIONS

SEC. 38. Interpretation. – Any doubt in the interpretation of any provision of this Act shall
be liberally interpreted in a manner mindful of the rights and interests of the individual
about whom personal information is processed.

SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from the
effectivity of this Act, the Commission shall promulgate the rules and regulations to
effectively implement the provisions of this Act.

SEC. 40. Reports and Information. – The Commission shall annually report to the President
and Congress on its activities in carrying out the provisions of this Act. The Commission shall
undertake whatever efforts it may determine to be necessary or appropriate to inform and
educate the public of data privacy, data protection and fair information rights and
responsibilities.

SEC. 41. Appropriations Clause. – The Commission shall be provided with an initial
appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the national
government. Appropriations for the succeeding years shall be included in the General
Appropriations Act. It shall likewise receive Ten million pesos (Php10,000,000.00) per year
for five (5) years upon implementation of this Act drawn from the national government.

SEC. 42. Transitory Provision. – Existing industries, businesses and offices affected by the
implementation of this Act shall be given one (1) year transitory period from the effectivity of
the IRR or such other period as may be determined by the Commission, to comply with the
requirements of this Act.

In case that the DICT has not yet been created by the time the law takes full force and effect,
the National Privacy Commission shall be attached to the Office of the President.

SEC. 43. Separability Clause. – If any provision or part hereof is held invalid or
unconstitutional, the remainder of the law or the provision not otherwise affected shall
remain valid and subsisting.

SEC. 44. Repealing Clause. – The provision of Section 7 of Republic Act No. 9372, otherwise
known as the “Human Security Act of 2007”, is hereby amended. Except as otherwise
expressly provided in this Act, all other laws, decrees, executive orders, proclamations and
administrative regulations or parts thereof inconsistent herewith are hereby repealed or
modified accordingly.

SEC. 45. Effectivity Clause. – This Act shall take effect fifteen (15) days after its publication
in at least two (2) national newspapers of general circulation.

Republic Act No. 10175
September 12, 2012
S. No. 2796
H. No. 5808

Republic of the Philippines
Congress of the Philippines
Metro Manila
Fifteenth Congress
Second Regular Session

Begun and held in Metro Manila, on Monday the Twenty-fifth day of July two thousand
eleven.

[ Republic Act No. 10175 ]

AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION,
INVESTIGATION, SUPPRESSION AND THE IMPOSITION OF PENALTIES
THEREFOR AND FOR OTHER PURPOSES

Be it enacted by the Senate and House of Representatives of the Philippines in Congress
assembled:

CHAPTER I
PRELIMINARY PROVISIONS

SECTION 1. Title. — This Act shall be known as the “Cybercrime Prevention Act of 2012”.

SEC. 2. Declaration of Policy. — The State recognizes the vital role of information and
communications industries such as content production, telecommunications, broadcasting
electronic commerce, and data processing, in the nation’s overall social and economic
development. The State also recognizes the importance of providing an environment
conducive to the development, acceleration, and rational application and exploitation of
information and communications technology (ICT) to attain free, easy, and intelligible access
to exchange and/or delivery of information; and the need to protect and safeguard the
integrity of computer, computer and communications systems, networks, and databases, and
the confidentiality, integrity, and availability of information and data stored therein, from all
forms of misuse, abuse, and illegal access by making punishable under the law such conduct
or conducts. In this light, the State shall adopt sufficient powers to effectively prevent and
combat such offenses by facilitating their detection, investigation, and prosecution at both the
domestic and international levels, and by providing arrangements for fast and reliable
international cooperation.

SEC. 3. Definition of Terms. — For purposes of this Act, the following terms are hereby
defined as follows:

(a) Access refers to the instruction, communication with, storing data in, retrieving data
from, or otherwise making use of any resources of a computer system or communication
network.

(b) Alteration refers to the modification or change, in form or substance, of an existing
computer data or program.

