Reviewer techlaw (Advisory)

1. NPC Advisory Opinion No. 2024-002 Re: Request for

Comments/Insights Regarding the use of Artificial Intelligence (AI) in
the Civil Service Commission’s (CSC) Correspondence
1. AI's Potential and Safeguards: While acknowledging the potential benefits of using AI to
improve correspondences and communication, the document emphasizes the need for proper
safeguards to protect the rights of data subjects if personal information is processed using AI,
such as Chat Generative Pretrained Transformer (ChatGPT).

2. NPC Advisory Opinion No. 2023-019 Re: Disclosure of an Individual

Customer’s Personal Information Upon the Request of Another
Individual Customer
PNB = Purpose, Necessity and Balance (three-part test)

(1) the purpose must establish, the legitimate interest is established

(2) the processing is necessary to fulfill the legitimate interest that is established

(3) the interest is legitimate and lawful and it does not dominate the fundamental rights and
freedoms of data subjects.

3. NPC Advisory Opinion No. 2023-015 Re: Disclosure to the National

Bureau of Investigation of the Record of Barangay Inhabitants
1. DILG Memorandum Circular No. 2008-144: The opinion refers to a Department of Interior and
Local Government (DILG) memorandum that emphasizes the confidentiality of records of
barangay inhabitants. It requires the owner's written authorization for access and disclosure of
data.

2. Necessity of a Subpoena: The opinion states that officials of the barangay may provide the
requested information to the NBI only if a formal subpoena has been issued. This ensures that
the request is authorized, proper, and lawful under existing rules and regulations.

3. Data Privacy Act (DPA) Section 4(e): The NBI cites Section 4(e) of the Data Privacy Act of 2012
(DPA) as a basis for its request, claiming that information requested by law enforcement
agencies necessary to carry out their functions is exempt from the DPA. The advisory opinion
provides clarification on the proper application of this section.
4. NPC Advisory Opinion No. 2023-001 Re: Disclosure of Condominium
Unit Owners’ Personal Data and Related Documents.
1. Scope of Data Privacy Act (DPA): The DPA applies to the processing of personal information and
sensitive personal information. Data relating to juridical entities like corporation name and
address falls outside the scope of the DPA.

2. CCT Numbers: Condominium Certificate of Title (CCT) numbers, by themselves, are not
considered personal information. However, they may be treated as personal information when
correlated with the name of the registered owner. Lawful processing under Section 12(f) of the
DPA may be applied for the disclosure of these numbers.

3. Legitimate Interests for Disclosure: The advisory opinion suggests that Section 13(f) of the DPA
may be applicable, allowing the disclosure of information necessary for the protection of lawful
rights and interests, even without an existing court proceeding.

4. Proportionality Principle: The principle of proportionality requires that the processing of

personal data should be adequate, relevant, suitable, necessary, and not excessive for the
declared purpose.

5. Contractual Obligation: The advisory opinion highlights that the processing of personal
information may be based on contractual obligation, specifically under Section 12(b) of the DPA,
relating to the fulfillment of a contract with the data subject.

6. Responsibilities of Personal Information Controller (PIC): TICC, as a PIC, is responsible for

ensuring that personal data is processed lawfully and fairly. Strict adherence to privacy
principles like transparency, proportionality, and legitimate purpose is emphasized.

7. Publication/Posting of Unit Numbers: While the TICC has the authority to file an adverse claim
for delinquent units, the advisory opinion suggests that posting or publishing unit numbers in
public spaces within the condominium may be too intrusive and should be considered as a last
resort.

8. NPC's Role: The advisory opinion clarifies that NPC does not issue a "legal confirmation," and its
opinions provide guidance on the interpretation of the DPA.

5. NPC Advisory Opinion No. 2022-018: Re: Data Subject Rights in the
Philippine Identification System
The document you provided is an Advisory Opinion (No. 2022-0182) issued by the National Privacy
Commission (NPC) of the Republic of the Philippines on September 20, 2022. This opinion responds to
an inquiry regarding data subject rights in the Philippine Identification System (PhilSys) and the
provisions of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA).
The advisory opinion addresses two scenarios related to the rights of a data subject in the context of
PhilSys:

1. Scenario 1: The data subject is already registered in PhilSys but has not been issued a PhilSys
Number (PSN) or PhilSys Card Number (PCN). In this scenario, the data subject has the right to
withdraw consent and request deletion of their personal data. However, since the processing of
personal data under PhilSys is based on law (Republic Act No. 11055), not consent, the right to
withdraw consent does not apply.

