Data Privacy Act of 2012
RA NO. 10173
BASIS:
1987 Constitution
1. The privacy of communication and correspondence shall be inviolable (Bill of
Rights)
2. Declaration of Principles and State Policies (Sec. 24, Art. II)
RULE:
A. The processing of PERSONAL INFO. is permitted if not otherwise prohibited by law
and subject to compliance w/ specific condition/s. (Sec. 12, DPA)
B. The processing of SENSITIVE PERSONAL INFO. and PRIVILEGED INFO. is prohibited,
except in the cases specified in the DPA. (Sec. 13, DPA)
PERSONAL INFO.
a. It is any info. from w/c the IDENTITY of an individual is –
- apparent; or
- can be reasonably and directly ascertained by the one holding the info.; or
- when put together w/ other info., would directly and certainly identify an individual;
c. The info may or may not be recorded in a material form.
PROCESSING
- is defined as any operation or set of operations performed upon personal info., w/c
includes the following:
a. Collection
b. Recording
c. Storage
d. Consultation
e. Use
f. Erasure or destruction of data
g. Etcetera (Sec. 3[j])
GENERAL PRINCIPLES:
a. Transparency
- the data subject must be AWARE of 1) the nature, purpose, and extent of the
processing of his/her personal info., 2) the risks and safeguards involved, 3) the
identity of the personal info. controller, 4) his/her rights, and 5) how the rights may
be exercised.
b. Legitimate Purpose
- compatible w/ a declared and specified purpose
c. Proportionality
- should be adequate, relevant, suitable, necessary, and not excessive in relation to the
declared purpose.
DATA SHARING
- refers to further processing of personal data collected from a party other than the
data subject.
When allowed:
a. Authorized by law
b. In the private sector, if the data subject consents to data sharing
c. For the purpose of research
d. Between govt. agencies for the purpose of a public function or provision of a
public service.
DATA BREACH:
- the personal info. controller shall notify the NPC and the data subjects w/in 72 hours
from knowledge thereof.
- Data breach notification shall likewise be made when there is reasonable belief by
the personal info. controller or processor that a personal data breach requiring
notification has occurred. (Sec. 38, IRR)
1. To be INFORMED that his/her personal info shall be, are being or have been processed;
2. To be FURNISHED the info. before the entry of his/her info. into the processing system
3. To reasonable ACCESS to the contents, sources, names, manner, reasons etcetera, upon
demand
1. To DISPUTE the inaccuracy or error in the personal info and have the personal info
controller CORRECT it immediately;
2. To order REMOVAL in case the info is incomplete, outdated, or false;
3. To be INDEMNIFIED for damages sustained due to inaccurate, outdated, unlawfully
obtained use of personal info.
FUNCTIONS OF NPC:
- The DPA created the NPC to administer and implement the provisions of the Act, and to
monitor and ensure compliance of the country w/ international standards set for data
protection (Sec. 7, DPA).
- The NPC is an independent body attached to the Department of Information and
Communications Technology (DICT) [Sec. 9, DPA].