(c) Communication refers to the transmission of information through ICT media, including
voice, video and other forms of data.

(d) Computer refers to an electronic, magnetic, optical, electrochemical, or other data
processing or communications device, or grouping of such devices, capable of performing
logical, arithmetic, routing, or storage functions and which includes any storage facility or
equipment or communications facility or equipment directly related to or operating in
conjunction with such device. It covers any type of computer device including devices with
data processing capabilities like mobile phones, smart phones, computer networks and other
devices connected to the internet.

(e) Computer data refers to any representation of facts, information, or concepts in a form
suitable for processing in a computer system including a program suitable to cause a
computer system to perform a function and includes electronic documents and/or electronic
data messages whether stored in local computer systems or online.

(f) Computer program refers to a set of instructions executed by the computer to achieve
intended results.

(g) Computer system refers to any device or group of interconnected or related devices, one
or more of which, pursuant to a program, performs automated processing of data. It covers
any type of device with data processing capabilities including, but not limited to, computers
and mobile phones. The device consisting of hardware and software may include input,
output and storage components which may stand alone or be connected in a network or other
similar devices. It also includes computer data storage devices or media.

(h) Without right refers to either: (i) conduct undertaken without or in excess of authority;
or (ii) conduct not covered by established legal defenses, excuses, court orders, justifications,
or relevant principles under the law.

(i) Cyber refers to a computer or a computer network, the electronic medium in which online
communication takes place.

(j) Critical infrastructure refers to the computer systems, and/or networks, whether physical
or virtual, and/or the computer programs, computer data and/or traffic data so vital to this
country that the incapacity or destruction of or interference with such system and assets
would have a debilitating impact on security, national or economic security, national public
health and safety, or any combination of those matters.

(k) Cybersecurity refers to the collection of tools, policies, risk management approaches,
actions, training, best practices, assurance and technologies that can be used to protect the
cyber environment and organization and user’s assets.

(l) Database refers to a representation of information, knowledge, facts, concepts, or
instructions which are being prepared, processed or stored or have been prepared, processed
or stored in a formalized manner and which are intended for use in a computer system.

(m) Interception refers to listening to, recording, monitoring or surveillance of the content of
communications, including procuring of the content of data, either directly, through access
and use of a computer system or indirectly, through the use of electronic eavesdropping or
tapping devices, at the same time that the communication is occurring.

(n) Service provider refers to:

(1) Any public or private entity that provides to users of its service the ability to
communicate by means of a computer system; and

(2) Any other entity that processes or stores computer data on behalf of such communication
service or users of such service.

(o) Subscriber’s information refers to any information contained in the form of computer
data or any other form that is held by a service provider, relating to subscribers of its
services other than traffic or content data and by which identity can be established:

(1) The type of communication service used, the technical provisions taken thereto and the
period of service;

(2) The subscriber’s identity, postal or geographic address, telephone and other access
numbers, any assigned network address, billing and payment information, available on the
basis of the service agreement or arrangement; and

(3) Any other available information on the site of the installation of communication
equipment, available on the basis of the service agreement or arrangement.

(p) Traffic data or non-content data refers to any computer data other than the content of the
communication including, but not limited to, the communication’s origin, destination, route,
time, date, size, duration, or type of underlying service.

CHAPTER II
PUNISHABLE ACTS

SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime
punishable under this Act:

(a) Offenses against the confidentiality, integrity and availability of computer data and
systems:

(1) Illegal Access. – The access to the whole or any part of a computer system without right.

(2) Illegal Interception. – The interception made by technical means without right of any
non-public transmission of computer data to, from, or within a computer system including
electromagnetic emissions from a computer system carrying such computer data.

(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document, or electronic data message, without
right, including the introduction or transmission of viruses.

(4) System Interference. — The intentional alteration or reckless hindering or interference
with the functioning of a computer or computer network by inputting, transmitting,
damaging, deleting, deteriorating, altering or suppressing computer data or program,
electronic document, or electronic data message, without right or authority, including the
introduction or transmission of viruses.