2. Scenario 2: The data subject has already been issued a PSN or PCN. In this case, the right to
erasure (deletion) does not apply as there are no provisions in RA 11055 or its Revised
Implementing Rules and Regulations (IRR) for the deletion of PSN/PCN or personal data. Instead,
the law provides for the deactivation of PSN under specific grounds.

The advisory opinion clarifies that the right to erasure or withdrawal of consent is not applicable in
either scenario due to the legal basis of processing under PhilSys. It emphasizes that the processing of
personal data under PhilSys is a legal obligation imposed on citizens or resident aliens, and therefore,
consent is not the basis for processing.

Furthermore, the opinion addresses the concept of anonymization and clarifies that anonymized data,
where the data subject is not or no longer identifiable, should not be used as a basis to deny deletion
requests. Anonymization should be carried out with a legitimate purpose and should not be utilized to
avoid fulfilling data subject rights.

The advisory opinion concludes by stating that it is based solely on the information provided and may be
subject to change based on additional facts. It also emphasizes that the opinion does not adjudicate the
rights and obligations of the parties involved.

6. NPC Advisory Opinion No. 2021-036: Re: Disclosure of Loan

Documents Pursuant to A Legal Claim
The request for an advisory opinion arises from a situation involving Atty. RAN, representing his client,
Mr. CGS, who sought certified copies of vouchers related to check payments made to Ms. CVG.
Allegedly, Mr. CGS lent money to Ms. CVG, and there is a disagreement between Pag-IBIG Fund and
Atty. RAN regarding the release of documents containing personal data.

The key points addressed in the advisory opinion are as follows:

1. Section 13(f) of the DPA: The opinion interprets Section 13(f) of the DPA, which allows the
processing of sensitive personal information necessary for the protection of lawful rights and
interests of natural or legal persons in court proceedings, or the establishment, exercise, or
defense of legal claims. It emphasizes that the establishment of legal claims does not require an
existing court proceeding, and the DPA is not a tool to prevent the discovery of a crime or hinder
legitimate proceedings.
 2. Lawful processing for establishment of legal claims: The opinion states that the establishment
of legal claims requiring the processing of sensitive personal information is permitted under the
DPA. The term "establishment" may include activities to obtain evidence by lawful means for
prospective court proceedings. Additionally, it clarifies that Section 13(f) would be the lawful
criterion for a request if the vouchers containing sensitive personal information are deemed
necessary to establish a legal claim.

3. Release of documents without consent: The advisory opinion indicates that Pag-IBIG Fund may
release certified copies of the requested loan documents, even without the consent of the data
subjects involved. It mentions that the release should be in line with the purpose of the request
and the data privacy principle of proportionality.

7. NPC Advisory Opinion No. 2021-033: Re: Internal Dissemination Of

Information Regarding Bank-related Crimes
1. Publication and Uploading of Names, Photos, and Other Details: The advisory opinion
addresses the proposal of the bank to publish and upload the names, photos, and other details
(such as criminal charges leading to the issuance of an arrest warrant or conviction) of personnel
involved in administrative or criminal offenses. The bank intended to disseminate this
information through internal channels like e-mail or posting in an intranet to combat fraud and
create a deterrent effect.

2. Caveat in the Publication or Email Message: The bank also sought clarification on whether it
could include a caveat in the publication or email message, warning internal stakeholders that
unauthorized dissemination of the information may be punishable under the Data Privacy Act of
2012 (DPA).

Key Points from the Advisory Opinion:

• Lawful Basis and Proportionality: The NPC emphasized the need for a lawful basis under the
DPA for processing sensitive personal information. The details of criminal or administrative
charges, including the disposal of proceedings and decisions, may be considered sensitive
personal information. The advisory opinion stressed that, as a general rule, the processing of
sensitive personal information is prohibited unless it falls under specific instances outlined in
Section 13 of the DPA.

• Principle of Proportionality: The advisory opinion reiterated the principle of proportionality,

emphasizing that the processing of personal data should be adequate, relevant, suitable,
necessary, and not excessive in relation to the declared and specified purpose. It highlighted the
need to process personal data only if the purpose could not reasonably be fulfilled by other
means.

• Alternative Means and Privacy-Intrusive Initiatives: The NPC suggested that the bank should
reevaluate its proposed anti-fraud initiatives and explore alternative, less privacy-intrusive
means to achieve its objectives. It mentioned that the Bangko Sentral ng Pilipinas (BSP) had
 issued a directive addressing human resource-related risk, requiring banks to manage "people
risk" within an enterprise-wide risk management framework.