(5) Misuse of Devices.

(i) The use, production, sale, procurement, importation, distribution, or otherwise making
available, without right, of:

(aa) A device, including a computer program, designed or adapted primarily for the purpose
of committing any of the offenses under this Act; or

(bb) A computer password, access code, or similar data by which the whole or any part of a
computer system is capable of being accessed with intent that it be used for the purpose of
committing any of the offenses under this Act.

(ii) The possession of an item referred to in paragraphs 5(i)(aa) or (bb) above with intent to
use said devices for the purpose of committing any of the offenses under this section.

(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to
profit, mislead, destroy reputation, and deprive others from registering the same, if such a
domain name is:

(i) Similar, identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration:

(ii) Identical or in any way similar with the name of a person other than the registrant, in
case of a personal name; and

(iii) Acquired without right or with intellectual property interests in it.

(b) Computer-related Offenses:

(1) Computer-related Forgery. —

(i) The input, alteration, or deletion of any computer data without right resulting in
inauthentic data with the intent that it be considered or acted upon for legal purposes as if it
were authentic, regardless whether or not the data is directly readable and intelligible; or

(ii) The act of knowingly using computer data which is the product of computer-related
forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design.

(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion of computer
data or program or interference in the functioning of a computer system, causing damage
thereby with fraudulent intent: Provided, That if no
damage has yet been caused, the penalty imposable shall be one (1) degree lower.

(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether
natural or juridical, without right: Provided, That if no damage has yet been caused, the
penalty imposable shall be one (1) degree lower.

(c) Content-related Offenses:

(1) Cybersex. — The willful engagement, maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a
computer system, for favor or consideration.

(2) Child Pornography. — The unlawful or prohibited acts defined and punishable by
Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a
computer system: Provided, That the penalty to be imposed shall be (1) one degree higher
than that provided for in Republic Act No. 9775.

(3) Unsolicited Commercial Communications. — The transmission of commercial electronic
communication with the use of computer system which seek to advertise, sell, or offer for sale
products and services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or administrative
announcements from the sender to its existing users, subscribers or customers; or

(iii) The following conditions are present:

(aa) The commercial electronic communication contains a simple, valid, and reliable way for
the recipient to reject receipt of further commercial electronic messages (opt-out) from the
same source;

(bb) The commercial electronic communication does not purposely disguise the source of the
electronic message; and

(cc) The commercial electronic communication does not purposely include misleading
information in any part of the message in order to induce the recipients to read the message.

(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the Revised
Penal Code, as amended, committed through a computer system or any other similar means
which may be devised in the future.

SEC. 5. Other Offenses. — The following acts shall also constitute an offense:

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or
aids in the commission of any of the offenses enumerated in this Act shall be held liable.

(b) Attempt in the Commission of Cybercrime. — Any person who willfully attempts to
commit any of the offenses enumerated in this Act shall be held liable.

SEC. 6. All crimes defined and penalized by the Revised Penal Code, as amended, and special
laws, if committed by, through and with the use of information and communications
technologies shall be covered by the relevant provisions of this Act: Provided, That the
penalty to be imposed shall be one (1) degree higher than that provided for by the Revised
Penal Code, as amended, and special laws, as the case may be.

SEC. 7. Liability under Other Laws. — A prosecution under this Act shall be without
prejudice to any liability for violation of any provision of the Revised Penal Code, as
amended, or special laws.

CHAPTER III
PENALTIES

SEC. 8. Penalties. — Any person found guilty of any of the punishable acts enumerated in
Sections 4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a
fine of at least Two hundred thousand pesos (PhP200,000.00) up to a maximum amount
commensurate to the damage incurred or both.

Any person found guilty of the punishable act under Section 4(a)(5) shall be punished with
imprisonment of prision mayor or a fine of not more than Five hundred thousand pesos
(PhP500,000.00) or both.

If punishable acts in Section 4(a) are committed against critical infrastructure, the penalty of
reclusion temporal or a fine of at least Five hundred thousand pesos (PhP500,000.00) up to
maximum amount commensurate to the damage incurred or both, shall be imposed.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(1) of this
Act shall be punished with imprisonment of prision mayor or a fine of at least Two hundred
thousand pesos (PhP200,000.00) but not exceeding One million pesos (PhP1,000,000.00) or
both.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(2) of this
Act shall be punished with the penalties as enumerated in Republic Act No. 9775 or the
“Anti-Child Pornography Act of 2009”: Provided, That the penalty to be imposed shall be
one (1) degree higher than that provided for in Republic Act No. 9775, if committed through
a computer system.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(3) shall be
punished with imprisonment of arresto mayor or a fine of at least Fifty thousand pesos
(PhP50,000.00) but not exceeding Two hundred fifty thousand pesos (PhP250,000.00) or both.

Any person found guilty of any of the punishable acts enumerated in Section 5 shall be
punished with imprisonment one (1) degree lower than that of the prescribed penalty for the
offense or a fine of at least One hundred thousand pesos (PhP100,000.00) but not exceeding
Five hundred thousand pesos (PhP500,000.00) or both.

SEC. 9. Corporate Liability. — When any of the punishable acts herein defined are
knowingly committed on behalf of or for the benefit of a juridical person, by a natural person
acting either individually or as part of an organ of the juridical person, who has a leading
position within, based on: (a) a power of representation of the juridical person provided the
act committed falls within the scope of such authority; (b) an authority to take decisions on
behalf of the juridical person: Provided, That the act committed falls within the scope of such
authority; or (c) an authority to exercise control within the juridical person, the juridical
person shall be held liable for a fine equivalent to at least double the fines imposable in
Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the
lack of supervision or control by a natural person referred to and described in the preceding
paragraph, for the benefit of that juridical person by a natural person acting under its
authority, the juridical person shall be held liable for a fine equivalent to at least double the
fines imposable in Section 7 up to a maximum of Five million pesos (PhP5,000,000.00).

The liability imposed on the juridical person shall be without prejudice to the criminal
liability of the natural person who has committed the offense.

CHAPTER IV
ENFORCEMENT AND IMPLEMENTATION

SEC. 10. Law Enforcement Authorities. — The National Bureau of Investigation (NBI) and
the Philippine National Police (PNP) shall be responsible for the efficient and effective law
enforcement of the provisions of this Act. The NBI and the PNP shall organize a cybercrime
unit or center manned by special investigators to exclusively handle cases involving violations
of this Act.

SEC. 11. Duties of Law Enforcement Authorities. — To ensure that the technical nature of
cybercrime and its prevention is given focus and considering the procedures involved for
international cooperation, law enforcement authorities specifically the computer or
technology crime divisions or units responsible for the investigation of cybercrimes are
required to submit timely and regular reports including pre-operation, post-operation and
investigation results and such other documents as may be required to the Department of
Justice (DOJ) for review and monitoring.

SEC. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due
cause, shall be authorized to collect or record by technical or electronic means traffic data in
real-time associated with specified communications transmitted by means of a computer
system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size,
duration, or type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the
collection or recording of the above-stated information.

The court warrant required under this section shall only be issued or granted upon written
application and the examination under oath or affirmation of the applicant and the witnesses
he may produce and the showing: (1) that there are reasonable grounds to believe that any of
the crimes enumerated hereinabove has been committed, or is being committed, or is about
to be committed: (2) that there are reasonable grounds to believe that evidence that will be
obtained is essential to the conviction of any person for, or to the solution of, or to the
prevention of, any such crimes; and (3) that there are no other means readily available for
obtaining such evidence.