• Consideration of Fundamental Rights: The advisory opinion stressed the importance of

assessing the proposed personal data processing activity in terms of its potential impact on
other fundamental rights and freedoms of the data subjects, such as the right to due process.

8. NPC Advisory Opinion No. 2021-022: Re: Processing Personal Data for
Electronic Know-your-customer (eKYC)
1. Processing Personal Data for eKYC: The advisory opinion addresses a scenario where a bank is
designing a digital onboarding process involving the processing of personal and sensitive
personal information (personal data) from applicants wishing to open a bank account or apply
for a bank loan online. The bank plans to obtain applicants' consent through a tick box or an
Agree button after presenting a Data Privacy Consent/terms.

2. Lawful Basis for Processing: The NPC suggests that Section 13 (b) of the Data Privacy Act of
2012 (DPA) is applicable as the lawful basis for processing sensitive personal information based
on existing laws and regulations. In this case, the relationship between the bank and its
customers, along with compliance requirements from the Bangko Sentral ng Pilipinas (BSP)
Manual of Regulations for Banks (MORB), forms the basis for lawful processing.

3. Privacy Notice Instead of Consent: Instead of seeking consent, the advisory opinion
recommends that the bank provide a privacy notice. A privacy notice is seen as an embodiment
of transparency and upholding the right to information of data subjects. It serves as a statement
describing how the organization collects, uses, retains, and discloses personal information.

4. Outsourcing and Data Subject Rights: Regarding outsourcing, the NPC emphasizes the need for
the bank, as a personal information controller, to include stipulations from the MORB provisions
and the Data Privacy Act's Implementing Rules and Regulations in its agreement with the eKYC
solutions provider. The bank should ensure that proper safeguards are in place, and the eKYC
solutions provider complies with the requirements of the DPA.

5. Privacy by Design: The NPC encourages the adoption of a privacy by design approach, which
involves considering privacy and data protection during the design phase of a system, project,
program, or process. This approach ensures ongoing consideration of privacy throughout the
lifecycle and implementation.

9. NPC Advisory Opinion No. 2020-039: Re: Disclosure or Sharing of

Bank Transaction Information for Fraud Investigations
1. Background: The Union Bank of the Philippines (the Bank) initiated investigations on alleged
fraudulent transactions involving multi-platform transactions. These transactions, initiated from
 the bank for transfer to non-bank accounts (such as electronic money issuers - EMIs) and vice
versa, often culminate in cash withdrawals. The Bank seeks to share specific transaction details
with other affected banks and EMIs to facilitate fraud investigations effectively.

2. Personal Information and Lawful Processing: Transaction details, including bank account
numbers and transaction reference numbers, are considered personal information under the
Data Privacy Act of 2012 (DPA). The processing of personal information is permitted if not
otherwise prohibited by law and meets the criteria required by the DPA.

3. Legitimate Interests as Lawful Basis: Section 12 (f) of the DPA allows the processing of personal
information when it is necessary for the purpose of legitimate interests pursued by the personal
information controller or third parties to whom the data is disclosed. Legitimate interests may
include matters that are desired or important to a personal information controller, such as
business, financial, or other reasonable purposes, not contrary to law, morals, or public policy.

4. Legitimate Interests Test: The determination of legitimate interests involves a purpose test,
necessity test, and balancing test:

• Purpose Test: Clearly establishing the existence of a legitimate interest.

• Necessity Test: Ensuring that the processing is necessary for the legitimate interest
pursued and cannot be reasonably fulfilled by other means.

• Balancing Test: Ensuring that fundamental rights and freedoms of data subjects are not
overridden by legitimate interests.

5. Fraud Investigation as Legitimate Interest: Fraud investigation may be considered a legitimate

interest of the Bank and third parties. However, the Bank must establish that:

• Investigations are strictly for resolving and preventing fraud.

• Only necessary and proportionate personal information is processed.

• Fundamental rights and freedoms of data subjects are not unduly affected.

6. Data Privacy Principles: Despite having a lawful basis, the Bank must adhere to general data
privacy principles, including transparency, legitimate purpose, and proportionality. Appropriate
security measures must be implemented, and security breaches should be monitored,
prevented, and mitigated.

7. Documentation and Agreements: Personal information controllers involved may consider

entering into data sharing agreements or similar contracts to document disclosure
arrangements.