SEC. 13. Preservation of Computer Data. — The integrity of traffic data and subscriber
information relating to communication services provided by a service provider shall be
preserved for a minimum period of six (6) months from the date of the transaction. Content
data shall be similarly preserved for six (6) months from the date of receipt of the order from
law enforcement authorities requiring its preservation.

Law enforcement authorities may order a one-time extension for another six (6) months:
Provided, That once computer data preserved, transmitted or stored by a service provider is
used as evidence in a case, the mere furnishing to such service provider of the transmittal
document to the Office of the Prosecutor shall be deemed a notification to preserve the
computer data until the termination of the case.

The service provider ordered to preserve computer data shall keep confidential the order
and its compliance.

SEC. 14. Disclosure of Computer Data. — Law enforcement authorities, upon securing a
court warrant, shall issue an order requiring any person or service provider to disclose or
submit subscriber’s information, traffic data or relevant data in his/its possession or control
within seventy-two (72) hours from receipt of the order in relation to a valid complaint
officially docketed and assigned for investigation and the disclosure is necessary and relevant
for the purpose of investigation.

SEC. 15. Search, Seizure and Examination of Computer Data. — Where a search and seizure
warrant is properly issued, the law enforcement authorities shall likewise have the following
powers and duties.

Within the time period specified in the warrant, to conduct interception, as defined in this
Act, and:

(a) To secure a computer system or a computer data storage medium;

(b) To make and retain a copy of those computer data secured;

(c) To maintain the integrity of the relevant stored computer data;

(d) To conduct forensic analysis or examination of the computer data storage medium; and

(e) To render inaccessible or remove those computer data in the accessed computer or
computer and communications network.

Pursuant thereof, the law enforcement authorities may order any person who has knowledge
about the functioning of the computer system and the measures to protect and preserve the
computer data therein to provide, as is reasonable, the necessary information, to enable the
undertaking of the search, seizure and examination.

Law enforcement authorities may request for an extension of time to complete the
examination of the computer data storage medium and to make a return thereon but in no
case for a period longer than thirty (30) days from date of approval by the court.

SEC. 16. Custody of Computer Data. — All computer data, including content and traffic
data, examined under a proper warrant shall, within forty-eight (48) hours after the
expiration of the period fixed therein, be deposited with the court in a sealed package, and
shall be accompanied by an affidavit of the law enforcement authority executing it stating the
dates and times covered by the examination, and the law enforcement authority who may
access the deposit, among other relevant data. The law enforcement authority shall also
certify that no duplicates or copies of the whole or any part thereof have been made, or if
made, that all such duplicates or copies are included in the package deposited with the court.
The package so deposited shall not be opened, or the recordings replayed, or used in
evidence, or then contents revealed, except upon order of the court, which shall not be
granted except upon motion, with due notice and opportunity to be heard to the person or
persons whose conversation or communications have been recorded.

SEC. 17. Destruction of Computer Data. — Upon expiration of the periods as provided in
Sections 13 and 15, service providers and law enforcement authorities, as the case may be,
shall immediately and completely destroy the computer data subject of a preservation and
examination.

SEC. 18. Exclusionary Rule. — Any evidence procured without a valid warrant or beyond
the authority of the same shall be inadmissible for any proceeding before any court or
tribunal.

SEC. 19. Restricting or Blocking Access to Computer Data. — When a computer data is
prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order
to restrict or block access to such computer data.

SEC. 20. Noncompliance. — Failure to comply with the provisions of Chapter IV hereof
specifically the orders from law enforcement authorities shall be punished as a violation of
Presidential Decree No. 1829 with imprisonment of prision correctional in its maximum
period or a fine of One hundred thousand pesos (Php100,000.00) or both, for each and every
noncompliance with an order issued by law enforcement authorities.

CHAPTER V
JURISDICTION

SEC. 21. Jurisdiction. — The Regional Trial Court shall have jurisdiction over any violation
of the provisions of this Act. including any violation committed by a Filipino national
regardless of the place of commission. Jurisdiction shall lie if any of the elements was
committed within the Philippines or committed with the use of any computer system wholly
or partly situated in the country, or when by such commission any damage is caused to a
natural or juridical person who, at the time the offense was committed, was in the
Philippines.

There shall be designated special cybercrime courts manned by specially trained judges to
handle cybercrime cases.

CHAPTER VI
INTERNATIONAL COOPERATION

SEC. 22. General Principles Relating to International Cooperation — All relevant
international instruments on international cooperation in criminal matters, arrangements
agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest
extent possible for the purposes of investigations or proceedings concerning criminal offenses
related to computer systems and data, or for the collection of evidence in electronic form of a
criminal, offense shall be given full force and effect.

CHAPTER VII
COMPETENT AUTHORITIES

SEC. 23. Department of Justice (DOJ). — There is hereby created an Office of Cybercrime
within the DOJ designated as the central authority in all matters related to international
mutual assistance and extradition.

SEC. 24. Cybercrime Investigation and Coordinating Center. — There is hereby created,
within thirty (30) days from the effectivity of this Act, an inter-agency body to be known as
the Cybercrime Investigation and Coordinating Center (CICC), under the administrative
supervision of the Office of the President, for policy coordination among concerned agencies
and for the formulation and enforcement of the national cybersecurity plan.

SEC. 25. Composition. — The CICC shall be headed by the Executive Director of the
Information and Communications Technology Office under the Department of Science and
Technology (ICTO-DOST) as Chairperson with the Director of the NBI as Vice Chairperson;
the Chief of the PNP; Head of the DOJ Office of Cybercrime; and one (1) representative
from the private sector and academe, as members. The CICC shall be manned by a
secretariat of selected existing personnel and representatives from the different participating
agencies.

SEC. 26. Powers and Functions. — The CICC shall have the following powers and functions:

(a) To formulate a national cybersecurity plan and extend immediate assistance for the
suppression of real-time commission of cybercrime offenses through a computer emergency
response team (CERT);

(b) To coordinate the preparation of appropriate and effective measures to prevent and
suppress cybercrime activities as provided for in this Act;

(c) To monitor cybercrime cases being bandied by participating law enforcement and
prosecution agencies;

(d) To facilitate international cooperation on intelligence, investigations, training and
capacity building related to cybercrime prevention, suppression and prosecution;

(e) To coordinate the support and participation of the business sector, local government units
and nongovernment organizations in cybercrime prevention programs and other
related projects;

(f) To recommend the enactment of appropriate laws, issuances, measures and policies;

(g) To call upon any government agency to render assistance in the accomplishment of the
CICC’s mandated tasks and functions; and

(h) To perform all other matters related to cybercrime prevention and suppression, including
capacity building and such other functions and duties as may be necessary for the proper
implementation of this Act.

CHAPTER VIII
FINAL PROVISIONS

SEC. 27. Appropriations. — The amount of Fifty million pesos (PhP50,000,000.00) shall be
appropriated annually for the implementation of this Act.

SEC. 28. Implementing Rules and Regulations. — The ICTO-DOST, the DOJ and the
Department of the Interior and Local Government (DILG) shall jointly formulate the
necessary rules and regulations within ninety (90) days from approval of this Act, for its
effective implementation.

SEC. 29. Separability Clause — If any provision of this Act is held invalid, the other
provisions not affected shall remain in full force and effect.

SEC. 30. Repealing Clause. — All laws, decrees or rules inconsistent with this Act are hereby
repealed or modified accordingly. Section 33(a) of Republic Act No. 8792 or the “Electronic
Commerce Act” is hereby modified accordingly.

SEC. 31. Effectivity. — This Act shall take effect fifteen (15) days after the completion of its
publication in the Official Gazette or in at least two (2) newspapers of general circulation.