10. NPC Advisory Opinion No. 2020-032: Re: The Use of Blockchain
Technology for the Philippine Personal Property Security Registry
1. Background: The Land Registration Authority (LRA) is mandated under Republic Act (RA) No.
11057, also known as the Personal Property Security Act (PPSA), to establish a centralized,
online notice-based registry. The LRA plans to use blockchain technology to store information
obtained from data subjects for the creation of the Philippine Personal Property Security Agency
(Registry).

2. Statutory Mandate and Exception to DPA: The Data Privacy Act of 2012 (DPA) and its
Implementing Rules and Regulations (IRR) provide an exception in Section 5(d) for information
necessary to carry out the functions of public authority, subject to certain restrictions. For this
exception to apply, it must be established that:

• Information is necessary for law enforcement or regulatory function.

• Processing fulfills a constitutional or statutory mandate.

• Applies only to the minimum extent necessary.

• Adherence to all substantive and procedural processes.

3. Regulatory Mandate and Necessity for Registry: RA No. 11057 and its IRR mandate the
establishment of an electronic registry by the LRA for the registration and searching of notices
related to transactions on personal property. The collection and disclosure of personal
information through the Registry are deemed necessary for the exercise of the LRA's regulatory
mandate and fall outside the scope of the DPA, but only to the minimum extent necessary.

4. Data Privacy Principles and Security Measures: While there is a legal basis for the LRA to
process personal information, it is still required to adhere to general data privacy principles,
including transparency, proportionality, and legitimate purpose. The LRA must implement
organizational, technical, and physical security measures to protect the collected personal
information.

5. Blockchain Technology and Data Subject Rights: Blockchain technology's inherent feature of
immutability raises concerns regarding the identification of the actual Personal Information
Controller (PIC) and the exercise of data subject rights. The DPA assigns responsibility to the PIC,
and the immutability of data on the blockchain poses challenges for correction or erasure
requests.

6. Identification of PIC in Blockchain Arrangement: The advisory suggests that participants in the
proposed blockchain technology may designate in writing who the PIC will be or the entity
responsible for upholding data subject rights. Factors such as involvement in the blockchain
process, purpose, and type of data processed should be considered.

7. Privacy Impact Assessment (PIA) and Design Considerations: The advisory recommends
conducting a PIA to assess and manage risks in processing personal data using blockchain
technology. Purposeful design from a data privacy perspective and technological approaches to
address immutability concerns are encouraged.

8. Documentation and Compliance: It is essential to fully document all processes and software
designs, including changes, to identify technological issues and options for resolution.
11. NPC Advisory Opinion No. 2019-040: Anti-money laundering council
request
1. Background: The advisory responds to a letter seeking clarification regarding the request from
the AMLC for documents related to a business entity in Antipolo City. The AMLC requested
certified true copies of various documents, and the inquiry seeks clarification on whether the
Privacy Policy Office may provide such documents to the AMLC.

2. Applicability of Data Privacy Act (DPA): The Data Privacy Act of 2012 (DPA) applies to the
processing of all types of personal information by natural and/or juridical persons involved in
personal information processing. The law defines personal information as any information from
which the identity of an individual is apparent or can reasonably and directly be ascertained.

3. Nature of Business Documents: Business establishments are considered juridical persons under
Article 44 of the Civil Code of the Philippines. The certified true copies of the requested
documents are generally considered the juridical person’s information, not an individual’s
personal information.

4. Lawful Bases for Processing: While the requested documents pertain to a juridical person, there
may be personal or sensitive personal information in these documents. The DPA recognizes
various criteria for processing such information, including:

• Processing necessary for compliance with a legal obligation.

• Processing to fulfill functions of public authority, including the fulfillment of mandates.

• Processing provided for by existing laws and regulations.

• Processing necessary for the protection of lawful rights and interests in court
proceedings or for the establishment, exercise, or defense of legal claims.

5. AMLC's Investigative Functions: Given that the AMLC is vested with investigative functions
under Republic Act No. 9160 (Anti-Money Laundering Act of 2001), the Business Permit and
Licensing Office (BPLO) may rely on lawful bases for processing personal data, considering the
necessity for fulfilling their respective mandates.

6. Balancing DPA Requirements and Government Functions: The DPA should not be an obstacle
to the collection and processing of personal data by government agencies, as long as it is
necessary for fulfilling their mandates. The law encourages fair, secure, and lawful processing of
information while ensuring compliance with DPA requirements, its Implementing Rules and
Regulations, and other NPC issuances.