Republic Act No. 10627
September 12, 2013
H. No. 5496

Republic of the Philippines
Congress of the Philippines
Metro Manila
Fifteenth Congress
Third Regular Session

Begun and held in Metro Manila, on Monday, the twenty-third day of July, two thousand
twelve.

[REPUBLIC ACT NO. 10627]

AN ACT REQUIRING ALL ELEMENTARY AND SECONDARY SCHOOLS TO ADOPT
POLICIES TO PREVENT AND ADDRESS THE ACTS OF BULLYING IN THEIR
INSTITUTIONS

Be it enacted by the Senate and House of Representatives of the Philippines in Congress
assembled:

SECTION 1. Short Title. – This Act shall be known as the “Anti-Bullying Act of 2013”.

SEC. 2. Acts of Bullying. – For purposes of this Act, “bullying” shall refer to any severe or
repeated use by one or more students of a written, verbal or electronic expression, or a
physical act or gesture, or any combination thereof, directed at another student that has the
effect of actually causing or placing the latter in reasonable fear of physical or emotional
harm or damage to his property; creating a hostile environment at school for the other
student; infringing on the rights of the other student at school; or materially and
substantially disrupting the education process or the orderly operation of a school; such as,
but not limited to, the following:

a. Any unwanted physical contact between the bully and the victim like punching, pushing,
shoving, kicking, slapping, tickling, headlocks, inflicting school pranks, teasing, fighting and
the use of available objects as weapons;

b. Any act that causes damage to a victim’s psyche and/or emotional well-being;

c. Any slanderous statement or accusation that causes the victim undue emotional distress
like directing foul language or profanity at the target, name-calling, tormenting and
commenting negatively on victim’s looks, clothes and body; and

d. Cyber-bullying or any bullying done through the use of technology or any electronic
means.

SEC. 3. Adoption of Anti-Bullying Policies. – All elementary and secondary schools are
hereby directed to adopt policies to address the existence of bullying in their respective
institutions. Such policies shall be regularly updated and, at a minimum, shall include
provisions which:

(a) Prohibit the following acts:

(1) Bullying on school grounds; property immediately adjacent to school grounds; at
school-sponsored or school-related activities, functions or programs whether on or off school
grounds; at school bus stops; on school buses or other vehicles owned, leased or used by a
school; or through the use of technology or an electronic device owned, leased or used by a
school;

(2) Bullying at a location, activity, function or program that is not school-related and through
the use of technology or an electronic device that is not owned, leased or used by a school if
the act or acts in question create a hostile environment at school for the victim, infringe on
the rights of the victim at school, or materially and substantially disrupt the education
process or the orderly operation of a school; and

(3) Retaliation against a person who reports bullying, who provides information during an
investigation of bullying, or who is a witness to or has reliable information about bullying;

(b) Identify the range of disciplinary administrative actions that may be taken against a
perpetrator for bullying or retaliation which shall be commensurate with the nature and
gravity of the offense: Provided, That, in addition to the disciplinary sanctions imposed upon
a perpetrator of bullying or retaliation, he/she shall also be required to undergo a
rehabilitation program which shall be administered by the institution concerned. The parents
of the said perpetrator shall be encouraged by the said institution to join the rehabilitation
program;

(c) Establish clear procedures and strategies for:

(1) Reporting acts of bullying or retaliation;

(2) Responding promptly to and investigating reports of bullying or retaliation;

(3) Restoring a sense of safety for a victim and assessing the student’s need for protection;

(4) Protecting from bullying or retaliation of a person who reports acts of bullying, provides
information during an investigation of bullying, or is witness to or has reliable information
about an act of bullying; and

(5) Providing counseling or referral to appropriate services for perpetrators, victims and
appropriate family members of said students;

(d) Enable students to anonymously report bullying or retaliation: Provided, however, That
no disciplinary administrative action shall be taken against a perpetrator solely on the basis
of an anonymous report;

(e) Subject a student who knowingly makes a false accusation of bullying to disciplinary
administrative action;

(f) Educate students on the dynamics of bullying, the anti-bullying policies of the school as
well as the mechanisms of such school for the anonymous reporting of acts of bullying or
retaliation;

(g) Educate parents and guardians about the dynamics of bullying, the anti-bullying policies
of the school and how parents and guardians can provide support and reinforce such policies
at home; and

(h) Maintain a public record of relevant information and statistics on acts of bullying or
retaliation in school: Provided, That the names of students who committed acts of bullying or
retaliation shall be strictly confidential and only made available to the school administration,
teachers directly responsible for the said students and parents or guardians of students who
are or have been victims of acts of bullying or retaliation.

All elementary and secondary schools shall provide students and their parents or guardians a
copy of the anti-bullying policies being adopted by the school. Such policies shall likewise be
included in the school’s student and/or employee handbook and shall be conspicuously posted
on the school walls and website, if there is any.

The Department of Education (DepED) shall include in its training programs, courses or
activities which shall provide opportunities for school administrators, teachers and other
employees to develop their knowledge and skills in preventing or responding to any bullying
act.

SEC. 4. Mechanisms to Address Bullying. – The school principal or any person who holds a
comparable role shall be responsible for the implementation and oversight of policies
intended to address bullying.

Any member of the school administration, student, parent or volunteer shall immediately
report any instance of bullying or act of retaliation witnessed, or that has come to one’s
attention, to the school principal or school officer or person so designated by the principal to
handle such issues, or both. Upon receipt of such a report, the school principal or the
designated school officer or person shall promptly investigate. If it is determined that
bullying or retaliation has occurred, the school principal or the designated school officer or
person shall:

(a) Notify the law enforcement agency if the school principal or designee believes that
criminal charges under the Revised Penal Code may be pursued against the perpetrator;

(b) Take appropriate disciplinary administrative action;

(c) Notify the parents or guardians of the perpetrator; and

(d) Notify the parents or guardians of the victim regarding the action taken to prevent any
further acts of bullying or retaliation.

If an incident of bullying or retaliation involves students from more than one school, the
school first informed of the bullying or retaliation shall promptly notify the appropriate
administrator of the other school so that both may take appropriate action.

SEC. 5. Reporting Requirement. – All schools shall inform their respective schools division
superintendents in writing about the anti-bullying policies formulated within six (6) months
from the effectivity of this Act. Such notification shall likewise be an administrative
requirement prior to the operation of new schools.

Beginning with the school year after the effectivity of this Act, and every first week of the
start of the school year thereafter, schools shall submit a report to their respective schools
division superintendents all relevant information and statistics on acts of bullying or
retaliation. The schools division superintendents shall compile these data and report the same
to the Secretary of the DepED who shall likewise formally transmit a comprehensive report
to the Committee on Basic Education of both the House of Representatives and the Senate.

SEC. 6. Sanction for Noncompliance. – In the rules and regulations to be implemented
pursuant to this Act, the Secretary of the DepED shall prescribe the appropriate
administrative sanctions on school administrators who shall fail to comply with the
requirements under this Act. In addition thereto, erring private schools shall likewise suffer
the penalty of suspension of their permits to operate.

SEC. 7. Implementing Rules and Regulations. – Within ninety (90) days from the effectivity
of this Act, the DepED shall promulgate the necessary rules and regulations to implement the
provisions of this Act.

SEC. 8. Separability Clause. – If, for any reason, any provision of this Act is declared to be
unconstitutional or invalid, the other sections or provisions hereof which are not affected
thereby shall continue to be in full force or effect.

SEC. 9. Repealing Clause. – All laws, decrees, orders, rules and regulations or parts thereof
which are inconsistent with or contrary to the provisions of this Act are hereby repealed,
amended or modified accordingly.

SEC. 10. Effectivity. – This Act shall take effect fifteen (15) days after its publication in at
least two (2) national newspapers of general circulation.
